What's the most effective way to detect nmap scans?
I am interested in detecting any nmap scans directed at a (my) GNU/Linux host. I would like to use snort in combination with barnyard2 and snorby for this, or, if possible, to perform signature-based detection on snort unified2 logs. I noticed that a packet similar to the following pops up when performing an nmap -A scan:
[ 0] 00 00 FF FF 00 00 00 00 00 00 00 00 00 00 08 00 ................
[ 16] 45 00 00 A2 5C 63 40 00 78 FF 39 03 B9 1E A6 45 E...c@.x.9....E
[ 32] 05 27 08 D3 50 72 69 6F 72 69 74 79 20 43 6F 75 .'..Priority Cou
[ 48] 6E 74 3A 20 39 0A 43 6F 6E 6E 65 63 74 69 6F 6E nt: 9.Connection
[ 64] 20 43 6F 75 6E 74 3A 20 38 0A 49 50 20 43 6F 75 Count: 8.IP Cou
[ 80] 6E 74 3A 20 32 0A 53 63 61 6E 6E 65 72 20 49 50 nt: 2.Scanner IP
[ 96] 20 52 61 6E 67 65 3A 20 38 34 2E 32 34 32 2E 37 Range: 84.242.7
[ 112] 36 2E 36 36 3A 31 38 35 2E 33 30 2E 31 36 36 2E 6.66:185.30.166.
[ 128] 36 39 0A 50 6F 72 74 2F 50 72 6F 74 6F 20 43 6F 69.Port/Proto Co
[ 144] 75 6E 74 3A 20 31 30 0A 50 6F 72 74 2F 50 72 6F unt: 10.Port/Pro
[ 160] 74 6F to
What's the packet above? Does it have to do with nmap, solely? (I highly doubt that)
Unfortunately snort configured with sfPortscan isn't as effective and/or accurate as I want it to be (scans are detected, but for some reason I can't see details about them, such as source/destination :: http://i.imgur.com/sPCS13b.png , http://i.imgur.com/9BGkkQv.png . I have iptables configured with --hitcount and --seconds, which makes "stream5: Reset outside window" pop up, thus I can detect a few scans.).
What are my options here?
networking nmap snort
edited Dec 20 '18 at 0:13
Rui F Ribeiro
asked Nov 7 '14 at 22:04
niemal010
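Decoding the dump in the question, as an added example that is not part of the original post. The bytes are transcribed from the hex columns above; the first 16 bytes are treated as a link-layer header (an assumption, but the IPv4 header visibly starts at the 0x45 byte at offset 16). The decode shows an IP packet with protocol number 255, no transport header, and a text payload of "Priority Count", "Connection Count", "IP Count", "Scanner IP Range" and "Port/Proto Count" lines. That is the pseudo-packet Snort's sfPortscan preprocessor generates to carry its own portscan-alert details through unified2 logging, which barnyard2 and Snorby then display as if it were captured traffic. It is Snort's record of a scan, not a packet nmap sent; the scanner address range and the destination 5.39.8.211 come straight out of the bytes.

```python
"""Decode the sfPortscan pseudo-packet from the question's hex dump.

Added example, not part of the original post.  Bytes are transcribed from the
dump above (hex columns only).  Assumption: the first 16 bytes are a link-layer
header, so the IPv4 header starts at offset 16.
"""
import socket
import struct

DUMP_HEX = """
00 00 FF FF 00 00 00 00 00 00 00 00 00 00 08 00
45 00 00 A2 5C 63 40 00 78 FF 39 03 B9 1E A6 45
05 27 08 D3 50 72 69 6F 72 69 74 79 20 43 6F 75
6E 74 3A 20 39 0A 43 6F 6E 6E 65 63 74 69 6F 6E
20 43 6F 75 6E 74 3A 20 38 0A 49 50 20 43 6F 75
6E 74 3A 20 32 0A 53 63 61 6E 6E 65 72 20 49 50
20 52 61 6E 67 65 3A 20 38 34 2E 32 34 32 2E 37
36 2E 36 36 3A 31 38 35 2E 33 30 2E 31 36 36 2E
36 39 0A 50 6F 72 74 2F 50 72 6F 74 6F 20 43 6F
75 6E 74 3A 20 31 30 0A 50 6F 72 74 2F 50 72 6F
74 6F
"""
PACKET = bytes.fromhex("".join(DUMP_HEX.split()))

LINK_HEADER_LEN = 16    # assumption: 16-byte link-layer header precedes the 0x45 byte
SFPORTSCAN_PROTO = 255  # IP protocol number sfPortscan puts on its pseudo-packet


def decode_ipv4(pkt, link_hdr_len=LINK_HEADER_LEN):
    """Return the interesting IPv4 header fields plus whatever follows the header."""
    off = link_hdr_len
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack_from("!BBHHHBBH4s4s", pkt, off)
    if ver_ihl >> 4 != 4:
        raise ValueError("no IPv4 header at offset %d" % off)
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "total_length": total_len,
        "ttl": ttl,
        "proto": proto,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        # protocol 255 carries no TCP/UDP header: the payload follows the IP header directly
        "payload": pkt[off + ihl:],
        # compare with total_length: a smaller value means the dump was truncated
        "captured_ip_bytes": len(pkt) - off,
    }


def parse_sfportscan_payload(payload):
    """Parse the 'Key: value' lines sfPortscan writes; a trailing partial line is skipped."""
    fields = {}
    for line in payload.decode("ascii", errors="replace").split("\n"):
        if ":" in line:
            # split once only: the 'Scanner IP Range' value itself contains a colon
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def is_sfportscan_pseudo_packet(pkt):
    """True when the packet has the shape of a Snort sfPortscan alert pseudo-packet."""
    hdr = decode_ipv4(pkt)
    return hdr["proto"] == SFPORTSCAN_PROTO and hdr["payload"].startswith(b"Priority Count:")


if __name__ == "__main__":
    header = decode_ipv4(PACKET)
    print({k: v for k, v in header.items() if k != "payload"})
    print(parse_sfportscan_payload(header["payload"]))
```

The total-length field says 162 bytes of IP packet but only 146 were dumped, which is why the last "Port/Proto Range" line is cut off in the question; the fields that survive are the ones Snort's own log output lists for a portscan event.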
3 Answers
Have you looked at the Emerging Threats ruleset? Specifically their scan rules?
You will never detect scans with 100% accuracy. Generally speaking, thresholding is useful. On border firewalls on a large network, I look at e.g. the number of distinct hosts contacted by some remote host over a certain period. On a single host, the number of distinct ports on that host in a given period. On the iptables front, a good option is logging DROPed packets. You could do this in snort too. The basic idea is just to monitor some ports that you do not have open. Contact on those ports is by definition unsolicited. (Okay, so that deviates a little bit from the goal of just detecting nmap scans...)
answered Nov 8 '14 at 4:41
Greg Bowser
Great idea (logging dropped packets)! Thanks.
– niemal010
Nov 8 '14 at 14:41
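A threshold detector over iptables LOG lines, as an added example illustrating the answer above (it is not the answerer's code). It assumes the firewall logs new SYNs to ports you do not serve before dropping them, with a rule pair such as `iptables -A INPUT -p tcp --syn -j LOG --log-prefix "IPT-DROP: "` followed by `iptables -A INPUT -p tcp --syn -j DROP`, placed after the ACCEPT rules for the services you actually run; the prefix is an assumption, and the log lines in the block are constructed in the kernel's netfilter LOG format with documentation addresses. It implements both thresholds the answer describes, distinct ports on one host per remote source and distinct destination hosts per remote source, and its sample input also contains a slow scan (one probe every two minutes) to show that a fixed window never accumulates it, which is the evasion the thread warns about.

```python
"""Threshold-based scan detection over iptables LOG output.

Added example, not from the original thread.  Assumes a LOG rule with the
prefix "IPT-DROP: " (an assumption) placed after the ACCEPT rules for real
services, so that only unsolicited SYNs to closed ports are logged.  The
sample lines below are constructed in the kernel's netfilter LOG format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ kernel: "
    r".*?IPT-DROP: .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=\d+ DPT=(?P<dpt>\d+))?"
)


def parse_log_line(line):
    """Return (timestamp, src, dst, 'PROTO/dport') or None for a non-matching line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; only the differences between lines matter here
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
    port = f"{m['proto']}/{m['dpt']}" if m["dpt"] else m["proto"]  # ICMP has no port
    return ts, m["src"], m["dst"], port


class ScanDetector:
    """Per-source sliding window.  'port-sweep': many distinct ports on the
    monitored host (single-host case).  'host-sweep': many distinct destination
    hosts (what a border firewall sees).  Each (source, kind) alerts once."""

    def __init__(self, window_s=60, port_threshold=10, host_threshold=5):
        self.window_s = window_s
        self.port_threshold = port_threshold
        self.host_threshold = host_threshold
        self._events = defaultdict(deque)  # src -> deque of (ts, dst, port)
        self._alerted = set()

    def feed(self, line):
        ev = parse_log_line(line)
        if ev is None:
            return []
        ts, src, dst, port = ev
        q = self._events[src]
        q.append((ts, dst, port))
        while (ts - q[0][0]).total_seconds() > self.window_s:  # expire old probes
            q.popleft()
        ports = {p for _, _, p in q}
        hosts = {d for _, d, _ in q}
        alerts = []
        for kind, n, limit in (("port-sweep", len(ports), self.port_threshold),
                               ("host-sweep", len(hosts), self.host_threshold)):
            if n >= limit and (src, kind) not in self._alerted:
                self._alerted.add((src, kind))
                alerts.append({"src": src, "kind": kind, "count": n,
                               "at": ts.strftime("%H:%M:%S")})
        return alerts


def detect(lines, **kw):
    det = ScanDetector(**kw)
    found = []
    for line in lines:
        found.extend(det.feed(line))
    return found


def sample_line(hhmmss, src, dst, dpt):
    """Constructed line in netfilter LOG format (MAC= field omitted)."""
    return (f"Nov  8 {hhmmss} host kernel: [ 4242.001] IPT-DROP: IN=eth0 OUT= "
            f"SRC={src} DST={dst} LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=31337 "
            f"PROTO=TCP SPT=54321 DPT={dpt} WINDOW=1024 RES=0x00 SYN URGP=0")


SCANNER, SWEEPER, FRIEND, SLOW = "192.0.2.10", "192.0.2.20", "203.0.113.7", "203.0.113.9"
VICTIM = "198.51.100.5"
SAMPLE_LOG = (
    # fast vertical scan: 12 distinct ports on one host within 22 seconds
    [sample_line(f"14:41:{s:02d}", SCANNER, VICTIM, p) for s, p in
     zip(range(0, 24, 2), [21, 22, 23, 25, 80, 110, 135, 139, 143, 443, 445, 993])]
    # a client that retried one closed port twice: stays far below threshold
    + [sample_line("14:41:05", FRIEND, VICTIM, 8080), sample_line("14:41:09", FRIEND, VICTIM, 8080)]
    # horizontal sweep: port 22 on six neighbouring hosts
    + [sample_line(f"14:42:{s:02d}", SWEEPER, f"198.51.100.{h}", 22)
       for s, h in zip(range(0, 12, 2), range(10, 16))]
    # slow scan: one probe every two minutes never accumulates inside a 60 s window
    + [sample_line(f"14:{43 + 2 * i}:00", SLOW, VICTIM, p) for i, p in enumerate([21, 22, 23, 25])]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Widening the window (or lowering the threshold) catches the slow scanner in the sample at the cost of more false positives; the right values depend on what unsolicited traffic your host normally sees, which is exactly why the dropped-packet log is worth reading before picking numbers.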
Do you want to detect an nmap scan as an academic exercise, or are you trying to actually detect attackers who are performing a port scan? The latter can be extremely difficult, since an attacker can slow down the scan and/or distribute the scan across a number of clients in order to defeat any heuristics that you might implement. So, be aware that if this is your goal you're going "down the rabbit hole" :-
Secondly, are you simply interested in having the capability of detecting a scan, or are you interested in the underlying details of how that can be accomplished? In other words, do you just want to get this done, or are you studying this topic?
For the former, there are various IDS tools that you can install such as Snort and Bro, and numerous commercial offerings. Understand however that they will likely only be able to detect certain types of scans, such as a scan of monotonically increasing TCP port numbers, for example.
For the latter, if you want to understand what network traffic is generated by typical nmap scans so that you can then look for those patterns, then I suggest running nmap - perhaps over a small number of ports - and examining the traffic that it generates using a sniffer such as tcpdump. You can then implement signatures/rules within whatever system you're building.
Hope this helps!
answered Nov 8 '14 at 5:19
user90703
What I am trying to accomplish is detecting potential reconnaissance-oriented actions. Not only am I trying to understand (studying) the details of how that can be accomplished, but I also want the capability to do so. I already have snort installed. Greg Bowser's answer regarding logging and monitoring dropped packets is a smart and good way to accomplish this, it seems. Thank you for your effort and answer.
– niemal010
Nov 8 '14 at 14:56
No worries. I suspect that many attackers will only scan for the ports that they are subsequently interested in attacking. So 80/443/etc. And since you're probably listening on those ports, they wouldn't show up as drops. I think the days when people scan 1-1024 or 1-65535 are long gone...
– user90703
Nov 8 '14 at 17:21
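Following this answer's advice to capture nmap probes with tcpdump and turn what you see into rules, here is an added example (not the answerer's code) that reads `tcpdump -nn` text output and classifies each segment by its flag combination. NULL, FIN and Xmas probes (nmap -sN, -sF, -sX) are flagged unconditionally, because no TCP implementation opens a connection with those flag sets. A lone SYN is only flagged when it has the shape a default nmap -sS probe showed in captures I have looked at (window 1024, MSS as the only option, no payload); that pattern is an assumption about nmap's defaults and trivially changed by the scanner, so confirm it against your own capture and adjust the `syn_window` parameter. The sample lines are constructed in tcpdump's output format with documentation addresses. A Maimon FIN/ACK probe, an ACK scan and a -sT connect scan are deliberately not matched here: those flag sets occur in every normal connection, so judging them needs connection state (what Snort's stream5 tracks) or the threshold approach from the other answer, not a per-packet signature.

```python
"""Per-packet nmap probe signatures over tcpdump text output.

Added example, not from the original thread.  Input lines are what
`tcpdump -nn tcp` prints; the sample capture below is constructed.
"""
import re

TCPDUMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<spt>\d+) > (?P<dst>[\d.]+)\.(?P<dpt>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\](?:, seq [^,]+)?(?:, ack [^,]+)?, win (?P<win>\d+)(?:, urg \d+)?"
    r"(?:, options \[(?P<opts>[^\]]*)\])?, length (?P<len>\d+)$"
)


def parse_tcpdump_line(line):
    """Return the fields of one tcpdump line, or None if it is not a TCP line."""
    m = TCPDUMP_RE.match(line)
    if not m:
        return None
    flags, opts = m["flags"], m["opts"]
    return {
        "src": m["src"], "spt": int(m["spt"]), "dst": m["dst"], "dpt": int(m["dpt"]),
        "flags": set() if flags == "none" else set(flags),  # tcpdump prints [none] for no flags
        "win": int(m["win"]),
        "opts": [o.strip() for o in opts.split(",")] if opts else [],
        "len": int(m["len"]),
    }


def classify(pkt, syn_window=1024):
    """Name the nmap scan type a single segment betrays, or None if it looks ordinary."""
    f = pkt["flags"]
    if not f:
        return "null-scan"      # nmap -sN: no flags at all
    if f == {"F"}:
        return "fin-scan"       # nmap -sF: FIN without ACK never happens in a real connection
    if f == {"F", "P", "U"}:
        return "xmas-scan"      # nmap -sX: FIN+PSH+URG
    if (f == {"S"} and pkt["len"] == 0 and pkt["win"] == syn_window
            and all(o.startswith("mss") for o in pkt["opts"])):
        # heuristic, assumed default nmap -sS shape: small fixed window, MSS-only options,
        # none of the SACK/timestamp/window-scale options a real OS stack negotiates
        return "syn-probe"
    return None


def scan_probes(lines, **kw):
    hits = []
    for line in lines:
        pkt = parse_tcpdump_line(line)
        if pkt is None:
            continue
        verdict = classify(pkt, **kw)
        if verdict:
            hits.append({"src": pkt["src"], "dst": pkt["dst"], "dpt": pkt["dpt"], "verdict": verdict})
    return hits


# Constructed sample: an nmap-style SYN probe and its RST, a NULL, FIN and Xmas probe,
# then an ordinary client handshake and request that must not be flagged.
SAMPLE_CAPTURE = [
    "14:41:00.100000 IP 192.0.2.10.54321 > 198.51.100.5.22: Flags [S], seq 3604384719, win 1024, options [mss 1460], length 0",
    "14:41:00.100500 IP 198.51.100.5.22 > 192.0.2.10.54321: Flags [S.], seq 1, ack 3604384720, win 29200, options [mss 1460], length 0",
    "14:41:00.100900 IP 192.0.2.10.54321 > 198.51.100.5.22: Flags [R], seq 3604384720, win 0, length 0",
    "14:41:01.000000 IP 192.0.2.10.40001 > 198.51.100.5.80: Flags [none], win 1024, length 0",
    "14:41:01.000200 IP 192.0.2.10.40002 > 198.51.100.5.443: Flags [F], seq 0, win 1024, length 0",
    "14:41:01.000400 IP 192.0.2.10.40003 > 198.51.100.5.25: Flags [FPU], seq 0, win 1024, urg 0, length 0",
    "14:41:05.000000 IP 203.0.113.7.51000 > 198.51.100.5.443: Flags [S], seq 100, win 64240, options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0",
    "14:41:05.000300 IP 203.0.113.7.51000 > 198.51.100.5.443: Flags [.], ack 1, win 502, length 0",
    "14:41:05.200000 IP 203.0.113.7.51000 > 198.51.100.5.443: Flags [P.], seq 1:518, ack 1, win 502, length 517",
]

if __name__ == "__main__":
    for hit in scan_probes(SAMPLE_CAPTURE):
        print(hit)
```

Run nmap with each scan type against a handful of ports while `tcpdump -nn` watches, and compare its output with what this classifier says; the flag-set signatures translate directly into Snort `flags:0;`, `flags:F;` and `flags:FPU;` rule options, while the SYN heuristic is only as good as the window value you measured.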
add a comment |
What I am trying to accomplish is detecting potential reconnaissance oriented actions. Not only I am trying to understand (studying) the details of how that can be accomplished, but I also want the capability to do so. I already have snort installed. Greg Browser's answer regarding logging and monitoring dropped packets is a smart and good way to accomplish this, it seems. Thank you for your effort and answer.
– niemal010
Nov 8 '14 at 14:56
No worries. I suspect that many attackers will only scan for the ports that they are subsequently interested in attacking. So 80/443/etc. And since you're probably listening on those ports, they wouldn't show up as drops. I think the days when people scan 1-1024 or 1-65535 are long gone...
– user90703
Nov 8 '14 at 17:21
What I am trying to accomplish is detecting potential reconnaissance oriented actions. Not only I am trying to understand (studying) the details of how that can be accomplished, but I also want the capability to do so. I already have snort installed. Greg Browser's answer regarding logging and monitoring dropped packets is a smart and good way to accomplish this, it seems. Thank you for your effort and answer.
– niemal010
Nov 8 '14 at 14:56
What I am trying to accomplish is detecting potential reconnaissance oriented actions. Not only I am trying to understand (studying) the details of how that can be accomplished, but I also want the capability to do so. I already have snort installed. Greg Browser's answer regarding logging and monitoring dropped packets is a smart and good way to accomplish this, it seems. Thank you for your effort and answer.
– niemal010
Nov 8 '14 at 14:56
No worries. I suspect that many attackers will only scan for the ports that they are subsequently interested in attacking. So 80/443/etc. And since you're probably listening on those ports, they wouldn't show up as drops. I think the days when people scan 1-1024 or 1-65535 are long gone...
– user90703
Nov 8 '14 at 17:21
No worries. I suspect that many attackers will only scan for the ports that they are subsequently interested in attacking. So 80/443/etc. And since you're probably listening on those ports, they wouldn't show up as drops. I think the days when people scan 1-1024 or 1-65535 are long gone...
– user90703
Nov 8 '14 at 17:21
add a comment |
The passive operating system identifier, p0f, can identify nmap
scans, at least of some types. Bear in mind that nmap
can do a lot of different types of scans from simple ping scans to very exotic. What you're asking might not be 100% possible.
I believe that's pretty much what I got right now (snort), thanks for answering though. Also, I have seen servers filtering/resisting scans in a really effective way. Probably it's not 100% possible, but you could get up to 90 plus.
– niemal010
Nov 8 '14 at 14:44
add a comment |
The passive operating system identifier, p0f, can identify nmap
scans, at least of some types. Bear in mind that nmap
can do a lot of different types of scans from simple ping scans to very exotic. What you're asking might not be 100% possible.
I believe that's pretty much what I got right now (snort), thanks for answering though. Also, I have seen servers filtering/resisting scans in a really effective way. Probably it's not 100% possible, but you could get up to 90 plus.
– niemal010
Nov 8 '14 at 14:44
add a comment |
The passive operating system identifier, p0f, can identify nmap
scans, at least of some types. Bear in mind that nmap
can do a lot of different types of scans from simple ping scans to very exotic. What you're asking might not be 100% possible.
The passive operating system identifier, p0f, can identify nmap scans, at least of some types. Bear in mind that nmap can do a lot of different types of scans from simple ping scans to very exotic. What you're asking might not be 100% possible.
answered Nov 8 '14 at 4:19
Bruce Ediger
I believe that's pretty much what I got right now (snort), thanks for answering though. Also, I have seen servers filtering/resisting scans in a really effective way. Probably it's not 100% possible, but you could get up to 90 plus.
– niemal010
Nov 8 '14 at 14:44