EmergingThreats> Main Web>2000538 (2014-09-30, MattJonkman) EditAttach

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sA (1)"; fragbits:!D; dsize:0; flags:A,12; window:1024; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000538; classtype:attempted-recon; sid:2000538; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2018-09-13 19:37:07 UTC

Added 2018-09-13 17:52:21 UTC

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sA (1)"; fragbits:!D; dsize:0; flags:A,12; window:1024; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000538; classtype:attempted-recon; sid:2000538; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 20:55:14 UTC

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sA (1)"; fragbits:!D; dsize:0; flags:A,12; window:1024; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000538; classtype:attempted-recon; sid:2000538; rev:8;)

Added 2011-10-12 19:09:40 UTC

I get this constantly from Google

-- GerisPapajani - 2014-09-30

This is disabled by default. It's a noisy sig and does FP pretty frequently.

We haven't deleted it yet as it IS quite accurate when you're doing an actual -sA scan...

I'd recommend not running in production nets.

-- MattJonkman - 2014-09-30

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sA (1)"; fragbits:!D; dsize:0; flags:A,12; window:1024; threshold: type both, track by_dst, count 1, seconds 60; classtype:attempted-recon; reference:url,doc.emergingthreats.net/2000538; sid:2000538; rev:8;)

Added 2011-09-15 14:46:15 UTC

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sA (1)"; fragbits:!D; dsize:0; flags:A,12; window:1024; threshold: type both, track by_dst, count 1, seconds 60; classtype:attempted-recon; reference:url,doc.emergingthreats.net/2000538; sid:2000538; rev:8;)

Added 2011-09-14 20:37:10 UTC

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sA (1)"; fragbits:!D; dsize:0; flags:A,12; window:1024; threshold: type both, track by_dst, count 1, seconds 60; classtype:attempted-recon; reference:url,doc.emergingthreats.net/2000538; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_NMAP; sid:2000538; rev:8;)

Added 2011-02-04 17:21:15 UTC

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sA (1)"; fragbits:!D; dsize:0; flags:A,12; window:1024; threshold: type both, track by_dst, count 1, seconds 60; classtype:attempted-recon; reference:url,doc.emergingthreats.net/2000538; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_NMAP; sid:2000538; rev:8;)

Added 2010-04-26 10:34:58 UTC

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sA (1)"; fragbits:!D; dsize:0; flags:A,12; window:1024; threshold: type both, track by_dst, count 1, seconds 60; classtype:attempted-recon; reference:url,doc.emergingthreats.net/2000538; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_NMAP; sid:2000538; rev:8;)

Added 2010-04-26 10:34:58 UTC

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sA (1)"; fragbits:!D; dsize:0; flags:A,12; window:1024; classtype:attempted-recon; reference:url,doc.emergingthreats.net/2000538; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_NMAP; sid:2000538; rev:7;)

Added 2009-07-14 13:39:11 UTC

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sA (1)"; fragbits:!D; dsize:0; flags:A,12; window:1024; classtype:attempted-recon; reference:url,doc.emergingthreats.net/2000538; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_NMAP; sid:2000538; rev:7;)

Added 2009-07-14 13:39:11 UTC

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sA (1)"; fragbits: D; dsize: 0; flags: A,12; window: 1024; classtype: attempted-recon; reference:url,doc.emergingthreats.net/2000538; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_NMAP; sid: 2000538; rev:7;)

Added 2009-02-12 18:21:19 UTC

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sA (1)"; fragbits: D; dsize: 0; flags: A,12; window: 1024; classtype: attempted-recon; reference:url,doc.emergingthreats.net/2000538; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_NMAP; sid: 2000538; rev:7;)

Added 2009-02-12 18:21:19 UTC

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sA (1)"; fragbits: D; dsize: 0; flags: A,12; window: 1024; classtype: attempted-recon; sid: 2000538; rev:6;)

Added 2008-11-11 21:00:22 UTC

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sA (1)"; fragbits: D; dsize: 0; flags: A,12; window: 1024; classtype: attempted-recon; sid: 2000538; rev:6;)

Added 2008-11-11 21:00:22 UTC

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sA (1)"; fragbits: D; dsize: 0; flags: A,12; window: 1024; reference:arachnids,162; classtype: attempted-recon; sid: 2000538; rev:5;)

Added 2008-01-29 10:56:40 UTC

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sA (1)"; fragbits: D; dsize: 0; flags: A,12; window: 1024; reference:arachnids,162; classtype: attempted-recon; sid: 2000538; rev:5;)

Added 2008-01-29 10:56:40 UTC

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE SCAN NMAP -sA (1)"; fragbits: D; dsize: 0; flags: A,12; window: 1024; reference:arachnids,162; classtype: attempted-recon; sid: 2000538; rev:4; )

Edit | Attach | Print version | History: r3 < r2 < r1 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r3 - 2014-09-30 - MattJonkman
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats