#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sA (1)"; fragbits:!D; dsize:0; flags:A,12; window:1024; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000538; classtype:attempted-recon; sid:2000538; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
Added 2018-09-13 19:37:07 UTC
Added 2018-09-13 17:52:21 UTC
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sA (1)"; fragbits:!D; dsize:0; flags:A,12; window:1024; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000538; classtype:attempted-recon; sid:2000538; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
Added 2017-08-07 20:55:14 UTC
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sA (1)"; fragbits:!D; dsize:0; flags:A,12; window:1024; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000538; classtype:attempted-recon; sid:2000538; rev:8;)
Added 2011-10-12 19:09:40 UTC
I get this constantly from Google
--
GerisPapajani - 2014-09-30
This is disabled by default. It's a noisy sig and does FP pretty frequently.
We haven't deleted it yet as it IS quite accurate when you're doing an actual -sA scan...
I'd recommend not running in production nets.
--
MattJonkman - 2014-09-30
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sA (1)"; fragbits:!D; dsize:0; flags:A,12; window:1024; threshold: type both, track by_dst, count 1, seconds 60; classtype:attempted-recon; reference:url,doc.emergingthreats.net/2000538; sid:2000538; rev:8;)
Added 2011-09-15 14:46:15 UTC
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sA (1)"; fragbits:!D; dsize:0; flags:A,12; window:1024; threshold: type both, track by_dst, count 1, seconds 60; classtype:attempted-recon; reference:url,doc.emergingthreats.net/2000538; sid:2000538; rev:8;)
Added 2011-09-14 20:37:10 UTC
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sA (1)"; fragbits:!D; dsize:0; flags:A,12; window:1024; threshold: type both, track by_dst, count 1, seconds 60; classtype:attempted-recon; reference:url,doc.emergingthreats.net/2000538; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_NMAP; sid:2000538; rev:8;)
Added 2011-02-04 17:21:15 UTC
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sA (1)"; fragbits:!D; dsize:0; flags:A,12; window:1024; threshold: type both, track by_dst, count 1, seconds 60; classtype:attempted-recon; reference:url,doc.emergingthreats.net/2000538; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_NMAP; sid:2000538; rev:8;)
Added 2010-04-26 10:34:58 UTC
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sA (1)"; fragbits:!D; dsize:0; flags:A,12; window:1024; threshold: type both, track by_dst, count 1, seconds 60; classtype:attempted-recon; reference:url,doc.emergingthreats.net/2000538; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_NMAP; sid:2000538; rev:8;)
Added 2010-04-26 10:34:58 UTC
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sA (1)"; fragbits:!D; dsize:0; flags:A,12; window:1024; classtype:attempted-recon; reference:url,doc.emergingthreats.net/2000538; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_NMAP; sid:2000538; rev:7;)
Added 2009-07-14 13:39:11 UTC
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sA (1)"; fragbits:!D; dsize:0; flags:A,12; window:1024; classtype:attempted-recon; reference:url,doc.emergingthreats.net/2000538; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_NMAP; sid:2000538; rev:7;)
Added 2009-07-14 13:39:11 UTC
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sA (1)"; fragbits: D; dsize: 0; flags: A,12; window: 1024; classtype: attempted-recon; reference:url,doc.emergingthreats.net/2000538; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_NMAP; sid: 2000538; rev:7;)
Added 2009-02-12 18:21:19 UTC
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sA (1)"; fragbits: D; dsize: 0; flags: A,12; window: 1024; classtype: attempted-recon; reference:url,doc.emergingthreats.net/2000538; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_NMAP; sid: 2000538; rev:7;)
Added 2009-02-12 18:21:19 UTC
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sA (1)"; fragbits: D; dsize: 0; flags: A,12; window: 1024; classtype: attempted-recon; sid: 2000538; rev:6;)
Added 2008-11-11 21:00:22 UTC
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sA (1)"; fragbits: D; dsize: 0; flags: A,12; window: 1024; classtype: attempted-recon; sid: 2000538; rev:6;)
Added 2008-11-11 21:00:22 UTC
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sA (1)"; fragbits: D; dsize: 0; flags: A,12; window: 1024; reference:arachnids,162; classtype: attempted-recon; sid: 2000538; rev:5;)
Added 2008-01-29 10:56:40 UTC
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sA (1)"; fragbits: D; dsize: 0; flags: A,12; window: 1024; reference:arachnids,162; classtype: attempted-recon; sid: 2000538; rev:5;)
Added 2008-01-29 10:56:40 UTC
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE SCAN NMAP -sA (1)"; fragbits: D; dsize: 0; flags: A,12; window: 1024; reference:arachnids,162; classtype: attempted-recon; sid: 2000538; rev:4; )