[root@localhost root]# nmap -sT -P0 -p 21 10.0.0.50 |
192.168.10.80 -> 10.0.0.50 TCP 32875 > ftp [SYN] Seq=838535498 Ack=0 Win=5840 Len=0 |
[root@localhost root]# nmap -sS -P0 -p 21 10.0.0.50 |
192.168.10.80 -> 10.0.0.50 TCP 60605 > ftp [SYN] Seq=2118392454 Ack=0 Win=1024 Len=0 |
[root@localhost root]# nmap -sF -P0 -p 21 10.0.0.50 |
192.168.10.80 -> 10.0.0.50 TCP 54384 > ftp [FIN] Seq=0 Ack=0 Win=1024 Len=0 |
[root@localhost root]# nmap -sX -P0 -p 21 10.0.0.50 |
192.168.10.80 -> 10.0.0.50 TCP 44307 > ftp [FIN, PSH, URG] Seq=0 Ack=0 Win=4096 Urg=0 Len=0 |
[root@localhost root]# nmap -sN -P0 -p 21 10.0.0.50 |
192.168.10.80 -> 10.0.0.50 TCP 52277 > ftp [] Seq=0 Ack=0 Win=3072 Len=0 |
PREROUTING -> FORWARD -> POSTROUTING |
-p tcp --syn -m state --state NEW -j ACCEPT |
iptables -t nat -A PREROUTING -p tcp --syn --dport 21 -m state --state NEW -j ACCEPT |
iptables -A FORWARD -p icmp -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP |
-m limit --limit 10/s --limit-burst 15 |
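# Note: current iptables releases refuse DROP in the nat table, which is not meant for filtering; on such systems place these rules in the filter table instead.
iptables -t nat -N TCP_CHK
iptables -t nat -A TCP_CHK -p tcp --syn -m state --state NEW -m limit --limit 10/s --limit-burst 15 -j ACCEPT
iptables -t nat -A TCP_CHK -j DROP
iptables -t nat -A PREROUTING -p tcp -j TCP_CHK |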
Scan Type |
Snort Log File |
Monitored Event |
Full TCP Connection Scan |
alert |
portscan status from 192.168.10.80 |
SYN Scan |
portscan.log |
192.168.10.80:36615 -> 10.0.0.50:21 SYN ******S* |
FIN Scan |
portscan.log | 192.168.10.80:59047 -> 10.0.0.50:21 FIN *******F |
XMAS Scan |
portscan.log | 192.168.10.80:60003 -> 10.0.0.50:21 XMAS **U*P**F |
NULL Scan |
portscan.log | 192.168.10.80:61837 -> 10.0.0.50:1600 NULL ******** |