GEN:SID 1:628
Message SCAN nmap TCP
Summary This event is generated when the nmap port scanner and reconnaissance
tool is used against a host.
Impact This could be part of a full scan by nmap and could indicate
potential malicious reconnaissance of the targeted network or host.
Detailed Information Some versions of Nmap's TCP ping, if selected, send a TCP ACK segment with the
acknowledgment number set to 0.

Nmap can use TCP ping as an alternative to ICMP ping.
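
The check described above, as an added example that is not part of the original rule documentation or of the Snort rule itself: a stateless Python test for a TCP segment with only ACK set and an acknowledgment number of 0, grouped by source so a ping sweep stands out. The function names, the sample addresses and the choice to ignore the CWR/ECE bits are assumptions.

```python
import struct
from collections import defaultdict

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def tcp_header(sport, dport, seq, ack, flags):
    """Build a minimal 20-byte TCP header (used only for the constructed samples)."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (5 << 12) | flags, 1024, 0, 0)

def is_ack_zero_probe(header):
    """True if the segment has only ACK set and an acknowledgment number of 0."""
    if len(header) < 20:
        return False  # truncated header: cannot be evaluated
    _sport, _dport, _seq, ack, off_flags = struct.unpack("!HHIIH", header[:14])
    if off_flags >> 12 < 5:
        return False  # invalid data offset
    flags = off_flags & 0x3F  # assumption: the CWR/ECE bits are ignored
    return flags == ACK and ack == 0

def probed_hosts_by_source(packets):
    """Map each source IP to the sorted destinations it sent ACK-zero probes to."""
    hits = defaultdict(set)
    for src, dst, header in packets:
        if is_ack_zero_probe(header):
            hits[src].add(dst)
    return {src: sorted(dsts) for src, dsts in hits.items()}

# Constructed sample traffic (documentation address ranges, not a real capture).
SAMPLE = [
    ("198.51.100.7", "192.0.2.10", tcp_header(40000, 80, 1000, 0, ACK)),
    ("198.51.100.7", "192.0.2.11", tcp_header(40000, 80, 1001, 0, ACK)),
    ("198.51.100.7", "192.0.2.12", tcp_header(40000, 80, 1002, 0, ACK)),
    ("192.0.2.50", "192.0.2.10", tcp_header(51000, 443, 77, 0, SYN)),       # ordinary SYN
    ("192.0.2.50", "192.0.2.10", tcp_header(51000, 443, 78, 9001, ACK)),    # ordinary ACK
    ("192.0.2.51", "192.0.2.10", tcp_header(51001, 443, 5, 0, ACK | PSH)),  # extra flag set
]

if __name__ == "__main__":
    for src, dsts in probed_hosts_by_source(SAMPLE).items():
        print(f"{src}: ACK/ack=0 probes to {len(dsts)} host(s): {', '.join(dsts)}")
```

Because the check is stateless, a single match only says that the segment has this shape; several destinations hit from one source is what suggests a sweep.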
Affected Systems All systems not protected by a stateful firewall are affected. The port
targeted by the TCP ping does not need to be open on the host being probed
to determine whether the machine is alive.
Attack Scenarios The first thing an attacker does is gather information about the
target, and Nmap may be used to see whether the potential target is alive
on a certain network. As part of the "pinging" technique used by Nmap,
a TCP ping can be used on networks that don't allow the ICMP protocol.
Ease of Attack Simple. Nmap requires no specialized experience to use.
Corrective Action Any stateful firewall should be enough to protect a host from being "TCP
ACK probed". If you see more suspicious or malicious activity from the
host doing the portscan, follow your standard procedure to assess the
potential threat. If you detect only TCP pings, it may be just a TCP
ping sweep and not a real threat.
Additional References arachnids: ids28
Rule References arachnids: 28