GEN:SID | 1:1228 |
Message | SCAN nmap XMAS |
Summary | A nmap XMAS scan was detected.
|
Impact | System reconnaissance that may include open/closed/firewalled ports, ACLs.
|
Detailed Information | Nmap sets the URG PSH and FIN bits as part of it's XMAS scan. Typically, a closed port will respond with an ACK RST, whereas an open port may not respond at all. However, this varies from machine to machine, and also depends on what (if any) filtering policies are in place between the hosts in question.
|
Affected Systems | All systems
|
Attack Scenarios | As part of information gathering that may occur before a more dedicated attack, an attacker may choose to use nmap's XMAS scan to determine open/closed ports.
__ Ease of Attack: Trivial. Nmap is freely available to anyone who wishes to use it. The only requirement is root/elevated privledges (the XMAS scan requires this) and a lack of proper filtering between the two machines.
|
Ease of Attack | |
Corrective Action | Determine what ports may have responded as being open, and what clues that may give an attacker relating to potential attacks. Additionally, investigate the use of proper ingress/egress filtering.
|
Additional References | SANS: http://rr.sans.org/firewall/egress.php
|
Rule References | arachnids: 30
|