Snort - the de facto standard for intrusion detection/prevention
Next: 3.15 What the heck Up: 3 Configuring Snort Previous: 3.13 Why does the

3.14 What the heck is a ``Stealth scan''?

``Stealth scan'' is a loose term covering several TCP scanning techniques, all of which avoid completing a normal connection to the ports being probed.

  • Half-open or SYN scan: the scanner never completes the TCP three-way handshake. It sends a SYN to the target port; if a SYN/ACK comes back the port is assumed open, and the scanner answers with a RST to tear the half-open connection down instead of sending the final ACK, so the listening application never sees a connection. If a RST/ACK comes back instead, the port is assumed closed.
  • FIN scan: according to RFC 793 a closed port must answer a FIN packet with a RST, while an open port silently discards it. A port that stays silent is therefore inferred to be open (or filtered).
  • XMAS tree scan: the same RFC 793 behaviour, but the probe has the FIN, URG and PUSH flags set at once (it ``lights up like a Christmas tree''). Closed ports answer with a RST; open ports stay silent.
  • NULL scan: the same again, with a probe that has no TCP flags set at all. Closed ports answer with a RST; open ports stay silent. Note that the FIN, XMAS and NULL scans rely on RFC 793 behaviour that not every stack follows: Microsoft Windows, for example, sends a RST from open ports too, so these three scans cannot tell open from closed on such hosts.
  • Slow scan: any of the above scans can be run as a slow scan, in which the attacker spaces the probes out at a very low rate, sometimes over hours, days or weeks. The idea is that a detector which counts probes per source within a fixed time window never sees enough probes in one window to cross its threshold, so the scan goes ``unnoticed''.
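The following is an added example, not code from the Snort FAQ or from Snort itself. It classifies probe packets by their TCP flag pattern into the scan types listed above, encodes the RFC 793 reply rules those scans depend on (including the caveat that some stacks send RST from open ports), and then runs a hypothetical time-windowed threshold detector over constructed traffic to show why the same XMAS scan is caught when run fast and missed when run slowly. The packet record layout, the flag-letter encoding and the detector thresholds are assumptions of this example.

```python
"""Added example (not part of the Snort FAQ): stealth-scan probe classification,
RFC 793 reply rules, and a windowed threshold detector that a slow scan evades.

Assumptions: packets are (timestamp_seconds, src, dst_port, flag_letters) tuples,
flag letters follow the usual S/A/F/R/P/U shorthand, and the detector's window and
port threshold are illustrative values, not Snort's."""
from collections import defaultdict

# TCP flag bit values from the RFC 793 header layout.
FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def flags_from_letters(letters):
    """'FPU' -> 0x29; '' -> 0 (the NULL probe)."""
    return sum(FLAGS[c] for c in letters)


def classify_probe(tcp_flags):
    """Name the scan type a probe with these flags belongs to, or None for
    anything that is not one of the listed probe patterns (SYN/ACK, data, ...)."""
    if tcp_flags == 0:
        return "NULL"
    if tcp_flags == FLAGS["F"]:
        return "FIN"
    if tcp_flags == flags_from_letters("FPU"):
        return "XMAS"
    if tcp_flags == FLAGS["S"]:
        return "SYN"  # first packet of a half-open scan (or of a normal connect)
    return None


def expected_reply(tcp_flags, port_open, rst_on_all_ports=False):
    """Reply a target port gives to an unsolicited probe.

    RFC 793: a closed port answers any segment that does not itself carry RST with
    a RST; an open port answers SYN with SYN/ACK and silently drops FIN, XMAS and
    NULL probes. rst_on_all_ports models stacks (Microsoft Windows, for one) that
    send RST from open ports as well, which defeats those three scans."""
    if tcp_flags & FLAGS["R"]:
        return None
    if not port_open:
        return "RST"
    if tcp_flags == FLAGS["S"]:
        return "SYN/ACK"
    return "RST" if rst_on_all_ports else None


def probe_verdict(kind, reply):
    """What the scanner concludes from the reply (or from silence)."""
    if kind == "SYN":
        # On SYN/ACK the scanner sends a bare RST to abort the half-open connection.
        return {"SYN/ACK": "open", "RST": "closed"}.get(reply, "filtered")
    # FIN/XMAS/NULL: only a RST is informative; silence is open OR filtered.
    return "closed" if reply == "RST" else "open|filtered"


def detect_scans(packets, window_seconds=60, port_threshold=5):
    """Hypothetical detector: flag (src, scan_type) when one source probes more than
    port_threshold distinct ports inside any sliding window of window_seconds."""
    history = defaultdict(list)  # (src, kind) -> [(ts, dport), ...] within window
    flagged = set()
    for ts, src, dport, letters in sorted(packets):
        kind = classify_probe(flags_from_letters(letters))
        if kind is None:
            continue
        hist = history[(src, kind)]
        hist.append((ts, dport))
        while hist and ts - hist[0][0] > window_seconds:  # expire old probes
            hist.pop(0)
        if len({p for _, p in hist}) > port_threshold:
            flagged.add((src, kind))
    return flagged


# Constructed sample traffic: the same 8-port XMAS scan run fast (one probe every
# 100 ms) and slow (one probe per hour), plus one ordinary connection to port 443.
FAST_XMAS = [(i * 0.1, "10.0.0.5", 20 + i, "FPU") for i in range(8)]
SLOW_XMAS = [(i * 3600.0, "10.0.0.6", 20 + i, "FPU") for i in range(8)]
NORMAL = [(5.0, "10.0.0.7", 443, "S"), (5.1, "10.0.0.7", 443, "A"),
          (5.2, "10.0.0.7", 443, "PA")]

if __name__ == "__main__":
    # Only the fast scanner trips the window threshold; the slow one never does.
    print(detect_scans(FAST_XMAS + SLOW_XMAS + NORMAL))  # {('10.0.0.5', 'XMAS')}
```

Lowering `port_threshold` or widening `window_seconds` makes the detector catch slower scans at the cost of more false positives from ordinary traffic, which is exactly the trade-off a slow scanner is betting on.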


Nigel Houghton 2006-10-02