There are 6 packets sent by Nmap for OS detection:
The six T2 through T7 tests each send one TCP probe packet. With one exception, the TCP options data in each case is (in hex) 03030A0102040109080AFFFFFFFF000000000402. Those 20 bytes correspond to window scale (10), NOP, MSS (265), Timestamp (TSval: 0xFFFFFFFF; TSecr: 0), then SACK permitted. The exception is that T7 uses a Window scale value of 15 rather than 10. The variable characteristics of each probe are described below:
1) T2 sends a TCP null (no flags set) packet with the IP DF bit set and a window field of 128 to an open port.
2) T3 sends a TCP packet with the SYN, FIN, URG, and PSH flags set and a window field of 256 to an open port. The IP DF bit is not set.
3) T4 sends a TCP ACK packet with IP DF and a window field of 1024 to an open port.
4) T5 sends a TCP SYN packet without IP DF and a window field of 31337 to a closed port.
5) T6 sends a TCP ACK packet with IP DF and a window field of 32768 to a closed port.
6) T7 sends a TCP packet with the FIN, PSH, and URG flags set and a window field of 65535 to a closed port. The IP DF bit is not set.
In each of these cases, a line is added to the fingerprint with results for the R, DF, T, TG, W, S, A, F, O, RD, and Q tests.
What are the 6 snort rules for detecting ONLY these packets?
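Before writing Snort rules it helps to have the matching logic spelled out once and tested against packets that carry exactly the header fields the question lists. The following Python decoder is an added example, not part of the question or of Nmap's or Snort's own code: `parse_ipv4_tcp` pulls the IP DF bit, TCP flags, window and raw TCP options from a packet, `classify_probe` names the T2 to T7 probe those four fields match, and `build_packet` is a constructed helper (made-up addresses and ports, no checksums) used only to produce sample input.

```python
import struct

# The 20-byte TCP options string every Nmap T2-T7 probe carries (T7 swaps the
# window-scale value 10 for 15). Hex taken from the question above.
NMAP_OPTS = bytes.fromhex("03030A0102040109080AFFFFFFFF000000000402")
NMAP_OPTS_T7 = bytes.fromhex("03030F0102040109080AFFFFFFFF000000000402")

FIN, SYN, PSH, ACK, URG = 0x01, 0x02, 0x08, 0x10, 0x20

# (DF set?, TCP flags, window, options) -> probe name, straight from the text.
PROBES = {
    (True,  0,               128,   NMAP_OPTS):    "T2",
    (False, SYN|FIN|URG|PSH, 256,   NMAP_OPTS):    "T3",
    (True,  ACK,             1024,  NMAP_OPTS):    "T4",
    (False, SYN,             31337, NMAP_OPTS):    "T5",
    (True,  ACK,             32768, NMAP_OPTS):    "T6",
    (False, FIN|PSH|URG,     65535, NMAP_OPTS_T7): "T7",
}

def parse_ipv4_tcp(pkt: bytes):
    """Return (df, flags, window, options) from a raw IPv4+TCP packet, or None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    df = bool(struct.unpack("!H", pkt[6:8])[0] & 0x4000)   # DF is bit 14
    tcp = pkt[ihl:]
    if len(tcp) < 20:
        return None
    offset_flags, window = struct.unpack("!HH", tcp[12:16])
    data_off = (offset_flags >> 12) * 4
    flags = offset_flags & 0x1FF                            # NS..FIN bits
    return df, flags, window, tcp[20:data_off]

def classify_probe(pkt: bytes):
    """Name the Nmap probe (T2..T7) a packet matches, or None for anything else."""
    fields = parse_ipv4_tcp(pkt)
    return PROBES.get(fields) if fields else None

def build_packet(df, flags, window, options, dport=80):
    """Constructed IPv4+TCP packet (no checksums; enough for header matching)."""
    frag = 0x4000 if df else 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(options), 0x1234, frag,
                     64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    data_off = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIHHHH", 54321, dport, 0, 0, (data_off << 12) | flags,
                      window, 0, 0)
    return ip + tcp + options
```

Each key in `PROBES` maps one-to-one onto a Snort rule: the DF bit is the `fragbits` test, the flags tuple is the `flags` test, the window is the `window` test, and the options bytes are what distinguishes the probe from ordinary traffic with the same flags and window.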