# $Id: scan-lib,v 1.6 2000/03/07 04:08:27 fyodor Exp $ 
# this library is for hostile scans and protocol pokes

# look for stealth port scans/sweeps
# All stealth scans are covered by the Snort Portscan Preprocessor (spp_portscan),
# so these alerts are only needed if SPP has been disabled.
# SPP is configured by default from within snort-lib
#alert tcp any any -> $HOME_NET any (msg:"SYN FIN Scan"; flags: SF;)
#alert tcp any any -> $HOME_NET any (msg:"FIN Scan"; flags: F;)
#alert tcp any any -> $HOME_NET any (msg:"NULL Scan"; flags: 0;)
#alert tcp any any -> $HOME_NET any (msg:"XMAS Scan"; flags: FPU;)
#alert tcp any any -> $HOME_NET any (msg:"Full XMAS Scan"; flags: SRAFPU;)
#alert tcp any any -> $HOME_NET any (msg:"URG Scan"; flags: U;)
#alert tcp any any -> $HOME_NET any (msg:"PUSH Scan"; flags: P;)
#alert tcp any any -> $HOME_NET any (msg:"URG FIN Scan"; flags: FU;)
#alert tcp any any -> $HOME_NET any (msg:"PUSH FIN Scan"; flags: FP;)
#alert tcp any any -> $HOME_NET any (msg:"URG PUSH Scan"; flags: PU;)
alert tcp any any -> $HOME_NET any (flags: A; ack: 0; msg:"NMAP TCP ping!";)

# detect fingerprinting attempts
alert tcp any any -> $HOME_NET any (msg:"Possible NMAP Fingerprint attempt"; flags: SFPU;)
alert tcp any any -> $HOME_NET any (msg:"Possible Queso Fingerprint attempt"; flags: S12;)

# Windows Traceroutes
alert icmp any any -> $HOME_NET any (msg:"Windows Traceroute"; TTL: 1; itype: 8;)

# Standard Traceroutes
alert udp any any -> $HOME_NET any (msg:"Traceroute"; TTL: 1;)

# Watch for WinGate Scans
alert tcp any any -> $HOME_NET 1080 (msg:"WinGate 1080 Attempt"; flags: S;)
alert tcp any any -> $HOME_NET 8080 (msg:"WinGate 8080 Attempt"; flags: S;)
