OK, I have mentioned a few times in my blog that the CLI is THE thing and GUIs are only for WIMP users ;) . I seldom use Wireshark compared to TShark, and I rely more on tcpdump.. you know, the CLI thingy. But then I've read many times about this one tool. Some people said it would replace Wireshark later on, but the guys behind the tool said it should never replace Wireshark and should be used WITH Wireshark instead. So what the heck, I just browsed to the tool developer's web site and decided to download it. OK, you need to register and activate this software as well, but I think adding applications to my Facebook interface is much more complicated ;P (yeah yeah, I have a Facebook account. No big deal ;)

Guys, this tool is impressive.. even for a CLI-is-the-best zealot like me ;)


Recently (well, not that recently) we received this kind of alert, which triggered some discussion among us.

[**] [1:2000538:5] ET SCAN NMAP -sA (1) [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/10-13:59:00.891305 192.168.4.20:80 -> 192.168.4.127:256
TCP TTL:44 TOS:0x0 ID:56012 IpLen:20 DgmLen:40
***A**** Seq: 0x11BBA413 Ack: 0x5A5D56A9 Win: 0x400 TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS162]

250 identical alerts were triggered, which piqued my curiosity as well (and also means I need your input).

Here is the rule that triggers the alert:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sA (1)"; fragbits: !D; dsize: 0; flags: A,12; window: 1024; reference:arachnids,162; classtype: attempted-recon; sid: 2000538; rev:5;)

Anyway, since we don't have the benefit of looking at the actual traffic, what I can do is try to guess or simulate the traffic that may trigger the alerts.

So the main issue: the alerts show 192.168.4.20 performing an nmap -sA scan against 192.168.4.127 from port 80, but some of my colleagues told me it's the other way around.

Meaning that 192.168.4.20 is actually responding to requests from 192.168.4.127. I tried a few times to craft a request that would produce the response that triggers the alerts.

So, if any of you can help me craft a request that produces this kind of response:

13:59:00.892083 IP 192.168.4.20.80 > 192.168.4.127.53: . ack 1817132945 win 3072
13:59:01.992738 IP 192.168.4.20.80 > 192.168.4.127.53: . ack 3666296980 win 1024
13:59:01.993247 IP 192.168.4.20.80 > 192.168.4.127.80: . ack 3322425882 win 3072
13:59:01.993654 IP 192.168.4.20.80 > 192.168.4.127.554: . ack 3954598287 win 1024
13:59:01.994093 IP 192.168.4.20.80 > 192.168.4.127.389: . ack 1397273947 win 4096
13:59:01.994193 IP 192.168.4.20.80 > 192.168.4.127.256: . ack 3032925021 win 1024
13:59:01.994658 IP 192.168.4.20.80 > 192.168.4.127.443: . ack 3616913710 win 3072
13:59:01.995096 IP 192.168.4.20.80 > 192.168.4.127.21: . ack 3566764576 win 3072

I would be more than glad and grateful to receive/read/hear your views/opinions/advice.

Anyway, here is the simulation I tried and a simple analysis of it: anal1.pdf
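As an added example (my own code, not part of the original post), here is a small Python checker that applies the option tests of sid 2000538 to the tcpdump lines quoted above and reports which packets the rule would fire on. The values of $HOME_NET and $EXTERNAL_NET are assumptions, since the post does not give them, and the non-verbose tcpdump output is taken to mean zero payload and no DF bit.

```python
import ipaddress
import re
# Constructed sample: the eight tcpdump lines quoted in the post (old tcpdump
# syntax: "." = none of SYN/FIN/RST/PSH set, "ack N" = ACK bit set).
CAPTURE = """\
13:59:00.892083 IP 192.168.4.20.80 > 192.168.4.127.53: . ack 1817132945 win 3072
13:59:01.992738 IP 192.168.4.20.80 > 192.168.4.127.53: . ack 3666296980 win 1024
13:59:01.993247 IP 192.168.4.20.80 > 192.168.4.127.80: . ack 3322425882 win 3072
13:59:01.993654 IP 192.168.4.20.80 > 192.168.4.127.554: . ack 3954598287 win 1024
13:59:01.994093 IP 192.168.4.20.80 > 192.168.4.127.389: . ack 1397273947 win 4096
13:59:01.994193 IP 192.168.4.20.80 > 192.168.4.127.256: . ack 3032925021 win 1024
13:59:01.994658 IP 192.168.4.20.80 > 192.168.4.127.443: . ack 3616913710 win 3072
13:59:01.995096 IP 192.168.4.20.80 > 192.168.4.127.21: . ack 3566764576 win 3072
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRP.]+)(?: \d+:\d+\((?P<len>\d+)\))?(?: ack (?P<ack>\d+))? win (?P<win>\d+)(?P<df> \(DF\))?")

def parse_tcpdump(text):
    """Turn old-style tcpdump TCP lines into dicts holding the fields the rule tests."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a TCP line in the format we understand
        d = m.groupdict()
        flags = (set(d["flags"]) - {"."}) | ({"A"} if d["ack"] else set())
        pkts.append({"src": d["src"], "sport": int(d["sport"]), "dst": d["dst"],
                     "dport": int(d["dport"]), "flags": flags, "window": int(d["win"]),
                     "dsize": int(d["len"] or 0),  # no seq range printed -> no payload
                     "df": d["df"] is not None})   # "(DF)" only shown when set
    return pkts

def in_net(ip, net):  # Snort-style address variable: "any", a CIDR, or a "!"-negated CIDR
    if net.startswith("!"):
        return not in_net(ip, net[1:])
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)

def matches_sid_2000538(p, home_net, external_net="any"):
    """$EXTERNAL_NET any -> $HOME_NET any; fragbits:!D; dsize:0;
    flags:A,12 (only ACK set, the two reserved/ECN bits ignored); window:1024."""
    return (in_net(p["src"], external_net) and in_net(p["dst"], home_net)
            and not p["df"] and p["dsize"] == 0
            and p["flags"] == {"A"} and p["window"] == 1024)

def alerts_for(text, home_net, external_net="any"):
    """(src, sport, dst, dport, window) for every packet the rule would fire on."""
    return [(p["src"], p["sport"], p["dst"], p["dport"], p["window"])
            for p in parse_tcpdump(text) if matches_sid_2000538(p, home_net, external_net)]
```

With HOME_NET assumed as 192.168.4.0/24 and EXTERNAL_NET as any, only the three win 1024 packets (to ports 53, 554 and 256) satisfy this rule, which agrees with the quoted alert on port 256 with Win 0x400; with EXTERNAL_NET set to !$HOME_NET the same capture produces no hits at all, so the fact that the alert fired tells you something about how the sensor's variables are set.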