
Filter to help identify TCP Connect scan

Would the filter tcp.flags.rst == 1 and tcp.flags.ack == 1 help identify TCP Connect Scan packets?

wonskki
asked 2022-03-31 18:43:40 +0000

1 Answer

If it is a connect scan that uses RST to end the connection, like nmap's connect scan will, then that should catch the end of those streams. This is pretty typical of a scanner that wants to tear down connections and move on but technically connect scans could use FIN to end connections. (This isn't common though. I would look for RST.)

You may want to add something like tcp.time_relative < 2. This will scoop up streams that see a RST very shortly after the connection is established and weed out false positives from actual data-transferring streams that happen to end with a RST.

Ginny S
answered 2022-04-13 20:52:32 +0000
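To show what the two filters in the answer actually select, here is an added example (not code from the question or the answer) that applies the same logic in Python to a constructed set of packet records. It assumes records carry a Wireshark-style stream index, a capture timestamp and the raw TCP flag byte; `tcp.time_relative` is recomputed as seconds since the first packet of the same stream. The capture is made up: one host completes handshakes to three ports and tears each down with RST/ACK within milliseconds, while a second host holds a 30-second data session that also happens to end with RST/ACK.

```python
"""Added example: Python equivalent of the Wireshark filters
tcp.flags.rst == 1 and tcp.flags.ack == 1 [and tcp.time_relative < 2]
run over constructed packet records."""
from dataclasses import dataclass
from collections import defaultdict

# Standard TCP flag bits
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass
class Packet:
    ts: float      # capture timestamp in seconds (constructed)
    stream: int    # like Wireshark's tcp.stream index
    src: str       # sender of this packet
    dst: str
    port: int      # server-side port of the stream
    flags: int     # raw TCP flag byte
    payload: int   # TCP payload bytes


def with_relative_times(packets):
    """Yield (packet, tcp.time_relative): seconds since the first packet of its stream."""
    first_seen = {}
    for p in sorted(packets, key=lambda p: p.ts):
        first_seen.setdefault(p.stream, p.ts)
        yield p, p.ts - first_seen[p.stream]


def matches(p, rel, max_rel):
    """tcp.flags.rst == 1 and tcp.flags.ack == 1 and tcp.time_relative < max_rel"""
    return bool(p.flags & RST) and bool(p.flags & ACK) and rel < max_rel


def flagged_streams(packets, max_rel=float("inf")):
    """Return {stream: (src, port)} for streams with a matching RST/ACK.
    The default max_rel applies only the RST/ACK part of the filter."""
    out = {}
    for p, rel in with_relative_times(packets):
        if matches(p, rel, max_rel) and p.stream not in out:
            out[p.stream] = (p.src, p.port)
    return out


def ports_per_source(flagged):
    """Distinct ports torn down per source; many from one host is scan-like."""
    counts = defaultdict(set)
    for src, port in flagged.values():
        counts[src].add(port)
    return {src: len(ports) for src, ports in counts.items()}


def connect_scan_stream(stream, t0, src, dst, port):
    """Constructed connect-style stream: full handshake, then immediate RST/ACK."""
    return [
        Packet(t0,         stream, src, dst, port, SYN, 0),
        Packet(t0 + 0.010, stream, dst, src, port, SYN | ACK, 0),
        Packet(t0 + 0.020, stream, src, dst, port, ACK, 0),
        Packet(t0 + 0.025, stream, src, dst, port, RST | ACK, 0),
    ]


def sample_capture():
    """Constructed capture: three short probe streams from 10.0.0.5, plus a
    30-second data session from 10.0.0.7 that also ends with RST/ACK."""
    pkts = []
    pkts += connect_scan_stream(0, 1.0, "10.0.0.5", "10.0.0.9", 22)
    pkts += connect_scan_stream(1, 1.1, "10.0.0.5", "10.0.0.9", 80)
    pkts += connect_scan_stream(2, 1.2, "10.0.0.5", "10.0.0.9", 443)
    pkts += [
        Packet(5.00, 3, "10.0.0.7", "10.0.0.9", 443, SYN, 0),
        Packet(5.01, 3, "10.0.0.9", "10.0.0.7", 443, SYN | ACK, 0),
        Packet(5.02, 3, "10.0.0.7", "10.0.0.9", 443, ACK, 0),
        Packet(5.50, 3, "10.0.0.7", "10.0.0.9", 443, ACK, 1200),
        Packet(35.0, 3, "10.0.0.7", "10.0.0.9", 443, RST | ACK, 0),
    ]
    return pkts


if __name__ == "__main__":
    pkts = sample_capture()
    print("rst+ack only:     ", sorted(flagged_streams(pkts)))
    print("with time_relative<2:", sorted(flagged_streams(pkts, max_rel=2.0)))
    print("ports per source: ", ports_per_source(flagged_streams(pkts, max_rel=2.0)))
```

Running it shows the point of the second filter: the RST/ACK condition alone selects all four streams, while adding `tcp.time_relative < 2` drops the long data session and leaves only the three probe streams, all from one source against three ports. As the answer notes, a scanner that finishes with FIN instead of RST would not be caught by either filter.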