Expected behaviour for Null, FIN and XMAS scans

Reply
L2 Linker

Expected behaviour for Null, FIN and XMAS scans

Running through a few very basics tests to prove Zone Protection etc with a customer, what is the expected default behaviour for reconaissance scans such as Null, FIN and XMAS scans?

 

Currently I can get the following nmap commands to run without issue and no logs beyond ping or icmp.

nmap -sX

nmap -sF

nmap -sN

 

What would be the appropriate measure to block/alert these? assuming there is a cryptic box top tick under the ZPP dialogs

Community Manager

Re: Expected behaviour for Null, FIN and XMAS scans

'rogue' flags are removed from packets without needing a Zone Protection Profile in place


Help the community: Like helpful comments and mark solutions
Reaper out
L2 Linker

Re: Expected behaviour for Null, FIN and XMAS scans

It's probably somewhere subtle, but is this documented anywhere?
Highlighted
L2 Linker

Re: Expected behaviour for Null, FIN and XMAS scans

Confirming that a packet capture on the "victim" machine shows no packets with TCP flags for ACK, FIN or PSH set when performing Christmas Tree. Packet capture on Firewall at stage "Receive" shows that the packets are indeed received by the firewall.

 

nmap command used:

nmap -sX -v [host]

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!