04-17-2017 06:32 PM - edited 04-17-2017 06:34 PM
Running through a few very basics tests to prove Zone Protection etc with a customer, what is the expected default behaviour for reconaissance scans such as Null, FIN and XMAS scans?
Currently I can get the following nmap commands to run without issue and no logs beyond ping or icmp.
nmap -sX
nmap -sF
nmap -sN
What would be the appropriate measure to block/alert these? assuming there is a cryptic box top tick under the ZPP dialogs
04-18-2017 06:31 AM
'rogue' flags are removed from packets without needing a Zone Protection Profile in place
04-18-2017 05:05 PM
Confirming that a packet capture on the "victim" machine shows no packets with TCP flags for ACK, FIN or PSH set when performing Christmas Tree. Packet capture on Firewall at stage "Receive" shows that the packets are indeed received by the firewall.
nmap command used:
nmap -sX -v [host]
04-18-2017 06:31 AM
'rogue' flags are removed from packets without needing a Zone Protection Profile in place
04-18-2017 03:49 PM
04-18-2017 05:05 PM
Confirming that a packet capture on the "victim" machine shows no packets with TCP flags for ACK, FIN or PSH set when performing Christmas Tree. Packet capture on Firewall at stage "Receive" shows that the packets are indeed received by the firewall.
nmap command used:
nmap -sX -v [host]
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
