# $Id: scan-lib,v 1.3 2000/01/15 11:46:26 fyodor Exp $ 
# this library is for hostile scans and protocol pokes

# look for stealth port scans/sweeps
alert tcp any any -> $HOME_NET any (msg:"SYN FIN Scan"; flags: SF;)
alert tcp any any -> $HOME_NET any (msg:"FIN Scan"; flags: F;)
alert tcp any any -> $HOME_NET any (msg:"NULL Scan"; flags: 0;)
alert tcp any any -> $HOME_NET any (msg:"XMAS Scan"; flags: FPU;)
alert tcp any any -> $HOME_NET any (msg:"Full XMAS Scan"; flags: SRAFPU;)
alert tcp any any -> $HOME_NET any (msg:"URG Scan"; flags: U;)
alert tcp any any -> $HOME_NET any (msg:"PUSH Scan"; flags: P;)
alert tcp any any -> $HOME_NET any (msg:"URG FIN Scan"; flags: FU;)
alert tcp any any -> $HOME_NET any (msg:"PUSH FIN Scan"; flags: FP;)
alert tcp any any -> $HOME_NET any (msg:"URG PUSH Scan"; flags: PU;)
alert tcp any any -> $HOME_NET any (flags: A; ack: 0; msg:"NMAP TCP ping!";)

# detect fingerprinting attempts
alert tcp any any -> $HOME_NET any (msg:"Possible NMAP Fingerprint attempt"; flags: SFPU;)
alert tcp any any -> $HOME_NET any (msg:"Possible Queso Fingerprint attempt"; flags: S12;)

# Windows Traceroutes
alert icmp any any -> $HOME_NET any (msg:"Windows Traceroute"; TTL: 1; itype: 8;)

# Standard Traceroutes
alert udp any any -> $HOME_NET any (msg:"Traceroute"; TTL: 1;)

# Watch for WinGate Scans
alert tcp any any -> $HOME_NET 1080 (msg:"WinGate 1080 Attempt"; flags: S;)
alert tcp any any -> $HOME_NET 8080 (msg:"WinGate 8080 Attempt"; flags: S;)
