Snort Rules for ACK Scans, Oh My!

We were required to describe at least 2 rules that could be used by Snort to detect an ACK scan, clearly express assumptions and explain rules. This was my response:

Answer: ACK scans are generally used to identify ports or hosts that may be filtered and resistant to any other form of scanning.  The mechanism is straightforward – a target system is presented with a packet with the ACK flag set with a sequence number of zero (typically) to an interesting port (for example, port 25).  Since generally the sequence number is not zero, there is a violation of TCP rules associated with that parameter, and the target sends back a RST.  The presence of the RST provides an attacker with a good indication that the host is alive, but behind some form of filtering (a firewall, a router, or even some proxies, for example).  Two potential Snort rules for detecting this behavior are:

alert tcp 172.16.16.0/24 any -> 172.16.17.0/24 any (flags:A; ack:0; msg: “Potential Ack Scan”; sid:     10001;), or

alert tcp 172.16.16.0/24 any -> 172.16.17.0/24 any (flags:AR; msg: “Ack and RST detected-Potential Ack Scan”; sid: 10002;)

In the first rule, the assumption is that the Acknowledgment flag will be set and the sequence value will be set to “0”, which will cause the target to return a “RST” per RFC 793.  Since the sequence value is generally non-zero, this provides a strong indication that the flag was arbitrarily set by a tool for reconnaissance purposes.  The second rule, while like the first, looks for the existence of a “RST” with the Acknowledgment flag set – rather than looking for the existence of a zero-sequence value.  The existence of these two flags together simultaneously can also be an indicator of an ACK scan being used for reconnaissance purposes, or “firewalking”.

Bro as a NIDS could potentially be better suited to detect Ack scans, as it is both signature and anomaly based.  An analyst could potentially tune Bro to not only detect the existence of an Ack flag or sequence number of 0, but also correlate it somehow to other reconnaissance activities against a potential target that were subsequently blocked by the firewall, or tuned out as excessive scan noise.  Further, the existence of RSTs from the potential target in conjunction with Ack flags set could be automated in a correlation to alert on the behavior rather than a pure signature.

Share the love!