{"title":"Internet Protocol Identification Number Based Ideal Stealth Port Scan Detection Using Snort","authors":"S. Patel, Abhilash Sonker","doi":"10.1109/CICN.2016.89","DOIUrl":null,"url":null,"abstract":"Port scanning is a reconnaissance phase of networking and many researchers have implemented different techniques to secure the network from port scan attacks. Intrusion Detection System (IDS) is also one of them and SNORT is an open source tool for Intrusion Detection and Prevention System. Today port scanning is a growing technology in network security to perform penetration testing and hacking and mostly researchers have focused in this field to detect stealth port scan attacks named as FIN scan, XMUS and NULL scan. To detect these attacks some of them used signature or rule-based technique and some are anomaly based techniques to improve security of network. In above techniques rules used FIN, PSH, and URG flag to detect attack but in case of idle port scan attack rules used FIN and RST flags which is also part of TCP connect() method so using this flag directly will generate the false alarm. In this paper we propose an IP identification number based detection plug-in to detect idle port scan attack. 
In this proposed techniques we will able to detect the idle port scan attack using FIN and RST flag with IP ID number of packet.","PeriodicalId":189849,"journal":{"name":"2016 8th International Conference on Computational Intelligence and Communication Networks (CICN)","volume":"9 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2016-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"13","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2016 8th International Conference on Computational Intelligence and Communication Networks (CICN)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/CICN.2016.89","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 13
Abstract
Port scanning is a reconnaissance phase of networking, and many researchers have implemented different techniques to secure the network from port scan attacks. An Intrusion Detection System (IDS) is one of them, and SNORT is an open source tool for intrusion detection and prevention. Today port scanning is a growing technology in network security, used to perform penetration testing and hacking, and most researchers in this field have focused on detecting the stealth port scan attacks known as FIN scan, XMAS and NULL scan. To detect these attacks, some used signature or rule-based techniques and some used anomaly-based techniques to improve network security. In the above techniques, rules used the FIN, PSH, and URG flags to detect an attack, but in the case of an idle port scan attack, rules used the FIN and RST flags, which are also part of the TCP connect() method, so using these flags directly will generate false alarms. In this paper we propose an IP identification number based detection plug-in to detect the idle port scan attack. With the proposed technique we will be able to detect the idle port scan attack using the FIN and RST flags together with the IP ID number of the packet.