In a SYN port scan, it is expected that the attacker sends a SYN request, and the victim responds with a SYN|ACK reply. Currently, the victim is responding with the RST|ACK flags set instead.
The parameters used for the PortscanAttack are as follows:
-a "PortscanAttack" ip.src="66.66.66.66" mac.src="32:08:24:DC:8D:27" inject.at-timestamp=1476301843
The following is what is observed in Wireshark in the resulting pcap file:
101 2016-11-02 16:44:36.718 66.66.66.66 192.168.178.13 TCP 60 0 8542→8080 [SYN] Seq=0 Win=8192 Len=0
102 2016-11-02 16:44:36.718 192.168.178.13 66.66.66.66 TCP 60 0 8080→8542 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
The problem lies in file "PortscanAttack.py" in line 127. I see no reason for converting "dport" to a string.
In the line
if str(dport) in self.get_param_value(Param.PORT_OPEN):
wouldn't it make more sense to drop the "str(dport)" and just have:
if dport in self.get_param_value(Param.PORT_OPEN):
@carlos.garcia I can confirm. The _is_port method which writes the port value in the params list always returns an int or a list of int.
I improved the comment for _is_port in commit aed49ee.
By default the port 8080 should be scanned and should be marked as open, is this not correct?
@patrick.jattke can you confirm if this fix is not breaking functionality somewhere else?
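The type mismatch discussed in this thread, as an added example that is not part of the original issue or the project's own code: it shows why a str(dport) lookup against int ports always yields RST|ACK, next to an int lookup. All function names and the flag strings are hypothetical, and the normalizer goes beyond the thread by also accepting numeric strings and range-checking ports.

```python
# Added illustration. Names below are hypothetical and are not taken from
# PortscanAttack.py; the thread states open ports are stored as an int or a
# list of int, which is the assumption used here.

def to_int_ports(value):
    """Normalize an int, a numeric str, or a list of either to a set of ints."""
    items = value if isinstance(value, (list, tuple, set)) else [value]
    ports = set()
    for item in items:
        port = int(item)  # raises ValueError on non-numeric input
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        ports.add(port)
    return ports


def reply_flags_str_lookup(dport, port_open):
    """Membership test in the style of the reported line (port cast to str)."""
    items = port_open if isinstance(port_open, list) else [port_open]
    # "8080" == 8080 is False in Python, so a list of int never matches.
    return "SYN|ACK" if str(dport) in items else "RST|ACK"


def reply_flags_int_lookup(dport, port_open):
    """Membership test on ints, with both sides normalized first."""
    return "SYN|ACK" if int(dport) in to_int_ports(port_open) else "RST|ACK"


def simulate_scan(ports, port_open, lookup):
    """Return {probed port: victim reply flags} for the given lookup function."""
    return {p: lookup(p, port_open) for p in ports}


if __name__ == "__main__":
    probed = [22, 80, 8080]  # constructed sample input
    for open_param in (8080, [80, 8080]):
        print("str lookup:", open_param,
              simulate_scan(probed, open_param, reply_flags_str_lookup))
        print("int lookup:", open_param,
              simulate_scan(probed, open_param, reply_flags_int_lookup))
```

A check like the one in simulate_scan works as a regression test: an open port that never produces SYN|ACK in the generated traffic indicates the lookup types have drifted apart again.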