# this library is for hostile scans and protocol pokes

# look for stealth port scans/sweeps
alert tcp any any -> $HOME_NET any (msg:"SYN FIN Scan"; flags: SF;)
alert tcp any any -> $HOME_NET any (msg:"FIN Scan"; flags: F;)
alert tcp any any -> $HOME_NET any (msg:"NULL Scan"; flags: 0;)
alert tcp any any -> $HOME_NET any (msg:"XMAS Scan"; flags: FPU;)
alert tcp any any -> $HOME_NET any (msg:"Full XMAS Scan"; flags: SRAFPU;)
alert tcp any any -> $HOME_NET any (flags: A; ack: 0; msg:"NMAP TCP ping!";)

# detect fingerprinting attempts
alert tcp any any -> $HOME_NET any (msg:"Possible NMAP Fingerprint attempt"; flags: SFPU;)
alert tcp any any -> $HOME_NET any (msg:"Possible Queso Fingerprint attempt"; flags: S12;)

# Windows Traceroutes
alert icmp any any -> $HOME_NET any (msg:"Windows Traceroute"; TTL: 1; itype: 8;)

# Standard Traceroutes
alert udp any any -> $HOME_NET any (msg:"Traceroute"; TTL: 1;)

# Watch for WinGate Scans
alert tcp any any -> $HOME_NET 1080 (msg:"WinGate 1080 Attempt"; flags: S;)
alert tcp any any -> $HOME_NET 8080 (msg:"WinGate 8080 Attempt"; flags: S;)
