On 7/27/05, Brent Clark <bclark@xxxxxxxxxxxxxxxxxxxx> wrote:
> I got tips for nmap blocking from someone on this list.

I think I'm that someone. This looks like my post in the "Defeating NMAP Null scans (and Nessus scans)" thread.

> I'm trying to log the problems that logged.
> Would anyone care to recheck my ruleset, just to make sure I got this right.

You might consider more informative prefixes than just "PREROUTING: ". It's fine if some automated parser is going through and will determine scan type by the options logged, but a human reading the log might be helped by an indicator like "PREROUTING NULLscan: " or something of the sort.

> P.S. If anyone knows of any other rules I can add, it would be
> gratefully appreciated.

My original post did include a NULL scan rule, but not the ACK scan that Jörg mentioned.
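
The "automated parser" case mentioned in the reply, as an added example that is not part of the original post: it reads the TCP flag names the netfilter LOG target prints between `RES=` and `URGP=` and derives the scan type that a generic "PREROUTING: " prefix leaves out. The log lines are constructed samples using documentation addresses, and the labels other than "NULLscan" are this example's own assumptions.

```python
import re

# Flag names as the netfilter LOG target prints them, between RES= and URGP=.
TCP_FLAGS = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")

# Flag sets mapped to labels (label names are assumptions of this example).
# A lone ACK is only suspicious if the logging rule already excluded
# traffic that belongs to an established connection.
SCAN_TYPES = {
    frozenset(): "NULLscan",
    frozenset({"FIN"}): "FINscan",
    frozenset({"FIN", "PSH", "URG"}): "XMASscan",
    frozenset({"SYN", "FIN"}): "SYN+FIN",
    frozenset({"ACK"}): "ACK-only",
}

FLAG_FIELD = re.compile(r"\bRES=0x[0-9a-fA-F]+ (?P<flags>(?:[A-Z]+ )*)URGP=")
SRC_FIELD = re.compile(r"\bSRC=(\S+)")
DPT_FIELD = re.compile(r"\bDPT=(\d+)")

# Constructed sample input (not taken from the thread).
SAMPLE_LOG = """
Jul 27 10:00:01 fw kernel: PREROUTING: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=40000 DPT=80 WINDOW=1024 RES=0x00 URGP=0
Jul 27 10:00:02 fw kernel: PREROUTING: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=2 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Jul 27 10:00:03 fw kernel: PREROUTING: IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=3 PROTO=TCP SPT=40002 DPT=443 WINDOW=1024 RES=0x00 ACK URGP=0
Jul 27 10:00:04 fw kernel: PREROUTING: IN=eth0 OUT= SRC=192.0.2.12 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=4 PROTO=UDP SPT=53 DPT=53 LEN=28
Jul 27 10:00:05 fw kernel: PREROUTING: IN=eth0 OUT= SRC=192.0.2.13 DST=198.51.100.5 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=5 PROTO=TCP SPT=40003 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
""".strip()


def classify(line):
    """Return (src, dport, label) for a TCP LOG line, or None otherwise."""
    if "PROTO=TCP" not in line:
        return None
    m = FLAG_FIELD.search(line)
    src, dpt = SRC_FIELD.search(line), DPT_FIELD.search(line)
    if not (m and src and dpt):
        return None  # truncated or unexpected line: do not guess
    flags = frozenset(m.group("flags").split()) & frozenset(TCP_FLAGS)
    # Unlisted combinations are reported with their flags in kernel order.
    other = "other:" + ",".join(f for f in TCP_FLAGS if f in flags)
    return src.group(1), int(dpt.group(1)), SCAN_TYPES.get(flags, other)


if __name__ == "__main__":
    for entry in SAMPLE_LOG.splitlines():
        print(classify(entry))
```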