Subject: RE: [snort] Syn and Fin in different packets together
From: Mullen, Patrick (Patrick.MullenGD-CS.COM)
Date: Tue Mar 21 2000 - 16:22:19 CST


> Anyone know what can cause traffic like this? (This is a mixture of
> portscan and -A full alerts.) X and Y are fixed IPs. We had a similar
> traffic pattern from the same source (X) a few days ago.
>
> Mar 20 18:17:24 X:1669 -> Y:80 FIN ***F****
> Mar 20 18:17:24 X:1669 -> Y:80 SYN **S*****
> [**] IDS027 - SCAN-FIN [**]
> 03/20-18:17:24.259062 X:1669 -> Y:80
> TCP TTL:116 TOS:0x0 ID:44867 DF
> ***F**** Seq: 0xB3FA71 Ack: 0x0 Win: 0x0

Somebody's testing out their new (broken) portscanner
on you...? Weird stuff, especially this one where the
FIN came before the SYN. In normal traffic the FIN would
come last, and it would have an appropriate ACK.

I actually wouldn't be surprised if someone was testing out
what a FIN scan should look like. I've done the same, but I
wisely did it against machines I was allowed to do it to. :)

~Patrick
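An added example, not part of the thread, that turns the two observations above (a FIN carrying no ACK, and a FIN arriving on a flow before its SYN) into a check over Snort portscan-log lines in the format quoted in the post. The log lines are constructed after that format, keeping the X/Y placeholders for the two fixed IPs; `find_fin_anomalies` and the regex are this example's own names.

```python
import re

# Constructed sample in the Snort portscan-log style quoted in the thread;
# X and Y stand in for the fixed source and destination IPs, as in the post.
SAMPLE_LOG = """\
Mar 20 18:17:24 X:1669 -> Y:80 FIN ***F****
Mar 20 18:17:24 X:1669 -> Y:80 SYN **S*****
Mar 20 18:17:25 X:1670 -> Y:80 SYN **S*****
Mar 20 18:17:26 X:1670 -> Y:80 FIN ***F**A*
"""

# Eight-character flag field: a letter marks a set TCP flag, '*' a clear one.
# Only the letters are interpreted, so Snort's column order does not matter.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<src>\S+) -> (?P<dst>\S+) "
    r"\S+ (?P<flags>[12UAPRSF*]{8})$"
)


def parse_flags(field):
    """Return the set of TCP flag letters present in a Snort flag field."""
    return {c for c in field if c != "*"}


def find_fin_anomalies(log_text):
    """Return (timestamp, (src, dst), reason) for FIN packets that either
    carry no ACK (a normal close acknowledges the peer's data) or arrive on
    a src/dst pair for which no SYN has been seen yet (FIN before SYN)."""
    seen_syn = set()
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a portscan-log entry
        flow = (m["src"], m["dst"])
        flags = parse_flags(m["flags"])
        if "F" in flags:
            if "A" not in flags:
                findings.append((m["ts"], flow, "FIN without ACK"))
            if flow not in seen_syn:
                findings.append((m["ts"], flow, "FIN before SYN"))
        if "S" in flags:
            seen_syn.add(flow)
    return findings


if __name__ == "__main__":
    for ts, (src, dst), reason in find_fin_anomalies(SAMPLE_LOG):
        print(f"{ts} {src} -> {dst}: {reason}")
```

Only the first quoted flow is reported, on both counts; the second, constructed as a normal SYN followed by a FIN/ACK, passes.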