From: skop d'skop (skop visto.com)
Date: Wed Jun 06 2001 - 21:08:13 CDT
hi all,
wonder what this pattern is all about - taken from snort_portscan.log
May 30 04:38:52 a.b.c.d:21 -> w.x.y.z:21 SYNFIN ******SF
May 30 04:38:53 a.b.c.d:19689 -> w.x.y.z:21 SYN ******S*
May 30 04:38:52 a.b.c.d:21 -> w.x.y.z:21 SYNFIN ******SF
May 30 04:38:52 a.b.c.d:19687 -> w.x.y.z:21 SYN ******S*
1. it tries to connect to w.x.y.z with the synfin flag - maybe to avoid detection - but it is detected by the ids?
2. its source port is 21 (<1024), which requires a root service - but how would you do scanning from a port < 1024? i have tried with hping and nmap - doesn't work :(
3. only on the second line does it send the syn flag - to start the connection.
so the purpose of sending synfin is to see whether the port is alive or not - is it?
thanks
-i'm just a beginner-
-skop
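
A small parser for the portscan.log lines quoted in the message above, added here as an example; it is not part of the original post or of Snort. It counts SYN+FIN probes (a flag combination no normal TCP handshake produces), notes when source and destination port match, and pairs them with ordinary SYNs to the same service; the field layout and the function names are assumptions drawn from the four lines shown.

```python
import re
from collections import defaultdict

# Constructed sample: the four lines from the post, addresses redacted as they are there.
SAMPLE = """\
May 30 04:38:52 a.b.c.d:21 -> w.x.y.z:21 SYNFIN ******SF
May 30 04:38:53 a.b.c.d:19689 -> w.x.y.z:21 SYN ******S*
May 30 04:38:52 a.b.c.d:21 -> w.x.y.z:21 SYNFIN ******SF
May 30 04:38:52 a.b.c.d:19687 -> w.x.y.z:21 SYN ******S*
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\S+):(?P<dport>\d+)\s+"
    r"(?P<name>\S+)\s+(?P<flags>\S{8})$"
)

def parse(text):
    """Yield one dict per well-formed line; skip anything else."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            rec = m.groupdict()
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            # Assumption: the last two flag columns are SYN and FIN, as in the lines above.
            rec["syn"] = rec["flags"][-2] == "S"
            rec["fin"] = rec["flags"][-1] == "F"
            yield rec

def summarize(text):
    """Per (src, dst, dport): count SYN+FIN probes, mirrored-port probes, plain SYNs."""
    out = defaultdict(lambda: {"synfin": 0, "mirrored_port": 0, "syn": 0})
    for r in parse(text):
        s = out[(r["src"], r["dst"], r["dport"])]
        if r["syn"] and r["fin"]:
            s["synfin"] += 1
            s["mirrored_port"] += r["sport"] == r["dport"]
        elif r["syn"]:
            s["syn"] += 1
    return dict(out)

def suspicious(text):
    """Keys where a SYN+FIN probe and an ordinary SYN hit the same service."""
    return [k for k, s in summarize(text).items() if s["synfin"] and s["syn"]]

if __name__ == "__main__":
    for key, stats in summarize(SAMPLE).items():
        print(key, stats)
```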