I've seen the src port 21 -> dst port 21 with SYN/FIN bits set come from
pscan, a little scanner that's wrapped up with some recent worm packages.
I'm sure there are other ways to generate this, but if FTP is open on your
box it may be a host that's been hit by the lion worm or similar trying to
propogate.

Just a thought.

Aaron

On Wed, 6 Jun 2001, skop d'skop wrote:

;hi all,
;wonder what this pattern is all about - taken from snort_portscan.log
;
;May 30 04:38:52 a.b.c.d:21 -> w.x.y.z:21 SYNFIN ******SF
;May 30 04:38:53 a.b.c.d:19689 -> w.x.y.z:21 SYN ******S*
;
;May 30 04:38:52 a.b.c.d:21 -> w.x.y.z:21 SYNFIN ******SF
;May 30 04:38:52 a.b.c.d:19687 -> w.x.y.z:21 SYN ******S*
;

_______________________________________________
Snort-users mailing list
Snort-userslists.sourceforge.net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]