[Snort-users] SYN FIN ? (long)

Mullen, Patrick Patrick.Mullen at ...24...
Fri Aug 18 10:17:03 EDT 2000


> Sorry for my ignorance, I have just started using snort.

Don't worry.  I'm ignorant, and I wrote the portscan
preprocessor.  :)

> I got this message from snort: 
> 
> snort: SYN FIN Scan: 212.208.0.220:21 -> W.X.Y.Z:21

Hm.  Looks like you're using the old ruleset that
does TCP stealth scan packet detection from the
ruleset instead of the preprocessor.  Sure, I'm
biased, but you should use the preprocessor.  It
sends fewer messages to the alerts file as well as
detecting stealth scans that haven't even been invented
yet through a failsafe algorithm.

> Does this mean that somebody is trying to access my computers
> illegally?

Not exactly, and not necessarily.  The first guess is
that someone sent out a probe to see if you were
listening on your FTP server, possibly to later take
this information to connect to your FTP server (if
you have one) to see what you have.  The intent of
this action could be as benign as to see what you
have available through anonymous FTP, as not so
benign as to find out if you allow anonymous writes
(and subsequent reads) so you can be used as a
warez site, or as malignant as to find out if you
can be used for "FTP bounce scans" or even try to
gain access to your machine.

Of course, it could also just be that a packet became
malformed as it went through a flaky router or a
bit was toggled as it was transmitted through a slow,
noisy modem line.  It is due to these error conditions
that a threshold for TCP "stealth" packets is being
added.


~Patrick
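The detection idea in the reply above (flag the SYN+FIN combination, but only alert once a source exceeds a threshold so a single corrupted packet is ignored), as an added illustration that is not Patrick's code or Snort's preprocessor; the traffic, threshold and window values are constructed, and it also labels the NULL and XMAS combinations, which the post does not mention:

```python
from collections import defaultdict, deque
from typing import Optional

# TCP flag bits as laid out in the TCP header (RST omitted, not needed here).
FIN, SYN, PSH, ACK, URG = 0x01, 0x02, 0x08, 0x10, 0x20

def classify_flags(flags: int) -> Optional[str]:
    """Label flag combinations no normal TCP stack emits; None if ordinary."""
    if flags & SYN and flags & FIN:
        return "SYN FIN"        # the combination from the alert above
    if flags == 0:
        return "NULL"           # no flags set at all
    if flags & (FIN | PSH | URG) == FIN | PSH | URG and not flags & (SYN | ACK):
        return "XMAS"
    return None

class StealthScanTracker:
    """Per-source counter: alert only when `threshold` anomalous packets
    arrive within `window` seconds, so one mangled packet is ignored."""

    def __init__(self, threshold: int = 3, window: float = 60.0):
        self.threshold, self.window = threshold, window
        self._seen = defaultdict(deque)  # src -> timestamps of anomalous packets

    def observe(self, src, dst, dport, flags, ts) -> Optional[str]:
        label = classify_flags(flags)
        if label is None:
            return None
        q = self._seen[src]
        q.append(ts)
        while ts - q[0] > self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.threshold:
            return f"{label} Scan: {src} -> {dst}:{dport} ({len(q)} in {self.window:.0f}s)"
        return None

# Constructed sample traffic (not a real capture): one stray SYN FIN from
# 10.0.0.5 stays under the threshold; 10.0.0.9 sends a burst and is reported.
SAMPLE = [
    ("10.0.0.5", "192.0.2.10", 21, SYN | FIN, 0.0),
    ("10.0.0.5", "192.0.2.10", 21, SYN, 1.0),
    ("10.0.0.9", "192.0.2.10", 21, SYN | FIN, 5.0),
    ("10.0.0.9", "192.0.2.10", 22, SYN | FIN, 5.5),
    ("10.0.0.9", "192.0.2.10", 23, SYN | FIN, 6.0),
]

def run(packets, threshold=3, window=60.0):
    """Return the alerts raised over a sequence of (src, dst, dport, flags, ts)."""
    tracker = StealthScanTracker(threshold, window)
    return [a for a in (tracker.observe(*p) for p in packets) if a]
```

Calling `run(SAMPLE)` yields a single alert for 10.0.0.9; lowering the threshold to 1 reproduces the per-packet behaviour of the old ruleset, including the alert for the lone packet from 10.0.0.5.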
