[Snort-users] SYN FIN ? (long)
randhol at ...344...
Fri Aug 18 10:29:09 EDT 2000
"Mullen, Patrick" <Patrick.Mullen at ...24...> wrote on 18/08/2000 (16:16):
> > I got this message from snort:
> > snort: SYN FIN Scan: 18.104.22.168:21 -> W.X.Y.Z:21
> Hm. Looks like you're using the old ruleset that
> does TCP stealth scan packet detection from the
> ruleset instead of the preprocessor. Sure, I'm
> biased, but you should use the preprocessor. It
> sends fewer messages to the alerts file as well as
> detects stealth scans that haven't even been invented
> yet through a failsafe algorithm.
Oh. I haven't changed the setup yet. I use the snort that comes with
Debian 2.2 (version 1.5.1). I'll look into it.
That probably also explains why the kernel keeps saying:
kernel: snort uses obsolete (PF_INET,SOCK_PACKET)
> > Does this mean that somebody is trying to access my computers
> > illegally?
> Not exactly, and not necessarily. The first guess is
> that someone sent out a probe to see if you were
> listening on your FTP server, possibly to later take
> this information to connect to your FTP server (if
> you have one) to see what you have. The intent of
I have proftpd, but I only run it when I need to ftp some large file
from my computer to another local computer (with a Zip drive). I shut it
down afterwards so it is not left on.
I have put the IP in the host.deny for now, as I did when I got this:
snort: WinGate 1080 Attempt: 22.214.171.124:42383 -> W.X.Y.Z:1080
> Of course, it could also just be that a packet became
> malformed as it went through a flakey router or a
> bit was toggled as it was transmitted through a slow,
> noisy modem line. It is due to these error conditions
> that a threshold for TCP "stealth" packets is being
I see, thanks.
Now it is time to read the Firewall howto :-)
Preben Randhol - Ph. D student - http://www.pvv.org/~randhol/
"Violence is the last refuge of the incompetent", Isaac Asimov
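As an added example (not from the thread and not Snort's own code), the check the thread is discussing: a TCP header with both SYN and FIN set is never produced by a normal handshake, and a per-source threshold keeps a single corrupted packet from raising an alert. The header builder, the sample packets and the threshold value are constructed here for illustration.

```python
import struct
from collections import Counter

# TCP flag bits as laid out in byte 13 of the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def tcp_flags(tcp_header: bytes) -> int:
    """Return the flag byte of a raw TCP header (minimum 20 bytes)."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    return tcp_header[13]


def is_syn_fin(tcp_header: bytes) -> bool:
    """SYN and FIN together is invalid; a legitimate stack never sends it."""
    flags = tcp_flags(tcp_header)
    return bool(flags & SYN) and bool(flags & FIN)


def make_tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Constructed sample header: ports, seq 0, ack 0, data offset 5,
    the given flags, window 8192, checksum 0, urgent pointer 0."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def stealth_sources(packets, threshold: int) -> dict:
    """packets: iterable of (src_ip, raw_tcp_header).

    Returns {src_ip: count} for sources whose SYN/FIN packet count reaches
    the threshold. The threshold absorbs the odd packet mangled by a flaky
    router or noisy line, which the thread gives as the reason for having one.
    """
    counts = Counter(src for src, hdr in packets if is_syn_fin(hdr))
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    # Constructed traffic: one source sends three SYN/FIN probes to port 21,
    # another sends a single one (treated as noise by a threshold of 2).
    sample = [("192.0.2.10", make_tcp_header(21, 21, SYN | FIN))] * 3
    sample.append(("192.0.2.20", make_tcp_header(21, 21, SYN | FIN)))
    sample.append(("192.0.2.30", make_tcp_header(40000, 21, SYN)))  # normal connect
    print(stealth_sources(sample, threshold=2))
```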