[Snort-users] SYN FIN ? (long)

'Preben Randhol' randhol at ...344...
Fri Aug 18 10:29:09 EDT 2000


"Mullen, Patrick" <Patrick.Mullen at ...24...> wrote on 18/08/2000 (16:16) :
> > I got this message from snort: 
> > 
> > snort: SYN FIN Scan: 212.208.0.220:21 -> W.X.Y.Z:21
> 
> Hm.  Looks like you're using the old ruleset that
> does TCP stealth scan packet detection from the
> ruleset instead of the preprocessor.  Sure, I'm 
> biased, but you should use the preprocessor.  It
> sends fewer messages to the alerts file as well as
> detecting stealth scans that haven't even been invented
> yet through a failsafe algorithm. 

Oh. I haven't changed the setup yet. I use the snort that comes with
Debian 2.2 (version 1.5.1). I'll look into it.

That probably also explains why the kernel keeps saying:

kernel: snort uses obsolete (PF_INET,SOCK_PACKET)

> > Does this mean that somebody is trying to access my computers
> > illegally?
> 
> Not exactly, and not necessarily.  The first guess is
> that someone sent out a probe to see if you were
> listening on your FTP server, possibly to later take
> this information to connect to your FTP server (if
> you have one) to see what you have.  The intent of

I have proftpd, but I only run it when I need to ftp some large file
from my computer to another local computer (with a Zip drive). I shut it
down afterwards so it is not left on. 

I have put the IP in the host.deny for now. As I did when I got this
message earlier:

snort: WinGate 1080 Attempt: 193.189.191.39:42383 -> W.X.Y.Z:1080

> Of course, it could also just be that a packet became
> malformed as it went through a flakey router or a
> bit was toggled as it was transmitted through a slow,
> noisy modem line.  It is due to these error conditions
> that a threshold for TCP "stealth" packets is being
> added.

I see, thanks.

Now it is time to read the Firewall howto :-)

-- 
Preben Randhol - Ph. D student - http://www.pvv.org/~randhol/
"Violence is the last refuge of the incompetent", Isaac Asimov
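An added illustration, not code from Snort or from either poster, of the two points made in the thread: SYN and FIN set together never occur in a legitimate TCP exchange, and a per-source threshold keeps one packet mangled by a flaky router or noisy modem line from raising an alert on its own. The header builder, the detector class, the threshold value and the addresses are constructed for this example.

```python
import struct
from collections import defaultdict

# TCP flag bits as they appear in byte 13 of the TCP header
FIN, SYN = 0x01, 0x02

def build_tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Constructed sample: minimal 20-byte TCP header, no options, zero checksum."""
    offset_flags = (5 << 12) | flags  # data offset 5 words, reserved bits zero
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, offset_flags, 8192, 0, 0)

def tcp_flags(tcp_header: bytes) -> int:
    """Return the flag byte (CWR ECE URG ACK PSH RST SYN FIN) of a raw TCP header."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    return tcp_header[13]

def is_syn_fin(flags: int) -> bool:
    """SYN and FIN set together is not produced by any valid TCP state transition."""
    return flags & (SYN | FIN) == (SYN | FIN)

class SynFinDetector:
    """Count SYN+FIN packets per source and alert once a threshold is reached,
    so a single corrupted packet does not trigger an alert by itself."""

    def __init__(self, threshold: int = 3):
        self.threshold = threshold        # assumed value, not Snort's default
        self.counts = defaultdict(int)

    def feed(self, src: str, dst: str, tcp_header: bytes):
        """Return an alert line when src crosses the threshold, otherwise None."""
        if not is_syn_fin(tcp_flags(tcp_header)):
            return None
        self.counts[src] += 1
        if self.counts[src] == self.threshold:
            return f"SYN FIN Scan: {src} -> {dst} ({self.counts[src]} packets)"
        return None

def run_demo():
    """Feed one corrupted-looking packet from host A and three from host B."""
    det = SynFinDetector(threshold=3)
    syn_fin = build_tcp_header(21, 21, SYN | FIN)
    alerts = [det.feed("198.51.100.7", "203.0.113.5", syn_fin)]   # single packet: no alert
    alerts += [det.feed("198.51.100.9", "203.0.113.5", syn_fin) for _ in range(3)]
    return [a for a in alerts if a is not None]

if __name__ == "__main__":
    print("\n".join(run_demo()))
```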