[Snort-users] SYNFIN Scan?

Mullen, Patrick Patrick.Mullen at ...24...
Tue Jul 18 10:41:55 EDT 2000


> What the heck is a SYNFIN scan?

SYNFIN scans got their name because there are both the
SYN and FIN flags set.  They are effective for "stealth"
(sheah, right! ;) TCP scans.  

All portscan activity is caused by a single packet
(well, TCP SYN and UDP scans are caused by a collection
of single packets) because SPP does not do traffic analysis.
There isn't a need to watch a lot of traffic, though an
idea that was presented to me that was very interesting
was to watch for reset packets and flag on a lower
threshold for failed connection attempts.  But that's
another story, and well down the road.  


~Patrick
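An added example, not part of the original message and not Snort's own code: the single-packet SYN+FIN check described above, plus a sketch of the reset-counting idea mentioned at the end. The function names, the threshold of 3, and the sample packets (documentation-range addresses) are assumptions made for illustration.

```python
import struct
from collections import Counter

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
RST_THRESHOLD = 3  # assumed value, chosen only for this example

def tcp_flags(segment: bytes) -> int:
    """Return the six classic flag bits from a raw TCP header (byte 13)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13] & 0x3F

def is_synfin(segment: bytes) -> bool:
    """Stateless check on one packet: SYN and FIN are both set."""
    return tcp_flags(segment) & (SYN | FIN) == (SYN | FIN)

def rst_suspects(packets, threshold=RST_THRESHOLD):
    """packets: iterable of (src_ip, dst_ip, raw_tcp_header).
    A reset travels from the probed host back to the prober, so RSTs are
    counted per destination address and compared with the threshold."""
    resets = Counter(dst for _src, dst, seg in packets if tcp_flags(seg) & RST)
    return sorted(ip for ip, count in resets.items() if count >= threshold)

def make_tcp(sport: int, dport: int, flags: int) -> bytes:
    """Build a constructed 20-byte TCP header (no options, zero checksum)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)

# Constructed sample traffic: one SYN+FIN probe, three failed connection
# attempts answered with RST, and one normal handshake start.
SAMPLE = [
    ("198.51.100.7", "192.0.2.10", make_tcp(40000, 22, SYN | FIN)),
    ("198.51.100.7", "192.0.2.10", make_tcp(40001, 23, SYN)),
    ("192.0.2.10", "198.51.100.7", make_tcp(23, 40001, RST | ACK)),
    ("192.0.2.10", "198.51.100.7", make_tcp(25, 40002, RST | ACK)),
    ("192.0.2.10", "198.51.100.7", make_tcp(80, 40003, RST | ACK)),
    ("192.0.2.20", "192.0.2.10", make_tcp(50000, 443, SYN)),
    ("192.0.2.10", "192.0.2.20", make_tcp(443, 50000, SYN | ACK)),
]

if __name__ == "__main__":
    print("SYN+FIN from:", [src for src, _dst, seg in SAMPLE if is_synfin(seg)])
    print("RST threshold reached for:", rst_suspects(SAMPLE))
```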



