[Snort-users] SYNFIN Scan?
Patrick.Mullen at ...24...
Tue Jul 18 10:41:55 EDT 2000
> What the heck is a SYNFIN scan?

SYNFIN scans got their name because there are both the
SYN and FIN flags set. They are effective for "stealth"
(sheah, right! ;) TCP scans.

All portscan activity is caused by a single packet
(well, TCP SYN and UDP scans are caused by a collection
of single packets) because SPP does not do traffic analysis.
There isn't a need to watch a lot of traffic, though an
idea that was presented to me that was very interesting
was to watch for reset packets and flag on a lower
threshold for failed connection attempts. But that's
another story, and well down the road.
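
An added example, not part of the original post and not Snort's code: the single-packet SYN+FIN check described above, next to the reset-counting idea the post mentions. The helper names, the sample addresses and the threshold of 3 are assumptions made for illustration.

```python
import struct
from collections import Counter

# TCP flag bits (byte 13 of the TCP header)
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

def build_tcp(sport, dport, flags):
    """Constructed 20-byte TCP header (no options); sample input only."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)

def tcp_flags(header):
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return header[13]

def is_synfin(header):
    """Stateless check: one packet with both SYN and FIN set is enough."""
    return tcp_flags(header) & (SYN | FIN) == (SYN | FIN)

def analyze(packets, rst_threshold=3):
    """packets: iterable of (src_ip, dst_ip, raw_tcp_header).

    Returns (sources that sent SYN+FIN, hosts that received at least
    rst_threshold resets). The threshold is an assumed value.
    """
    synfin_sources = set()
    rst_received = Counter()
    for src, dst, header in packets:
        if is_synfin(header):
            synfin_sources.add(src)
        if tcp_flags(header) & RST:
            # A reset answers a failed attempt, so count it against the
            # host it is sent to, i.e. the one that made the attempt.
            rst_received[dst] += 1
    noisy = {ip for ip, n in rst_received.items() if n >= rst_threshold}
    return synfin_sources, noisy

# Constructed sample traffic (documentation address ranges).
SERVER = "198.51.100.5"
SAMPLE = [("192.0.2.10", SERVER, build_tcp(40000, 22, SYN | FIN))]
for port in (1, 2, 3):  # three attempts on closed ports, each answered by RST
    SAMPLE.append(("192.0.2.20", SERVER, build_tcp(41000, port, SYN)))
    SAMPLE.append((SERVER, "192.0.2.20", build_tcp(port, 41000, RST | ACK)))
SAMPLE.append(("192.0.2.30", SERVER, build_tcp(42000, 80, SYN)))  # normal open
SAMPLE.append((SERVER, "192.0.2.30", build_tcp(80, 42000, SYN | ACK)))

if __name__ == "__main__":
    print(analyze(SAMPLE))
```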