[Snort-users] SYNFIN Scan?

Paul Cardon paul at ...26...
Tue Jul 18 10:59:13 EDT 2000


"Mark E. Drummond" wrote:
> 
> What the heck is a SYNFIN scan? I am familiar with SYN scans, FIN scans,
> NULL, Xmas .... but SYNFIN? Is there any particular purpose to this type
> of scan? Is it just single packets with both SYN  & FIN flag set 

It is a single packet with both SYN & FIN flags set.

Some stacks (some Linux versions) will reply with SYN/FIN/ACK on a
listening port while others respond with RST/ACK and all stacks (anybody
have any exceptions?) reply with a RST/ACK on a closed port.  Some older
NIDS and firewalls didn't handle/log these packets properly but it isn't
very stealthy any more.

-paul




More information about the Snort-users mailing list