[Snort-users] SYNFIN Scan?

Ofir Arkin ofir at ...64...
Wed Jul 19 05:06:28 EDT 2000


Mark,

SYN+FIN scan means you receive a TCP packet with both SYN and FIN flags set.
This is an illegal packet (Both initiating and closing, if you wish to put
it like that...).

The result back from a probed machine can vary between one operating system
to another.

For example: SYN + FIN sent to an open or closed LINUX (Kernel 2.2.x) would
elicit a RESET+ACK back.
SYN + FIN sent to an open or closed Windows NT Workstation 4 SP 6a would
elicit SYN+ACK back.

Those replies would reveal the existence of those machines allowing a
malicious computer attacker to map your network.


Ofir Arkin
Senior Security Analyst
ITCON

www.sys-security.com

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Mark E.
Drummond
Sent: Tuesday, July 18, 2000 3:20 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] SYNFIN Scan?


What the heck is a SYNFIN scan? I am familiar with SYN scans, FIN scans,
NULL, Xmas .... but SYNFIN? Is there any particular purpose to this type
of scan? Is it just single packets with both SYN & FIN flags set or is
it sending a SYN packet followed by a FIN? I recently had someone using
SYNFINs against my net (or at least snort reported SYNFINs) while
looking for vulnerable wuftpd's.

--
Mark Drummond|ICQ#19153754|mailto:mark.drummond at ...23...
UNIX System Administrator|Royal Military College of Canada
The Kingston Linux Users Group|http://signals.rmc.ca/klug/
Saving the World ... One CPU at a Time

Please excuse me if I am terse. I answer dozens of emails every day.


_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
http://lists.sourceforge.net/mailman/listinfo/snort-users
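As an added illustration of the point Ofir makes above (single packets with SYN and FIN set together, and hosts that answer them instead of dropping them), here is a small Python checker, written for this page and not code from Snort or from either poster. It parses the flag byte of a raw TCP header and raises a Snort-style alert for each SYN+FIN probe; `build_tcp`, `tcp_flags`, `is_synfin`, `scan_segments` and `reply_kind` are names chosen here, and all packets are constructed in the block itself.

```python
import struct

# TCP flag bits in the low byte of header bytes 12-13 (RFC 793 layout).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = [("FIN", FIN), ("SYN", SYN), ("RST", RST),
              ("PSH", PSH), ("ACK", ACK), ("URG", URG)]


def build_tcp(sport, dport, flags, seq=0, ack=0):
    """Constructed 20-byte TCP header (no IP header, zero checksum), test input only."""
    offset_flags = (5 << 12) | flags  # data offset = 5 words, reserved bits zero
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, 8192, 0, 0)


def tcp_flags(segment):
    """Return the set of flag names set in a raw TCP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    offset_flags = struct.unpack("!H", segment[12:14])[0]
    bits = offset_flags & 0x3F
    return {name for name, bit in FLAG_NAMES if bits & bit}


def is_synfin(segment):
    """SYN and FIN together never occur in a legitimate TCP exchange."""
    return {"SYN", "FIN"} <= tcp_flags(segment)


def scan_segments(segments):
    """Snort-style pass over captured segments: one alert per SYN+FIN probe."""
    alerts = []
    for seg in segments:
        if is_synfin(seg):
            sport, dport = struct.unpack("!HH", seg[:4])
            alerts.append(f"SYN FIN scan: sport={sport} dport={dport}")
    return alerts


def reply_kind(reply):
    """Describe what a probed host sent back (the post: Linux 2.2.x answers
    RST+ACK, NT4 SP6a answers SYN+ACK; any answer at all shows the host is up)."""
    flags = tcp_flags(reply)
    if {"RST", "ACK"} <= flags:
        return "RST+ACK"
    if {"SYN", "ACK"} <= flags:
        return "SYN+ACK"
    return "+".join(sorted(flags)) or "none"


if __name__ == "__main__":
    capture = [build_tcp(1025, 21, SYN), build_tcp(1026, 21, SYN | FIN)]
    print(scan_segments(capture))                    # one alert, from sport 1026
    print(reply_kind(build_tcp(21, 1026, RST | ACK)))  # RST+ACK
```

A host that silently drops the probe produces no reply to classify, which is the behaviour you want from a filtered border; the alert itself is the useful signal on the Snort side.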