[Snort-users] /var/log/snort/portscan meaning?

Mark E. Drummond drummond-m at ...23...
Thu Jul 20 14:03:06 EDT 2000


Can someone decipher some of these? I am not entirely sure what the last
component of each line indicates. I thought it was TCP flags (SYN, FIN
etc) but if that is true then what order are they in? Certainly not the
same order as declared in RFC793 which would be UAPRSF.

Jul 18 14:20:48 x.x.x.x:1102 -> x.x.x.x:143 NOACK ***FR*** 
Jul 18 14:30:45 x.x.x.x:1109 -> x.x.x.x:25 VECNA *******U 
Jul 19 13:39:08 x.x.x.x:1154 -> x.x.x.x:143 NOACK 21*FR**U RESERVEDBITS
Jul 19 14:54:07 x.x.x.x:1173 -> x.x.x.x:25 NOACK **SF*P** 
Jul 20 09:34:13 x.x.x.x:1211 -> x.x.x.x:25 NOACK **SFRP** 
Jul 20 09:34:32 x.x.x.x:1211 -> x.x.x.x:25 NOACK **SFRP** 

The source is apparently an NT4 box (according to nmap -O).

-- 
Mark Drummond|ICQ#19153754|mailto:mark.drummond at ...23...
UNIX System Administrator|Royal Military College of Canada
The Kingston Linux Users Group|http://signals.rmc.ca/klug/
Saving the World ... One CPU at a Time

Please excuse me if I am terse. I answer dozens of emails every day.
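
Added example, not part of the original message and not Snort's own code: a small parser for the portscan lines quoted above that treats the last field as eight fixed slots and reprints the set flags in RFC 793 order. The slot order "21SFRPAU" is inferred from the sample lines; the ACK slot is an assumption because no quoted line has ACK set, and the function and field names are hypothetical.

```python
import re

# Slot order inferred from the quoted lines: '2' and '1' (reserved bits),
# then S, F, R, P, one unseen slot, U. The unseen slot is ASSUMED to be
# ACK: every quoted line is NOACK or VECNA, so it never appears set.
SLOTS = "21SFRPAU"
RFC793_ORDER = "UAPRSF"

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) "
    r"(?P<src>\S+) -> (?P<dst>\S+) "
    r"(?P<label>\S+) (?P<flags>[0-9A-Z*]{8})(?: (?P<extra>\S+))?\s*$"
)

def decode_flags(field):
    """Return the set of flag characters present in the 8-slot field."""
    if len(field) != len(SLOTS):
        raise ValueError(f"expected {len(SLOTS)} characters, got {len(field)}")
    present = set()
    for pos, (got, expected) in enumerate(zip(field, SLOTS)):
        if got == "*":          # '*' marks an unset slot
            continue
        if got != expected:     # a letter in the wrong slot breaks the model
            raise ValueError(f"slot {pos}: expected {expected!r} or '*', got {got!r}")
        present.add(got)
    return present

def parse_line(line):
    """Split one portscan log line and decode its flag field."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unrecognised line: {line!r}")
    rec = m.groupdict()
    flags = decode_flags(rec["flags"])
    rec["rfc793"] = "".join(f for f in RFC793_ORDER if f in flags)
    rec["reserved"] = sorted(flags & {"1", "2"})
    return rec

# Lines copied from the message above (addresses already masked there).
SAMPLE = [
    "Jul 18 14:30:45 x.x.x.x:1109 -> x.x.x.x:25 VECNA *******U ",
    "Jul 19 13:39:08 x.x.x.x:1154 -> x.x.x.x:143 NOACK 21*FR**U RESERVEDBITS",
    "Jul 20 09:34:13 x.x.x.x:1211 -> x.x.x.x:25 NOACK **SFRP** ",
]

if __name__ == "__main__":
    for raw in SAMPLE:
        r = parse_line(raw)
        print(r["label"], r["flags"], "->", r["rfc793"], r["reserved"], r["extra"])
```
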



