[Snort-users] /var/log/snort/portscan meaning?

Ralf Hildebrandt Ralf.Hildebrandt at ...22...
Fri Jul 21 03:11:52 EDT 2000


On Thu, Jul 20, 2000 at 02:03:06 -0400, Mark E. Drummond wrote:
> Can someone decipher some of these? I am not entirely sure what the last
> component of each line indicates. I thought it was TCP flags (SYN, FIN
> etc) but if that is true then what order are they in? Certainly not the
> same order as declared in RFC793 which would be UAPRSF.

These are the flags.
 
> Jul 18 14:20:48 x.x.x.x:1102 -> x.x.x.x:143 NOACK ***FR*** 
> Jul 18 14:30:45 x.x.x.x:1109 -> x.x.x.x:25 VECNA *******U 
> Jul 19 13:39:08 x.x.x.x:1154 -> x.x.x.x:143 NOACK 21*FR**U RESERVEDBITS
                                                    ^^
                                                    reserved bits

> Jul 19 14:54:07 x.x.x.x:1173 -> x.x.x.x:25 NOACK **SF*P** 
> Jul 20 09:34:13 x.x.x.x:1211 -> x.x.x.x:25 NOACK **SFRP** 
> Jul 20 09:34:32 x.x.x.x:1211 -> x.x.x.x:25 NOACK **SFRP** 
> 
> The source is apparently an NT4 box (according to nmap -O).

syn fin rst psh ack urg

-- 
Ralf.Hildebrandt at ...22...
Dipl.-Informatiker                                        innominate AG
System Engineer                                       networking people
tel: +49.30.308806-62 fax: -77  web: http://innominate.de  pgp: /pgp/rh
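A small parser for this log format, added here as an example that is not from the thread or from Snort itself: it applies the flag-field layout given in the reply (two leading reserved-bit positions, shown as "2" and "1" when set, followed by SYN FIN RST PSH ACK URG, with "*" for a clear bit) and re-renders the decoded set in the RFC 793 order UAPRSF that the question expected. The sample lines and their addresses are constructed, not taken from a real log.

```python
import re
# Flag field layout, as the reply explains: positions 0-1 are the two reserved bits
# (printed "2" and "1" when set), positions 2-7 are SYN FIN RST PSH ACK URG; "*" = clear.
FLAG_NAMES = ("SYN", "FIN", "RST", "PSH", "ACK", "URG")
RFC793_ORDER = ("URG", "ACK", "PSH", "RST", "SYN", "FIN")  # UAPRSF, for comparison

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+) "
    r"(?P<scan>\S+) (?P<flagstr>[*A-Z0-9]{8})(?: (?P<note>\S+))?\s*$"
)

def decode_flag_field(field):
    """'21*FR**U' -> (frozenset({'FIN', 'RST', 'URG'}), 3)."""
    if len(field) != 8:
        raise ValueError(f"flag field must be 8 chars: {field!r}")
    reserved = (2 if field[0] == "2" else 0) | (1 if field[1] == "1" else 0)
    flags = set()
    for name, ch in zip(FLAG_NAMES, field[2:]):
        if ch == name[0]:
            flags.add(name)
        elif ch != "*":
            raise ValueError(f"unexpected {ch!r} in flag field {field!r}")
    return frozenset(flags), reserved

def parse_portscan_line(line):
    """Parse one /var/log/snort/portscan line; scan_type is e.g. NOACK or VECNA."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a portscan log line: {line!r}")
    flags, reserved = decode_flag_field(m["flagstr"])
    return {"timestamp": m["ts"], "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "scan_type": m["scan"],
            "flags": flags, "reserved_bits": reserved, "note": m["note"] or ""}

def rfc793_string(flags):
    """Render the same flag set in RFC 793 order (UAPRSF); '-' marks a clear bit."""
    return "".join(n[0] if n in flags else "-" for n in RFC793_ORDER)

# Constructed sample lines in the layout of the quoted excerpt (documentation
# addresses, not real hosts).
SAMPLE_LINES = [
    "Jul 18 14:20:48 192.0.2.10:1102 -> 198.51.100.5:143 NOACK ***FR*** ",
    "Jul 18 14:30:45 192.0.2.10:1109 -> 198.51.100.5:25 VECNA *******U ",
    "Jul 19 13:39:08 192.0.2.10:1154 -> 198.51.100.5:143 NOACK 21*FR**U RESERVEDBITS",
]

if __name__ == "__main__":
    for e in map(parse_portscan_line, SAMPLE_LINES):
        print(e["scan_type"], sorted(e["flags"]), e["reserved_bits"], rfc793_string(e["flags"]))
```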