[Snort-users] synscan

Jan Muenther jan at ...206...
Thu Nov 30 07:01:24 EST 2000


Hello fellow snorters,

quite a few of us have noticed a couple of scans recently which
looked like these:

[**] SCAN-SYN FIN [**]
11/30-10:33:11.836106 10.200.1.100:35 -> 10.1.1.38:35
TCP TTL:42 TOS:0x0 ID:39426 
**SF**** Seq: 0x66BE9571   Ack: 0x385E824F   Win: 0x404

There has been a bit of fuss about what tool causes this,
including calling it "mystery scan tool No. 11"... I have
positively verified someone else's statement that these
signatures are caused by psychoid's synscan... 
If anybody's interested, a rule like this one will match the
scans, so you can identify the tool:

alert tcp !$HOME_NET any -> $HOME_NET any (msg:"synscan portscan"; flags:SF; id:39426;)

Another clear trace of a synscan packet is the static window size
of 404 hex... But I found no way of specifying that in a snort
rule ;o))
The number of these scans appears to be increasing rapidly...
and there are clear signs of HEAVY skript kiddie usage, despite
psychoid stating synscan is "private, do not publish"...

If you know all this - or aren't interested - just ignore me and
get back to your coffee and xgalaga ;o))

Bye, Jan
-- 
Radio HUNDERT,6 Medien GmbH Berlin
- EDV -
j.muenther at ...206...
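The post names three synscan fingerprints visible in the alert above: SYN and FIN set together, the constant IP ID 39426, and the constant window 0x404. The following Python script is an added example, not code from the original post or from Snort itself: it parses records in Snort's default alert format and applies all three checks, including the window-size check the post could not express as a rule, against the alert text instead. The first sample record is the one from the post; the two non-matching records (a SYN/FIN packet with a different ID and window, and a plain SYN with the right ID and window but the wrong flags) are constructed for this example. The flag column is parsed as a set of letters rather than by position, so the check does not depend on the column order a given Snort version prints.

```python
import re

# Constructed sample input: three alert records in Snort's default alert format.
# Record 1 is the packet from the post; records 2 and 3 are invented negatives.
SAMPLE_ALERTS = """\
[**] SCAN-SYN FIN [**]
11/30-10:33:11.836106 10.200.1.100:35 -> 10.1.1.38:35
TCP TTL:42 TOS:0x0 ID:39426
**SF**** Seq: 0x66BE9571   Ack: 0x385E824F   Win: 0x404

[**] SCAN-SYN FIN [**]
11/30-10:35:02.114512 192.0.2.7:1234 -> 10.1.1.38:21
TCP TTL:64 TOS:0x0 ID:4711
**SF**** Seq: 0x00001234   Ack: 0x00000000   Win: 0x2000

[**] SCAN-SYN [**]
11/30-10:36:40.000001 192.0.2.8:2048 -> 10.1.1.38:80
TCP TTL:128 TOS:0x0 ID:39426
**S***** Seq: 0x12345678   Ack: 0x00000000   Win: 0x404
"""

# The two constants the post identifies as static in synscan packets.
SYNSCAN_IP_ID = 39426
SYNSCAN_WINDOW = 0x404

# One regex per line of a four-line alert record.
HEADER_RE = re.compile(r"^\[\*\*\] (?P<msg>.+?) \[\*\*\]$")
ADDR_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
IP_RE = re.compile(r"^(?P<proto>\w+) TTL:(?P<ttl>\d+) TOS:0x[0-9A-Fa-f]+ ID:(?P<id>\d+)")
TCP_RE = re.compile(
    r"^(?P<flags>[A-Z12*]{8}) Seq: 0x(?P<seq>[0-9A-Fa-f]+)\s+"
    r"Ack: 0x(?P<ack>[0-9A-Fa-f]+)\s+Win: 0x(?P<win>[0-9A-Fa-f]+)")


def parse_alerts(text):
    """Parse blank-line-separated Snort alert records into dicts.

    Records that do not have all four expected lines are skipped rather than
    raising, so a log with truncated or non-TCP entries still parses.
    """
    alerts = []
    for record in re.split(r"\n\s*\n", text.strip()):
        lines = [line.rstrip() for line in record.strip().splitlines()]
        if len(lines) < 4:
            continue
        matches = (HEADER_RE.match(lines[0]), ADDR_RE.match(lines[1]),
                   IP_RE.match(lines[2]), TCP_RE.match(lines[3]))
        if not all(matches):
            continue
        hdr, addr, ip, tcp = matches
        alerts.append({
            "msg": hdr["msg"],
            "ts": addr["ts"],
            "src": addr["src"], "sport": int(addr["sport"]),
            "dst": addr["dst"], "dport": int(addr["dport"]),
            "ttl": int(ip["ttl"]),
            "ip_id": int(ip["id"]),
            # Set of flag letters present; '*' marks a clear bit.
            "flags": frozenset(c for c in tcp["flags"] if c != "*"),
            "win": int(tcp["win"], 16),
        })
    return alerts


def is_synscan(alert):
    """True when all three fingerprints from the post are present at once."""
    return (alert["flags"] == frozenset("SF")
            and alert["ip_id"] == SYNSCAN_IP_ID
            and alert["win"] == SYNSCAN_WINDOW)


def find_synscan(text):
    """Return only the parsed alerts that carry the synscan fingerprint."""
    return [a for a in parse_alerts(text) if is_synscan(a)]


if __name__ == "__main__":
    for hit in find_synscan(SAMPLE_ALERTS):
        print(f"{hit['ts']} synscan from {hit['src']}:{hit['sport']} "
              f"-> {hit['dst']}:{hit['dport']} (ttl {hit['ttl']})")
```

Requiring all three traits together is deliberate: SYN/FIN alone is also produced by other scanners, and a single IP ID or window value could be hit by chance, so matching on the combination keeps false positives down when the script is run over a busy alert file.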
