[Snort-users] synscan

Brent Erickson erickson at ...239...
Thu Nov 30 11:05:27 EST 2000


I am also seeing many of the same scans, especially using FTP port 21 as
both source and destination.

Thanks for the signature Jan, I will include it with my sigs today.

Brent Erickson

----- Original Message -----
From: "Jan Muenther" <jan at ...206...>
To: <snort-users at lists.sourceforge.net>
Sent: Thursday, November 30, 2000 4:01 AM
Subject: [Snort-users] synscan


> Hello fellow snorters,
>
> quite a few of us have noticed a couple of scans recently which
> looked like these:
>
> [**] SCAN-SYN FIN [**]
> 11/30-10:33:11.836106 10.200.1.100:35 -> 10.1.1.38:35
> TCP TTL:42 TOS:0x0 ID:39426
> **SF**** Seq: 0x66BE9571   Ack: 0x385E824F   Win: 0x404
>
> There has been a bit of fuss about what tool causes this,
> including calling it "mystery scan tool No. 11"... I have
> positively verified someone else's statement that these
> signatures are caused by psychoid's synscan...
> If anybody's interested, a rule like this one will match the
> scans, so you can identify the tool:
>
> alert tcp !$HOME_NET any -> $HOME_NET any (msg:"synscan portscan"; flags:SF; id:39426;)
>
> Another clear trace of a synscan packet is the static window size
> of 404 hex... But I found no way of specifying that in a snort
> rule ;o))
> The number of these scans appears to be increasing rapidly...
> and there are clear signs of HEAVY skript kiddie usage, despite
> psychoid stating synscan is "private, do not publish"...
>
> If you know all this - or aren't interested - just ignore me and
> get back to your coffee and xgalaga ;o))
>
> Bye, Jan
> --
> Radio HUNDERT,6 Medien GmbH Berlin
> - EDV -
> j.muenther at ...206...
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users
>
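The thread's rule keys on the SYN+FIN flag combination and the fixed IP ID, and Jan notes the static window of 0x404 as a second trace he could not express in a rule at the time. The following is an added example, not code from the thread or from the Snort project: a small Python post-processor that parses the multi-line Snort alert format quoted above and flags records carrying all three synscan traits (flags exactly SYN+FIN, IP ID 39426, window 0x404), then tallies hits per source address. The sample alert text is constructed for the example; only the first record's field values come from the quoted message.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the multi-line alert format quoted in the thread.
# The first record mirrors the quoted one; the others are made up so that
# the filter has both a hit and a miss to work on.
SAMPLE_ALERTS = """\
[**] SCAN-SYN FIN [**]
11/30-10:33:11.836106 10.200.1.100:35 -> 10.1.1.38:35
TCP TTL:42 TOS:0x0 ID:39426
**SF**** Seq: 0x66BE9571   Ack: 0x385E824F   Win: 0x404

[**] SCAN-SYN FIN [**]
11/30-10:35:02.118200 10.200.1.100:21 -> 10.1.1.40:21
TCP TTL:42 TOS:0x0 ID:39426
**SF**** Seq: 0x1A2B3C4D   Ack: 0x00000000   Win: 0x404

[**] SCAN-SYN FIN [**]
11/30-10:40:00.000000 192.168.5.7:1234 -> 10.1.1.40:80
TCP TTL:64 TOS:0x0 ID:1025
**SF**** Seq: 0x11111111   Ack: 0x22222222   Win: 0x4000
"""

# Traits the thread attributes to psychoid's synscan.
SYNSCAN_IP_ID = 39426
SYNSCAN_WINDOW = 0x404
SYNSCAN_FLAGS = frozenset("SF")

# One regex per line of a record: "src:port -> dst:port", IP fields, TCP fields.
_HDR = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$")
_IP = re.compile(r"^TCP TTL:(\d+) TOS:(0x[0-9A-Fa-f]+) ID:(\d+)$")
_TCP = re.compile(r"^(\S{8}) Seq: (0x[0-9A-Fa-f]+)\s+Ack: (0x[0-9A-Fa-f]+)\s+Win: (0x[0-9A-Fa-f]+)$")


@dataclass
class Alert:
    msg: str
    timestamp: str
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int
    ip_id: int
    flags: frozenset  # letters set in the 8-character flag field, e.g. {"S", "F"}
    window: int


def parse_alerts(text):
    """Parse blank-line-separated 4-line alert records; skip malformed ones."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 4 or not lines[0].startswith("[**]"):
            continue
        hdr, ip, tcp = _HDR.match(lines[1]), _IP.match(lines[2]), _TCP.match(lines[3])
        if not (hdr and ip and tcp):
            continue
        alerts.append(Alert(
            msg=lines[0].strip("[*] ").strip(),
            timestamp=hdr.group(1),
            src=hdr.group(2), sport=int(hdr.group(3)),
            dst=hdr.group(4), dport=int(hdr.group(5)),
            ttl=int(ip.group(1)),
            ip_id=int(ip.group(3)),
            # The flag field prints one position per bit; '*' means not set.
            flags=frozenset(c for c in tcp.group(1) if c != "*"),
            window=int(tcp.group(4), 16),
        ))
    return alerts


def is_synscan(alert):
    """True only when all three synscan traits from the thread are present."""
    return (alert.flags == SYNSCAN_FLAGS
            and alert.ip_id == SYNSCAN_IP_ID
            and alert.window == SYNSCAN_WINDOW)


def synscan_sources(alerts):
    """Count synscan-fingerprinted alerts per source address."""
    return dict(Counter(a.src for a in alerts if is_synscan(a)))


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for a in parsed:
        tag = "synscan" if is_synscan(a) else "other SYN+FIN"
        print(f"{a.timestamp} {a.src}:{a.sport} -> {a.dst}:{a.dport} "
              f"id={a.ip_id} win=0x{a.window:x} [{tag}]")
    print(synscan_sources(parsed))
```

Requiring all three traits, rather than SYN+FIN alone, is what separates this tool's packets from other SYN+FIN probes in the same log; the third sample record is a deliberate near miss with a different IP ID and window. Later Snort releases gained a `window` rule option, so the window check can also be moved into the rule itself where that option is available.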