erickson at ...239...
Thu Nov 30 11:05:27 EST 2000
I am also seeing many of the same scans, especially using FTP port 21 as
both source and destination.
Thanks for the signature Jan, I will include it with my sigs today.
----- Original Message -----
From: "Jan Muenther" <jan at ...206...>
To: <snort-users at lists.sourceforge.net>
Sent: Thursday, November 30, 2000 4:01 AM
Subject: [Snort-users] synscan
> Hello fellow snorters,
> quite a few of us have noticed a couple of scans recently which
> looked like these:
> [**] SCAN-SYN FIN [**]
> 11/30-10:33:11.836106 10.200.1.100:35 -> 10.1.1.38:35
> TCP TTL:42 TOS:0x0 ID:39426
> **SF**** Seq: 0x66BE9571 Ack: 0x385E824F Win: 0x404
> There has been a bit of fuss about what tool causes this,
> including calling it "mystery scan tool No. 11"... I have
> positively verified someone else's statement that these
> signatures are caused by psychoid's synscan...
> If anybody's interested, a rule like this one will match the
> scans, so you can identify the tool:
> alert tcp !$HOME_NET any -> $HOME_NET any (msg:"synscan portscan"; flags: SF; id: 39426;)
> Another clear trace of a synscan packet is the static window size
> of 404 hex... But I found no way of specifying that in a snort
> rule ;o))
> The number of these scans appears to be increasing rapidly...
> and there are clear signs of HEAVY skript kiddie usage, despite
> psychoid stating synscan is "private, do not publish"...
> If you know all this - or aren't interested - just ignore me and
> get back to your coffee and xgalaga ;o))
> Bye, Jan
> Radio HUNDERT,6 Medien GmbH Berlin
> - EDV -
> j.muenther at ...206...
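As an added example (not from either post and not part of Snort), here is a small Python checker that parses Snort 1.x alert blocks like the one Jan quoted and reports which synscan traits each alert shows: SYN and FIN set together, the static IP ID 39426, the static window 0x404 that Jan could not express in a rule, and source port equal to destination port as erickson observed on port 21. The sample alerts are constructed, and the `min_hits` threshold is an assumed tuning knob.

```python
import re
# Constructed sample in Snort 1.x alert format: Jan's synscan hit, then a SYN/FIN probe without the fingerprint.
SAMPLE_ALERTS = """\
[**] SCAN-SYN FIN [**]
11/30-10:33:11.836106 10.200.1.100:35 -> 10.1.1.38:35
TCP TTL:42 TOS:0x0 ID:39426
**SF**** Seq: 0x66BE9571 Ack: 0x385E824F Win: 0x404

[**] SCAN-SYN FIN [**]
11/30-10:35:00.000001 10.9.9.9:1234 -> 10.1.1.40:80
TCP TTL:64 TOS:0x0 ID:12345
**SF**** Seq: 0x00000001 Ack: 0x00000000 Win: 0x2000
"""

HDR_RE = re.compile(r"^\S+ (\S+):(\d+) -> (\S+):(\d+)$")      # timestamp src:port -> dst:port
IPID_RE = re.compile(r"\bID:(\d+)")                          # IP header line
TCP_RE = re.compile(r"^(\S{8}) .*Win: 0x([0-9A-Fa-f]+)")     # 8-char flag field ... window

def parse_alerts(text):
    """Split Snort 1.x alert text into one dict per alert block."""
    alerts = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        if len(lines) < 4:
            continue
        hdr, ipid, tcp = (HDR_RE.match(lines[1]), IPID_RE.search(lines[2]),
                          TCP_RE.match(lines[3]))
        if not (hdr and ipid and tcp):
            continue                      # skip blocks that are not TCP alerts
        alerts.append({"src": hdr[1], "sport": int(hdr[2]), "dst": hdr[3],
                       "dport": int(hdr[4]), "ip_id": int(ipid[1]),
                       "flags": tcp[1], "win": int(tcp[2], 16)})
    return alerts

def synscan_indicators(alert):
    """List which of the synscan fingerprint traits an alert shows."""
    hits = []
    if "S" in alert["flags"] and "F" in alert["flags"]:
        hits.append("syn+fin")            # both SYN and FIN set
    if alert["ip_id"] == 39426:
        hits.append("ip_id_39426")        # static IP ID from Jan's post
    if alert["win"] == 0x404:
        hits.append("win_0x404")          # static window size from Jan's post
    if alert["sport"] == alert["dport"]:
        hits.append("same_port")          # e.g. 21 -> 21, as erickson observed
    return hits

def find_synscan(text, min_hits=3):       # (src, dst, traits) per matching alert
    return [(a["src"], a["dst"], synscan_indicators(a))
            for a in parse_alerts(text) if len(synscan_indicators(a)) >= min_hits]
```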