[Snort-users] Proper response to scan attempts?

josras at ...582...
Fri Oct 6 11:18:14 EDT 2000


Good Morning,

This morning on my machines running snort, I had these
entries awaiting me in the alert log:

[**] SCAN-SYN FIN [**]
10/05-23:43:42.617193 somewhereinjapan:21 -> mysystemonthenet:21
TCP TTL:22 TOS:0x0 ID:39426
**SF**** Seq: 0x73986926   Ack: 0x4A53FCF6   Win: 0x404

[**] SCAN-SYN FIN [**]
10/05-23:43:42.691907 somewhereinjapan:21 -> anothermysystemonthenet:21
TCP TTL:22 TOS:0x0 ID:39426
**SF**** Seq: 0x73986926   Ack: 0x4A53FCF6   Win: 0x404

There was also one more listed on another machine as well.

My question is this: Are these indicative of a true port scan attempt?
(not a false positive, just seemed strange the 'scan' would come from
the ftp port to the ftp port and that's it...)
If so, what is the 'proper' way to respond to it? (i.e., nasty email, return
port scan, etc.)

Thanks!

==================================================
= Josh Rasey, MCSE, CCNA = Office: 630-868-8010 =
= Systems Administrator= E-mail: josras at ...582...=
= Mulay Plastics       =			 =
==================================================

-------------------------------------------------
This mail sent through IMP: plastic.mulay.com
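
Added example, not part of the original message: a short Python script that parses the two alert entries quoted above and records, per source, the header properties visible in them (SYN and FIN set together, source port equal to destination port, identical ID/Seq/Ack sent to different hosts). The function names and note labels are hypothetical, and the checks are triage heuristics, not Snort's own detection logic.

```python
import re
from collections import defaultdict

# The two alert entries quoted in the message above, copied as-is.
ALERTS = """\
[**] SCAN-SYN FIN [**]
10/05-23:43:42.617193 somewhereinjapan:21 -> mysystemonthenet:21
TCP TTL:22 TOS:0x0 ID:39426
**SF**** Seq: 0x73986926   Ack: 0x4A53FCF6   Win: 0x404

[**] SCAN-SYN FIN [**]
10/05-23:43:42.691907 somewhereinjapan:21 -> anothermysystemonthenet:21
TCP TTL:22 TOS:0x0 ID:39426
**SF**** Seq: 0x73986926   Ack: 0x4A53FCF6   Win: 0x404
"""

# One alert entry in the layout shown in the message (TCP only).
ENTRY = re.compile(
    r"\[\*\*\] (?P<msg>.+?) \[\*\*\]\n"
    r"(?P<ts>\S+) (?P<src>[^\s:]+):(?P<sport>\d+) -> (?P<dst>[^\s:]+):(?P<dport>\d+)\n"
    r"TCP TTL:(?P<ttl>\d+) TOS:\S+ ID:(?P<ipid>\d+)\n"
    r"(?P<flags>\S{8}) Seq: (?P<seq>0x[0-9A-Fa-f]+)\s+Ack: (?P<ack>0x[0-9A-Fa-f]+)")

def parse_alerts(text):
    """Return one dict of header fields per alert entry."""
    return [m.groupdict() for m in ENTRY.finditer(text)]

def triage(alerts):
    """Group alerts by source and note properties shared by all of them."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append(a)
    report = {}
    for src, group in by_src.items():
        notes = set()
        if all("S" in a["flags"] and "F" in a["flags"] for a in group):
            notes.add("syn+fin")              # no normal TCP stack sets both
        if all(a["sport"] == a["dport"] for a in group):
            notes.add("sport==dport")         # not an ephemeral client port
        fingerprints = {(a["ipid"], a["seq"], a["ack"]) for a in group}
        targets = {a["dst"] for a in group}
        if len(targets) > 1 and len(fingerprints) == 1:
            notes.add("fixed-header-fields")  # same ID/Seq/Ack to every host
        report[src] = {"targets": sorted(targets), "notes": sorted(notes)}
    return report

if __name__ == "__main__":
    for src, info in triage(parse_alerts(ALERTS)).items():
        print(src, info)
```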


