[Snort-users] Proper response to scan attempts?

Jim Forster jforster at ...176...
Fri Oct 6 11:50:45 EDT 2000


I got the same scan yesterday - and yes, SYN-FIN is a scan.  <I could prob.
tell you the exact IP that did it too>  :)
They come from port 21 to port 21 as firewalls let that port's traffic pass,
so it's (usually) not detected.
I shot them an email complaining about scanning all of 2 of our Class C's -
no response yet.

Jim Forster
Network Administrator
RapidNet, Inc.
Note:  The opinions expressed here do not necessarily represent those of
people who like sock puppets.

----- Original Message -----
From: <josras at ...582...>
To: <snort-users at lists.sourceforge.net>
Sent: Friday, October 06, 2000 9:18 AM
Subject: [Snort-users] Proper response to scan attempts?


>
> Good Morning,
>
> This morning on my machines running snort, I had these
> entries awaiting me in the alert log:
>
> [**] SCAN-SYN FIN [**]
> 10/05-23:43:42.617193 somewhereinjapan:21 -> mysystemonthenet:21
> TCP TTL:22 TOS:0x0 ID:39426
> **SF**** Seq: 0x73986926   Ack: 0x4A53FCF6   Win: 0x404
>
> [**] SCAN-SYN FIN [**]
> 10/05-23:43:42.691907 somewhereinjapan:21 -> anothermysystemonthenet:21
> TCP TTL:22 TOS:0x0 ID:39426
> **SF**** Seq: 0x73986926   Ack: 0x4A53FCF6   Win: 0x404
>
> There was also one more listed on another machine as well.
>
> My question is this: Are these indicative of a true port scan attempt?
> (not a false positive, just seemed strange the 'scan' would come from
> the ftp port to the ftp port and that's it...)
> If so, what is the 'proper' way to respond to it? (i.e. nasty email, return
> port scan, etc.)
>
> Thanks!
>
> ==================================================
> = Josh Rasey, MCSE, CCNA = Office: 630-868-8010 =
> = Systems Administrator= E-mail: josras at ...582...=
> = Mulay Plastics       = =
> ==================================================
>



