[Snort-users] Proper response to scan attempts?

Jerry Shenk jas at ...129...
Fri Oct 6 12:25:51 EDT 2000


Hey, I got something similar - I don't see any problem with sharing the
attacking address....for me, this was 210.181.230.11.  We may not be looking
at the same guy though 'cuz my source port was 1739253122 and mine was at 4
this AM.

I would say this is definitely a scan...or at least anomalous traffic.
There is no legitimate use for a SYN (start of session) and FIN (finish
session) in the same packet.

Wadaya do about it?  Nothin....unless you're feeling nice, nasty, energetic
or have a need to do some testing.  One thing to remember is that the scan
is probably NOT coming from the person running the scan.  Somebody probably
found an open box, compromised it and is now banging as hard as they can to
find more boxes before they get caught or abandon the box.   The NICE thing
to do would be to figure out whose box it is and contact them to inform
them.....a nastygram probably isn't fair.

Scan back - well, if you want to play games perhaps but if you are on your
company's LAN, you don't want to turn it into a battleground....bad idea!!
Use your home box and then release and renew your IP address when you want
to stop the games.

BTW, this is gonna start a bit of a philosophical war!!

----- Original Message -----
From: <josras at ...582...>
To: <snort-users at lists.sourceforge.net>
Sent: Friday, October 06, 2000 11:18 AM
Subject: [Snort-users] Proper response to scan attempts?


>
> Good Morning,
>
> This morning on my machines running snort, I had these
> entries awaiting me in the alert log:
>
> [**] SCAN-SYN FIN [**]
> 10/05-23:43:42.617193 somewhereinjapan:21 -> mysystemonthenet:21
> TCP TTL:22 TOS:0x0 ID:39426
> **SF**** Seq: 0x73986926   Ack: 0x4A53FCF6   Win: 0x404
>
> [**] SCAN-SYN FIN [**]
> 10/05-23:43:42.691907 somewhereinjapan:21 -> anothermysystemonthenet:21
> TCP TTL:22 TOS:0x0 ID:39426
> **SF**** Seq: 0x73986926   Ack: 0x4A53FCF6   Win: 0x404
>
> There was also one more listed on another machine as well.
>
> My question is this: Are these indicative of a true port scan attempt?
> (not a false positive, just seemed strange the 'scan' would come from
> the ftp port to the ftp port and that's it...)
> If so, what is the 'proper' way to respond to it? (ie nasty email, return
> port scan, etc.)
>
> Thanks!
>
> ==================================================
> = Josh Rasey, MCSE, CCNA = Office: 630-868-8010 =
> = Systems Administrator= E-mail: josras at ...582...=
> = Mulay Plastics       = =
> ==================================================
>
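A small defender-side illustration of Jerry's point, added here and not part of either message: it parses the Snort 1.x alert-file layout Josh quoted, reads the TCP flag column as a set of letters (so it does not depend on the column order of any particular Snort version), flags SYN+FIN and, going a step beyond the thread, SYN+RST and NULL probes, and groups hits per source so you can see how many hosts were touched and whether the IP ID and sequence number were frozen across targets, which is what Josh's two alerts show. The sample alerts are constructed from the quoted ones; the hostnames and the ack-only entry are placeholders.

```python
import re
from collections import defaultdict
# Constructed sample in the Snort 1.x alert-file format quoted above; hostnames and the ack-only entry are made up.
SAMPLE_ALERTS = """\
[**] SCAN-SYN FIN [**]
10/05-23:43:42.617193 somewhereinjapan:21 -> mysystemonthenet:21
TCP TTL:22 TOS:0x0 ID:39426
**SF**** Seq: 0x73986926   Ack: 0x4A53FCF6   Win: 0x404

[**] SCAN-SYN FIN [**]
10/05-23:43:42.691907 somewhereinjapan:21 -> anothermysystemonthenet:21
TCP TTL:22 TOS:0x0 ID:39426
**SF**** Seq: 0x73986926   Ack: 0x4A53FCF6   Win: 0x404

[**] TEST ack-only (constructed) [**]
10/05-23:44:01.000000 legit.example:1034 -> mysystemonthenet:21
TCP TTL:64 TOS:0x0 ID:5121
***A**** Seq: 0x00001234   Ack: 0x00005678   Win: 0x7D78
"""
HEADER_RE = re.compile(r"^\[\*\*\] (?P<msg>.+?) \[\*\*\]$")
ADDR_RE = re.compile(r"^\S+ (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)$")
IPHDR_RE = re.compile(r"^TCP TTL:(?P<ttl>\d+) TOS:\S+ ID:(?P<ipid>\d+)$")
FLAGS_RE = re.compile(r"^(?P<flags>[*\w]{8}) Seq: (?P<seq>0x[0-9A-Fa-f]+)")

def parse_alerts(text):
    """Parse the four-line alert records; the flag field becomes the set of letters present, so column order is irrelevant."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        m = [r.match(l) for r, l in zip((HEADER_RE, ADDR_RE, IPHDR_RE, FLAGS_RE), block.splitlines())]
        if len(m) == 4 and all(m):
            records.append({"src": m[1]["src"], "dst": m[1]["dst"], "ipid": int(m[2]["ipid"]),
                            "seq": int(m[3]["seq"], 16), "flags": frozenset(m[3]["flags"]) - {"*"}})
    return records

def flag_anomaly(flags):
    """Flag combinations no real TCP stack emits: the thread's SYN+FIN, generalised to SYN+RST and NULL."""
    for combo, label in (({"S", "F"}, "SYN+FIN"), ({"S", "R"}, "SYN+RST")):
        if combo <= flags:
            return label
    return "NULL" if not flags else None

def summarize(records):
    """Per source: anomaly types, distinct targets, and whether IP ID/seq were frozen across targets (crafted packets)."""
    by_src = defaultdict(list)
    for r in records:
        if flag_anomaly(r["flags"]):
            by_src[r["src"]].append(r)
    return {src: {"anomalies": sorted({flag_anomaly(r["flags"]) for r in rs}), "targets": sorted({r["dst"] for r in rs}),
                  "fixed_ipid_seq": len(rs) > 1 and len({(r["ipid"], r["seq"]) for r in rs}) == 1}
            for src, rs in by_src.items()}
```

Running `summarize(parse_alerts(SAMPLE_ALERTS))` reports one source, two targets and a frozen IP ID and sequence number, while the ack-only entry is not flagged at all.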
