[Snort-users] Proper response to scan attempts?

Jan Muenther jan at ...206...
Fri Oct 6 12:30:15 EDT 2000


> [**] SCAN-SYN FIN [**]
> 10/05-23:43:42.691907 somewhereinjapan:21 -> anothermysystemonthenet:21
> TCP TTL:22 TOS:0x0 ID:39426
> **SF**** Seq: 0x73986926   Ack: 0x4A53FCF6   Win: 0x404

As you can see, these packets had two TCP flags set: the SYN and
the FIN flag. While SYN is sent to initiate a transmission (and
awaits an ACK), FIN is there to finish a TCP transmission. 
Therefore, these flags shouldn't naturally show up together in
one packet. Different OSes react differently to such illegal
TCP packets, which are not only used to check whether there's any
service listening at all (portscan) but also for OS
fingerprinting. Read Fyodor's article on the subject in Phrack
(don't recall the number, check out www.insecure.org). 

Still, bogus packets can be caused by hard- and software errors. 
But these two have the same ID and sequence number, so I'd guess
they're forged.

> If so, what is the 'proper' way to respond to it? (ie nasty email, return port
> scan, etc.)

A port scan is no reason to grab the Uzi and get the dogs out.
Someone's knocking on your door. Unless you have gaping holes,
there's no reason to panic. I only react to portscans when
they're combined with further actions (Netbus and BO attempts
P**S me off, especially when it CLEARLY is a Unix host...).
A good standard measure for alerts generally is a whois request,
I think. I want to know who's in charge. If they get more
annoying, tell their provider. 

Just what I usually do.

Cheers, Jan
Radio HUNDERT,6 Medien GmbH Berlin
- EDV -
j.muenther at ...206...
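A defender-side illustration of the two points in the post above (the impossible SYN+FIN combination, and two packets carrying the same IP ID and sequence number), added here as an example that is not part of the original message: it parses alert blocks in the text layout quoted above, decodes the flag field by letter, and tags impossible flag sets and repeated (source, IP ID, seq) triples. The sample alerts are constructed, not real traffic, and the "non-SYN segment without ACK" rule generalizes beyond the SYN+FIN case the post discusses.

```python
import re
from collections import Counter
# Constructed sample in the Snort 1.x text-alert layout quoted in the post (not a real log).
SAMPLE_ALERTS = """\
[**] SCAN-SYN FIN [**]
10/05-23:43:42.691907 somewhereinjapan:21 -> anothermysystemonthenet:21
TCP TTL:22 TOS:0x0 ID:39426
**SF**** Seq: 0x73986926   Ack: 0x4A53FCF6   Win: 0x404

[**] SCAN-SYN FIN [**]
10/05-23:43:43.102211 somewhereinjapan:21 -> anothermysystemonthenet:21
TCP TTL:22 TOS:0x0 ID:39426
**SF**** Seq: 0x73986926   Ack: 0x4A53FCF6   Win: 0x404
"""
FLAG_LETTERS = {"S": "SYN", "F": "FIN", "R": "RST", "P": "PSH",
                "A": "ACK", "U": "URG", "1": "RES1", "2": "RES2"}
HEADER_RE = re.compile(r"^\S+ (\S+):(\d+) -> (\S+):(\d+)$")
FLAGS_RE = re.compile(r"^([12UAPRSF*]{8}) Seq: (0x[0-9A-Fa-f]+)")

def decode_flags(field):
    """One letter per set flag, '*' for unset; read by letter, not column position."""
    return {FLAG_LETTERS[c] for c in field if c != "*"}

def classify(flags):
    """Name the impossible flag combination, or None if the segment is plausible."""
    if not flags:
        return "NULL (no flags)"
    if {"SYN", "FIN"} <= flags:            # the case in the post: open and close at once
        return "SYN+FIN"
    if not flags & {"SYN", "RST", "ACK"}:  # every non-SYN, non-RST segment carries ACK
        return "non-SYN segment without ACK"
    return None

def parse_alerts(text):
    """Parse blank-line separated Snort text alerts into dicts."""
    alerts = []
    for block in text.strip().split("\n\n"):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        hdr, fl = HEADER_RE.match(lines[1]), FLAGS_RE.match(lines[3])
        alerts.append({"src": hdr.group(1), "dst": hdr.group(3), "dport": int(hdr.group(4)),
                       "ipid": int(re.search(r"\bID:(\d+)", lines[2]).group(1)),
                       "flags": decode_flags(fl.group(1)), "seq": int(fl.group(2), 16)})
    return alerts

def review(text):
    """Verdict per alert, plus whether the same (source, IP ID, seq) repeats, the post's hint
    that the packets are forged rather than hard/software errors."""
    alerts = parse_alerts(text)
    seen = Counter((a["src"], a["ipid"], a["seq"]) for a in alerts)
    for a in alerts:
        a["bogus"] = classify(a["flags"])
        a["repeated_id_seq"] = seen[(a["src"], a["ipid"], a["seq"])] > 1
    return alerts
```

Run `review(SAMPLE_ALERTS)` to get one dict per alert; both sample alerts come back tagged "SYN+FIN" with the repeat marker set.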
