[Snort-users] Proper response to scan attempts?

Joe McAlerney joey at ...155...
Fri Oct 6 13:04:14 EDT 2000


josras at ...582... wrote:
> 
> Good Morning,
> 
> This morning on my machines running snort, I had these
> entries awaiting me in the alert log:
> 
> [**] SCAN-SYN FIN [**]
> 10/05-23:43:42.617193 somewhereinjapan:21 -> mysystemonthenet:21
> TCP TTL:22 TOS:0x0 ID:39426
> **SF**** Seq: 0x73986926   Ack: 0x4A53FCF6   Win: 0x404
> 
> [**] SCAN-SYN FIN [**]
> 10/05-23:43:42.691907 somewhereinjapan:21 -> anothermysystemonthenet:21
> TCP TTL:22 TOS:0x0 ID:39426
> **SF**** Seq: 0x73986926   Ack: 0x4A53FCF6   Win: 0x404
> 
> There was also one more listed on another machine as well.
> 
> My question is this: Are these indicative of a true port scan attempt?

Yes, or probes - whatever way you look at it.

> (not a false positive, just seemed strange the 'scan' would come from
> the ftp port to the ftp port and that's it...)

That happens a lot.  You see that with port 53 scans, looking for DNS. 
Sometimes it can get through an improperly configured firewall.

> If so, what is the 'proper' way to respond to it? (ie nasty email, return port
> scan, etc.)

Our organization responds with an informative message with all the
details, telling them that the source host is probably compromised. In
our experience, the responses we get indicate that it was.  Others will
say that it's a futile effort to report scans.  It's really up to you,
or your organization.

-Joe M.
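An added example, not part of Joe's reply or the original thread: it parses alert records in the four-line Snort alert format quoted above and summarises the SYN-FIN hits per source host, which is the kind of evidence the "informative message" to the remote site would carry. The sample log is constructed to mirror the two quoted alerts, with placeholder hostnames.

```python
"""Parse Snort 1.x alert-log records and summarise SYN-FIN scan activity."""
import re
from collections import defaultdict

# Constructed sample in the alert format quoted in the thread (placeholder hostnames).
SAMPLE_ALERTS = """\
[**] SCAN-SYN FIN [**]
10/05-23:43:42.617193 scanner.example.jp:21 -> host1.example.net:21
TCP TTL:22 TOS:0x0 ID:39426
**SF**** Seq: 0x73986926   Ack: 0x4A53FCF6   Win: 0x404

[**] SCAN-SYN FIN [**]
10/05-23:43:42.691907 scanner.example.jp:21 -> host2.example.net:21
TCP TTL:22 TOS:0x0 ID:39426
**SF**** Seq: 0x73986926   Ack: 0x4A53FCF6   Win: 0x404
"""

# One record: signature line, address line, IP header line, TCP header line.
RECORD = re.compile(
    r"\[\*\*\] (?P<sig>.+?) \[\*\*\]\n"
    r"(?P<ts>\S+) (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)\n"
    r"TCP TTL:(?P<ttl>\d+) TOS:0x[0-9A-Fa-f]+ ID:(?P<ipid>\d+)\n"
    r"(?P<flags>[12UAPRSF*]{8}) Seq: (?P<seq>0x[0-9A-Fa-f]+)"
)

def parse_alerts(text):
    """Return one dict per alert record found in the log text."""
    return [m.groupdict() for m in RECORD.finditer(text)]

def is_syn_fin(flags):
    """A legitimate TCP segment never carries SYN and FIN at the same time."""
    return "S" in flags and "F" in flags

def summarise(records):
    """Group SYN-FIN alerts by source; note same-port probes and reused header values."""
    by_src = defaultdict(list)
    for r in records:
        if is_syn_fin(r["flags"]):
            by_src[r["src"]].append(r)
    summary = {}
    for src, recs in by_src.items():
        summary[src] = {
            "targets": sorted({r["dst"] for r in recs}),
            # source port equal to destination port, as the poster noticed
            "same_port": all(r["sport"] == r["dport"] for r in recs),
            # identical IP ID and sequence number sent to different targets
            # indicates crafted packets rather than a real TCP stack
            "crafted": len(recs) > 1 and len({(r["ipid"], r["seq"]) for r in recs}) == 1,
        }
    return summary

if __name__ == "__main__":
    for src, info in summarise(parse_alerts(SAMPLE_ALERTS)).items():
        print(src, info)
```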
