[Snort-users] Proper response to scan attempts?

Christopher Cramer cec at ...68...
Fri Oct 6 13:15:01 EDT 2000


This looks like a scan to me.  Port 21 shouldn't be contacting port 21 on
another machine.  This may be an attempt to hide the scan in case you were
set up to ignore port scans from port 20 and 21.

Just my $0.02

-Chris


On Fri, 6 Oct 2000 josras at ...582... wrote:

> 
> Good Morning,
> 
> This morning on my machines running snort, I had these
> entries awaiting me in the alert log:
> 
> [**] SCAN-SYN FIN [**]
> 10/05-23:43:42.617193 somewhereinjapan:21 -> mysystemonthenet:21
> TCP TTL:22 TOS:0x0 ID:39426
> **SF**** Seq: 0x73986926   Ack: 0x4A53FCF6   Win: 0x404
> 
> [**] SCAN-SYN FIN [**]
> 10/05-23:43:42.691907 somewhereinjapan:21 -> anothermysystemonthenet:21
> TCP TTL:22 TOS:0x0 ID:39426
> **SF**** Seq: 0x73986926   Ack: 0x4A53FCF6   Win: 0x404
> 
> There was also one more listed on another machine as well.
> 
> My question is this: Are these indicative of a true port scan attempt?
> (not a false positive, just seemed strange the 'scan' would come from
> the ftp port to the ftp port and that's it...)
> If so, what is the 'proper' way to respond to it? (i.e. nasty email, return port
> scan, etc.)
> 
> Thanks!
> 
> ==================================================
> = Josh Rasey, MCSE, CCNA = Office: 630-868-8010 =
> = Systems Administrator= E-mail: josras at ...582...=
> = Mulay Plastics       =			 =
> ==================================================
> 
> -------------------------------------------------
> This mail sent through IMP: plastic.mulay.com
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users
> 
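
Added example, not part of either poster's message: a short Python triage over alerts in the format quoted above. It flags the traits the thread discusses (SYN and FIN set together, source port equal to destination port) and the identical IP ID and sequence number visible in the two quoted alerts. The function name `triage`, the trait labels and the third sample alert are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the two alerts quoted in the thread plus one made-up
# ordinary SYN for contrast. Hostnames are placeholders.
SAMPLE = """\
[**] SCAN-SYN FIN [**]
10/05-23:43:42.617193 somewhereinjapan:21 -> mysystemonthenet:21
TCP TTL:22 TOS:0x0 ID:39426
**SF**** Seq: 0x73986926   Ack: 0x4A53FCF6   Win: 0x404

[**] SCAN-SYN FIN [**]
10/05-23:43:42.691907 somewhereinjapan:21 -> anothermysystemonthenet:21
TCP TTL:22 TOS:0x0 ID:39426
**SF**** Seq: 0x73986926   Ack: 0x4A53FCF6   Win: 0x404

[**] EXAMPLE-OTHER [**]
10/05-23:50:01.000001 clienthost:1034 -> mysystemonthenet:21
TCP TTL:54 TOS:0x0 ID:1201
**S***** Seq: 0x1A2B3C4D   Ack: 0x0   Win: 0x2000
"""

ALERT = re.compile(
    r"\[\*\*\] .+? \[\*\*\]\n"
    r"\S+ (?P<src>[^\s:]+):(?P<sport>\d+) -> (?P<dst>[^\s:]+):(?P<dport>\d+)\n"
    r"TCP TTL:\d+ TOS:\S+ ID:(?P<ipid>\d+)\n"
    r"(?P<flags>\S{8}) Seq: (?P<seq>0x[0-9A-Fa-f]+)"
)

def triage(log_text):
    """Return {source: {"targets": [...], "traits": [...]}} for SYN+FIN alerts."""
    by_src = defaultdict(list)
    for m in ALERT.finditer(log_text):
        a = m.groupdict()
        if "S" in a["flags"] and "F" in a["flags"]:  # SYN and FIN set together
            by_src[a["src"]].append(a)
    report = {}
    for src, hits in by_src.items():
        traits = {"syn+fin"}
        if all(a["sport"] == a["dport"] for a in hits):
            traits.add("src-port-equals-dst-port")
        targets = sorted({a["dst"] for a in hits})
        # Same IP ID and sequence number sent to more than one host
        if len(targets) > 1 and len({(a["ipid"], a["seq"]) for a in hits}) == 1:
            traits.add("reused-ipid-and-seq")
        report[src] = {"targets": targets, "traits": sorted(traits)}
    return report

if __name__ == "__main__":
    print(triage(SAMPLE))
```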



