[Snort-users] syn/fin and src port

skop d'skop skop at ...2175...
Wed Jun 6 22:08:13 EDT 2001

hi all,
wonder what this pattern is all about - taken from snort_portscan.log

May 30 04:38:52 a.b.c.d:21 -> w.x.y.z:21 SYNFIN ******SF
May 30 04:38:53 a.b.c.d:19689 -> w.x.y.z:21 SYN ******S*

May 30 04:38:52 a.b.c.d:21 -> w.x.y.z:21 SYNFIN ******SF
May 30 04:38:52 a.b.c.d:19687 -> w.x.y.z:21 SYN ******S*

1. it tries to connect to w.x.y.z with the synfin flag - maybe to avoid detection - but it is detected by the ids?
2. its source port is 21 (<1024), which requires root service - but how would you do scanning from a port < 1024? i have tried with hping and nmap - doesn't work :(
3. only then, in the second line, it sends the syn flag - to start a connection.

so the purpose of sending synfin is to see whether the port is alive or not - is it?

-i'm just a beginner-
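
An added example, not part of the original post: a small parser for the snort_portscan.log line format quoted above that groups SYNFIN entries per source and target port and lists the plain SYN packets the same source sent to that port within two seconds. The year, the two-second window and the names `parse` and `correlate` are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# The first four lines are the entries quoted in the post; the last is constructed.
SAMPLE_LOG = """\
May 30 04:38:52 a.b.c.d:21 -> w.x.y.z:21 SYNFIN ******SF
May 30 04:38:53 a.b.c.d:19689 -> w.x.y.z:21 SYN ******S*
May 30 04:38:52 a.b.c.d:21 -> w.x.y.z:21 SYNFIN ******SF
May 30 04:38:52 a.b.c.d:19687 -> w.x.y.z:21 SYN ******S*
May 30 04:40:10 e.f.g.h:40000 -> w.x.y.z:80 SYN ******S*
"""

# Layout inferred from the sample: time, src:port -> dst:port, type, 8 flag chars.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<src>\S+):(?P<sport>\d+) -> "
    r"(?P<dst>\S+):(?P<dport>\d+) (?P<kind>\S+) (?P<flags>\S{8})$")

def parse(text, year=2001):
    """Return one dict per well-formed line; the log has no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        e = m.groupdict()
        e["time"] = datetime.strptime(f"{year} {e['ts']}", "%Y %b %d %H:%M:%S")
        e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
        events.append(e)
    return events

def correlate(events, window=timedelta(seconds=2)):
    """Group SYN+FIN packets by (src, dst, dport) and attach nearby plain SYNs."""
    findings = {}
    for p in (e for e in events if e["flags"].endswith("SF")):
        key = (p["src"], p["dst"], p["dport"])
        f = findings.setdefault(
            key, {"synfin": 0, "sport_eq_dport": False, "followup_sports": set()})
        f["synfin"] += 1
        # A source port equal to the destination port was chosen by the sender's
        # tool, not handed out by the OS as an ephemeral port.
        f["sport_eq_dport"] |= p["sport"] == p["dport"]
        for s in events:
            if (s["flags"].endswith("S*") and (s["src"], s["dst"], s["dport"]) == key
                    and s["sport"] >= 1024 and abs(s["time"] - p["time"]) <= window):
                f["followup_sports"].add(s["sport"])
    return findings

if __name__ == "__main__":
    for key, f in correlate(parse(SAMPLE_LOG)).items():
        print(key, f)
```
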
