[Snort-users] syn/fin and src port

Aaron lilnick at ...1303...
Wed Jun 6 23:46:54 EDT 2001


I've seen the src port 21 -> dst port 21 with SYN/FIN bits set come from
pscan, a little scanner that's wrapped up with some recent worm packages.
I'm sure there are other ways to generate this, but if FTP is open on your
box it may be a host that's been hit by the lion worm or similar trying to
propogate.

Just a thought.

Aaron

On Wed, 6 Jun 2001, skop d'skop wrote:

;hi all,
;wonder what this pattern is all about - taken from snort_portscan.log
;
;May 30 04:38:52 a.b.c.d:21 -> w.x.y.z:21 SYNFIN ******SF
;May 30 04:38:53 a.b.c.d:19689 -> w.x.y.z:21 SYN ******S*
;
;May 30 04:38:52 a.b.c.d:21 -> w.x.y.z:21 SYNFIN ******SF
;May 30 04:38:52 a.b.c.d:19687 -> w.x.y.z:21 SYN ******S*
;





More information about the Snort-users mailing list