[Snort-users] Can someone help explain this alert?

Ralf Hildebrandt Ralf.Hildebrandt at ...821...
Sun Sep 16 05:32:02 EDT 2001


On Sun, Sep 16, 2001 at 12:24:34PM +0100, Peter Borner wrote:

> I'm still new to Intrusion Detection. I'd appreciate any help I can get
> to understand this sequence of alerts.


> #1-1005420| [2001-09-16 04:35:11] 210.170.91.52:21 -> 62.49.145.39:21
> spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection

210.170.91.52 scanned the 62.49.145.* subnet for FTP servers using a
SYN FIN scan. Source port 21 was used to circumvent badly written
packet filters.

The whole scan was logged by the spp_stream4 preprocessor module of
snort.


-- 
Ralf.Hildebrandt at ...821...                           innominate AG
+49.(0)30.308806-62  fax: -77                         networking people
Reality dictates that if we want to be wizards and get paid outrageous
salaries to do what we might do for free, the users must be given
drool-proof paper.
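
Added example, not part of the original message and not Snort's own code: a sketch of why a filter that trusts source port 21 passes the probe from the alert, next to a stricter stateless check that drops it. The two filter functions and the sample segments are hypothetical and constructed for illustration.

```python
import struct

# TCP flag bits (RFC 793)
FIN, SYN, ACK = 0x01, 0x02, 0x10
FTP_CONTROL = 21


def parse_tcp(raw: bytes) -> dict:
    """Decode the fixed 20-byte TCP header into the fields used below."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags, _win, _csum, _urg = struct.unpack(
        "!HHIIHHHH", raw[:20])
    return {"sport": sport, "dport": dport, "flags": off_flags & 0x3F}


def is_syn_fin(raw: bytes) -> bool:
    """SYN opens a connection, FIN closes one; a segment carrying both
    is never produced by a normal handshake, which is why it is alerted on."""
    flags = parse_tcp(raw)["flags"]
    return bool(flags & SYN) and bool(flags & FIN)


def weak_filter_allows(raw: bytes) -> bool:
    """Hypothetical badly written rule: 'anything from port 21 is a reply
    from an FTP server we contacted, let it in'."""
    return parse_tcp(raw)["sport"] == FTP_CONTROL


def strict_filter_allows(raw: bytes) -> bool:
    """Hypothetical stricter stateless rule: a genuine reply always has ACK
    set and never SYN+FIN. Stateful connection tracking is stronger still."""
    hdr = parse_tcp(raw)
    return (hdr["sport"] == FTP_CONTROL
            and bool(hdr["flags"] & ACK)
            and not is_syn_fin(raw))


def build(sport: int, dport: int, flags: int) -> bytes:
    """Build a constructed sample header (data offset 5, no options)."""
    return struct.pack("!HHIIHHHH", sport, dport, 1, 0,
                       (5 << 12) | flags, 1024, 0, 0)


# Constructed samples: the probe shape from the alert (21 -> 21, SYN+FIN)
# and an ordinary SYN-ACK reply from an FTP server to a client port.
PROBE = build(21, 21, SYN | FIN)
REPLY = build(21, 40000, SYN | ACK)

if __name__ == "__main__":
    for name, seg in (("probe", PROBE), ("reply", REPLY)):
        print(name, is_syn_fin(seg), weak_filter_allows(seg),
              strict_filter_allows(seg))
```
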





