[Snort-users] Can someone help explain this alert?
Ralf.Hildebrandt at ...821...
Sun Sep 16 05:32:02 EDT 2001
On Sun, Sep 16, 2001 at 12:24:34PM +0100, Peter Borner wrote:
> I'm still new to Intrusion Detection. I'd appreciate any help I can get
> to understand this sequence of alerts.
> #1-1005420| [2001-09-16 04:35:11] 220.127.116.11:21 -> 18.104.22.168:21
> spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection
22.214.171.124 scanned the 62.49.145.* subnet for FTP servers using a
SYn FIN scan. SOurce port 21 was used to circumvent badly written
The whole scan was logged by the spp_stream4 preprocessor moduloe of
Ralf.Hildebrandt at ...821... innominate AG
+49.(0)30.308806-62 fax: -77 networking people
Reality dictates that if we want to be wizards and get paid outrageous
salaries to do what we might do for free, the users must be given
More information about the Snort-users