[Snort-users] Can someone help explain this alert?

Peter Borner peter at ...3373...
Mon Sep 17 23:59:02 EDT 2001


Thanks for the explanation. Do I assume this is an attempt to hack into
my systems and if so, what action do you recommend I take?



 -----Original Message-----
From: 	Ralf Hildebrandt [mailto:Ralf.Hildebrandt at ...821...] 
Sent:	16 September 2001 13:31
To:	Snort-Users (E-mail)
Subject:	Re: [Snort-users] Can someone help explain this alert?

On Sun, Sep 16, 2001 at 12:24:34PM +0100, Peter Borner wrote:

> I'm still new to Intrusion Detection. I'd appreciate any help I can
> to understand this sequence of alerts.

> #1-1005420| [2001-09-16 04:35:11] ->
> spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection

scanned the 62.49.145.* subnet for FTP servers using a
SYN FIN scan. Source port 21 was used to circumvent badly written
packet filters.

The whole scan was logged by the spp_stream4 preprocessor module of

Ralf.Hildebrandt at ...821...                           innominate AG
+49.(0)30.308806-62  fax: -77                         networking people
Reality dictates that if we want to be wizards and get paid outrageous
salaries to do what we might do for free, the users must be given
drool-proof paper.
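
The pattern described in the reply above (SYN and FIN set together, one source walking a subnet on the FTP port, source port fixed at 21) can be checked for directly in captured packets. The following is an added example, not code from the thread or from Snort; the function names, the `min_targets` threshold and the documentation-range addresses in the sample are assumptions made for illustration.

```python
import struct
from collections import defaultdict

FIN, SYN = 0x01, 0x02

def parse_ipv4_tcp(pkt: bytes):
    """Return (src, dst, sport, dport, flags) for a raw IPv4/TCP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:   # IPv4 carrying TCP only
        return None
    ihl = (pkt[0] & 0x0F) * 4                              # IP header length in bytes
    if ihl < 20 or len(pkt) < ihl + 14:                    # need TCP flags byte
        return None
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    return src, dst, sport, dport, pkt[ihl + 13]

def find_synfin_sweeps(packets, min_targets=3):
    """Report sources sending SYN+FIN to one port on at least min_targets hosts."""
    seen = defaultdict(lambda: {"targets": set(), "sports": set()})
    for pkt in packets:
        parsed = parse_ipv4_tcp(pkt)
        if parsed is None:
            continue
        src, dst, sport, dport, flags = parsed
        # SYN and FIN together is not a combination a normal TCP stack sends
        if flags & (SYN | FIN) == (SYN | FIN):
            seen[(src, dport)]["targets"].add(dst)
            seen[(src, dport)]["sports"].add(sport)
    return [
        {"src": src, "dport": dport, "targets": len(e["targets"]),
         # a single constant source port (e.g. 21) hints at filter evasion
         "fixed_sport": next(iter(e["sports"])) if len(e["sports"]) == 1 else None}
        for (src, dport), e in sorted(seen.items())
        if len(e["targets"]) >= min_targets
    ]

def build_packet(src, dst, sport, dport, flags):
    """Build a minimal IPv4/TCP packet (checksums left zero) for the sample below."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)
    return ip + tcp

# Constructed sample traffic (documentation addresses, not taken from the thread)
SAMPLE = [build_packet("198.51.100.7", f"192.0.2.{h}", 21, 21, SYN | FIN)
          for h in range(1, 6)]
SAMPLE.append(build_packet("203.0.113.9", "192.0.2.1", 40000, 21, SYN))  # ordinary SYN

if __name__ == "__main__":
    for hit in find_synfin_sweeps(SAMPLE):
        print(hit)
```

A packet filter that permits traffic purely because its source port is 21 would pass every packet in the sweep above, which is why the fixed source port is reported alongside the flag combination.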
