[Snort-users] Can someone help explain this alert?
peter at ...3373...
Mon Sep 17 23:59:02 EDT 2001
Thanks for the explanation. Do I assume this is an attempt to hack into
my systems and if so, what action do you recommend I take?
From: Ralf Hildebrandt [mailto:Ralf.Hildebrandt at ...821...]
Sent: 16 September 2001 13:31
To: Snort-Users (E-mail)
Subject: Re: [Snort-users] Can someone help explain this alert?
On Sun, Sep 16, 2001 at 12:24:34PM +0100, Peter Borner wrote:
> I'm still new to Intrusion Detection. I'd appreciate any help I can
> to understand this sequence of alerts.
> #1-1005420| [2001-09-16 04:35:11] 126.96.36.199:21 -> 188.8.131.52:21
> spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection
184.108.40.206 scanned the 62.49.145.* subnet for FTP servers using a
SYN FIN scan. Source port 21 was used to circumvent badly written
The whole scan was logged by the spp_stream4 preprocessor module of
Ralf.Hildebrandt at ...821... innominate AG
+49.(0)30.308806-62 fax: -77 networking people
Reality dictates that if we want to be wizards and get paid outrageous
salaries to do what we might do for free, the users must be given
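Added example, not part of the original thread and not Snort's own code: a minimal Python check for the flag combination the spp_stream4 alert reports, run over constructed TCP headers. The function names, the sample headers, and the privileged-source-port heuristic are assumptions made for illustration.

```python
import struct

# TCP flag bits (RFC 793), held in the low 6 bits of the offset/flags field
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def parse_tcp_header(raw: bytes) -> dict:
    """Decode the fixed 20-byte TCP header into ports and flag bits."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags, _win, _csum, _urg = struct.unpack(
        "!HHIIHHHH", raw[:20]
    )
    return {"sport": sport, "dport": dport, "flags": off_flags & 0x3F}


def classify(raw: bytes) -> list:
    """Return the anomalies found in one TCP segment header."""
    hdr = parse_tcp_header(raw)
    flags = hdr["flags"]
    findings = []
    # SYN opens a connection and FIN closes one; no normal stack sends both.
    if flags & SYN and flags & FIN:
        findings.append("SYN+FIN set together")
    # Assumed heuristic: clients normally connect from ephemeral ports.
    # Active-mode FTP data connections from port 20 are a known legitimate case.
    if flags & SYN and not flags & ACK and hdr["sport"] < 1024:
        findings.append(
            "connection attempt from privileged source port %d" % hdr["sport"]
        )
    return findings


def build_header(sport: int, dport: int, flags: int) -> bytes:
    """Constructed sample data: a minimal header with data offset 5."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 1024, 0, 0)


# Constructed samples: one probe shaped like the alert (21 -> 21, SYN FIN)
# and two ordinary FTP control-channel segments for comparison.
SAMPLES = {
    "scan_probe": build_header(21, 21, SYN | FIN),
    "normal_syn": build_header(40312, 21, SYN),
    "normal_fin": build_header(40312, 21, FIN | ACK),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw) or "clean")
```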