[Snort-users] "portscans" that only hit one host, one time?

Vinay A. Mahadik VAMahadik at ...6245...
Fri Aug 9 10:57:06 EDT 2002


Yes, that's a NOACK scan (it hasn't got an ACK flag set, and is not a
series of other normal/scan types). Check the function 'CheckTCPFlags()'
towards its end in spp_portscan.c. The flag combination is definitely
weird and qualifies as a 'stealth' scan (stealth scans are not rate
based, but per packet).

Thanks,
Vinay

"McCammon, Keith" wrote:
> 
> [WARNING: Slightly off-topic]
> 
> > Aug  9 11:48:39 204.210.241.146:2051 -> xxx.yyy.zzz.66:443
> > NOACK *2U*PRS*
> 
> I don't know much about spp_portscan internals, so I'm not sure why this was logged.  However, I'd sure as hell qualify this as a portscan.  This packet is definitely crafted to bypass a filter or elicit a response for fingerprinting or the like.
> 

--
Vinay A. Mahadik
Summer Intern
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 495 2618
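The distinction drawn above (a plain SYN is only interesting in volume, whereas an odd flag combination with no ACK is flagged on a single packet) can be shown on log lines of the form quoted in the thread. The following is an added example, not code from Snort or from either poster: it parses spp_portscan-style lines, reads the fixed-order flag string ("12UAPRSF", with '*' for an unset bit), and applies a simplified rule table that is an assumption of this example, not a transcription of CheckTCPFlags(). The sample lines other than the first are constructed.

```python
"""Per-packet 'stealth' classification of spp_portscan-style log lines.

Added example. Snort's own logic lives in CheckTCPFlags() in
spp_portscan.c; the rule table in classify() is a simplified assumption
made here, not a copy of that function.
"""
import re
from typing import Dict, List, Set

# spp_portscan prints TCP flags in the fixed order "12UAPRSF" ('1' and '2'
# are the two reserved bits, then URG ACK PSH RST SYN FIN); '*' = unset.
FLAG_ORDER = "12UAPRSF"

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+) "
    r"(?P<label>\S+) (?P<flags>[12UAPRSF*]{8})$"
)

# Constructed sample input. Only the first line is the packet from the thread;
# the rest are made up to exercise the other classes.
SAMPLE_LOG = [
    "Aug  9 11:48:39 204.210.241.146:2051 -> xxx.yyy.zzz.66:443 NOACK *2U*PRS*",
    "Aug  9 11:48:40 10.0.0.5:40000 -> 10.0.0.9:22 SYN ******S*",
    "Aug  9 11:48:41 10.0.0.5:40001 -> 10.0.0.9:80 NULL ********",
    "Aug  9 11:48:42 10.0.0.5:40002 -> 10.0.0.9:25 XMAS **U*P**F",
]


def parse_flags(text: str) -> Set[str]:
    """Turn a "12UAPRSF"-ordered string such as '*2U*PRS*' into a set of flag letters."""
    if len(text) != len(FLAG_ORDER):
        raise ValueError(f"bad flag string {text!r}")
    flags: Set[str] = set()
    for pos, ch in enumerate(text):
        if ch == "*":
            continue
        if ch != FLAG_ORDER[pos]:
            raise ValueError(f"flag {ch!r} out of place in {text!r}")
        flags.add(ch)
    return flags


def classify(flags: Set[str]) -> str:
    """Assumed rule table (not Snort's). 'normal' and 'syn' are left to
    rate-based counting; every other class is an anomaly judged per packet."""
    if "A" in flags:
        return "normal"     # ACK present: belongs to a real or half-open connection
    if flags == {"S"}:
        return "syn"        # plain SYN: only suspicious in volume
    if not flags:
        return "null"       # no flags at all
    if {"F", "P", "U"} <= flags and not flags & {"S", "R"}:
        return "xmas"       # FIN+PSH+URG without SYN/RST
    if flags == {"F"}:
        return "fin"
    if "S" in flags and "F" in flags:
        return "synfin"     # SYN and FIN never co-occur in a legitimate segment
    return "noack"          # no ACK and no other known pattern: a crafted combination


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Parse each line; lines that do not match the expected shape are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        cls = classify(parse_flags(m["flags"]))
        records.append({
            "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
            "label": m["label"], "cls": cls,
            "stealth": cls not in ("normal", "syn"),
        })
    return records


def alerts(records: List[Dict[str, object]], syn_threshold: int = 4) -> List[str]:
    """Stealth classes alert on the single packet; plain SYNs only alert once a
    source has sent syn_threshold of them (the rate-based path)."""
    out: List[str] = []
    syn_counts: Dict[str, int] = {}
    for r in records:
        if r["stealth"]:
            out.append(f"{r['src']} -> {r['dst']}:{r['dport']} stealth ({r['cls']})")
        elif r["cls"] == "syn":
            syn_counts[r["src"]] = syn_counts.get(r["src"], 0) + 1
            if syn_counts[r["src"]] == syn_threshold:
                out.append(f"{r['src']} syn scan ({syn_threshold} SYNs)")
    return out


if __name__ == "__main__":
    for a in alerts(scan_log(SAMPLE_LOG)):
        print(a)
```

Run against the sample, the thread's packet comes out as "noack" and raises an alert on its own, the three constructed lines produce one "null" and one "xmas" alert, and the lone SYN produces nothing because it never reaches the threshold.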
