[Snort-users] portscan log...
jsage at ...2022...
Thu Jan 31 06:43:12 EST 2002
On Thu, Jan 31, 2002 at 06:45:46AM +0000, Edwin Pua wrote:
> Hi Joe,
> ok thanx for the explanation..but how am i gonna know that he was already
> connected to my tcp port? or i was being attacked/hacked by this source ip?
> i'm using the default rules in my snort box.
If all you ever see are SYN packets from that IP, he's never connected.
A finished connection is a SYN coming in to you, you sending an ACK/SYN back out to him, and him sending an ACK/SYN back to you.
Only *then* is the connection established.
May I recommend "TCP/IP Illustrated, vol. 1", WR Stevens, Addison-Wesley pubs..
..read that. It'll make a *lot* of stuff more understandable.
Most people don't type their own logfiles; but, what do I care?
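
An added example, not part of the original post: one way to check from packet summaries whether a source ever got past sending SYNs. It tracks the standard TCP three-way handshake (SYN in, SYN/ACK out, final ACK in) per connection; the addresses, ports and the tuple format are constructed for illustration and are not Snort's log format.

```python
from collections import defaultdict

LOCAL = "192.0.2.10"  # constructed: the monitored host

# Constructed packet summaries: (src, sport, dst, dport, TCP flags)
PACKETS = [
    ("198.51.100.7", 40001, LOCAL, 22, "S"),   # SYN, nothing else ever seen
    ("198.51.100.7", 40002, LOCAL, 23, "S"),
    (LOCAL, 23, "198.51.100.7", 40002, "RA"),  # closed port answers with RST
    ("198.51.100.7", 40003, LOCAL, 80, "S"),
    (LOCAL, 80, "198.51.100.7", 40003, "SA"),  # open port answers, no final ACK follows
    ("203.0.113.5", 51000, LOCAL, 80, "S"),
    (LOCAL, 80, "203.0.113.5", 51000, "SA"),
    ("203.0.113.5", 51000, LOCAL, 80, "A"),    # final ACK: handshake complete
]

def classify(packets, local):
    """Return {remote_ip: {"never_completed": [ports], "established": [ports]}}."""
    state = {}  # (remote_ip, remote_port, local_port) -> handshake stage
    for src, sport, dst, dport, flags in packets:
        f = set(flags)
        if dst == local and f == {"S"}:
            state[(src, sport, dport)] = "syn"
        elif src == local and f == {"S", "A"}:
            key = (dst, dport, sport)
            if state.get(key) == "syn":
                state[key] = "synack"
        elif dst == local and "A" in f and not f & {"S", "R"}:
            key = (src, sport, dport)
            if state.get(key) == "synack":
                state[key] = "established"
    result = defaultdict(lambda: {"never_completed": [], "established": []})
    for (remote, _rport, lport), stage in state.items():
        bucket = "established" if stage == "established" else "never_completed"
        result[remote][bucket].append(lport)
    return {ip: {k: sorted(v) for k, v in d.items()} for ip, d in result.items()}

if __name__ == "__main__":
    for ip, summary in classify(PACKETS, LOCAL).items():
        print(ip, summary)
```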