[Snort-users] portscan log...

John Sage jsage at ...2022...
Thu Jan 31 06:43:12 EST 2002

On Thu, Jan 31, 2002 at 06:45:46AM +0000, Edwin Pua wrote:
> Hi Joe,
> OK, thanks for the explanation, but how am I going to know that he was already 
> connected to my TCP port, or that I was being attacked/hacked by this source IP? 
> I'm using the default rules in my Snort box.

If all you ever see are SYN packets from that IP, he's never connected.

A finished connection is a SYN coming in to you, you sending an ACK/SYN back out to him, and him sending an ACK/SYN back to you.

Only *then* is the connection established.

May I recommend "TCP/IP Illustrated, Vol. 1", W. R. Stevens, Addison-Wesley..

..read that. It'll make a *lot* of stuff more understandable.

John

Most people don't type their own logfiles;  but, what do I care?
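The handshake check John describes, as an added example (mine, not code from the message or from Snort): a small Python tracker that reads the flag field Snort prints in its packet logs (e.g. `******S*`) and reports which remote hosts never got past a bare SYN toward us. The IP addresses and sample packets are constructed.

```python
# Added example, not from John's message or the Snort project: decide from the
# flag field Snort logs whether a remote host ever completed the handshake.
from collections import defaultdict

def parse_snort_flags(s):
    """Snort prints TCP flags as an 8-character field in the order
    '12UAPRSF' (reserved bits, URG, ACK, PSH, RST, SYN, FIN); '*' = unset."""
    if len(s) != 8:
        raise ValueError("expected an 8-character Snort flag field")
    return {name for name, ch in zip("12UAPRSF", s) if ch != "*"}

def classify_flows(packets):
    """packets: (src, sport, dst, dport, snort_flags) tuples in arrival order.
    Returns {(client_ip, client_port, server_ip, server_port): state} with
    state 'syn_only' (half-open probe), 'syn_ack' (answered, final ACK never
    seen) or 'established' (all three handshake packets observed)."""
    state = {}
    for src, sport, dst, dport, fl in packets:
        flags = parse_snort_flags(fl)
        fwd = (src, sport, dst, dport)   # client -> server direction
        rev = (dst, dport, src, sport)   # server -> client direction
        if "S" in flags and "A" not in flags:
            state.setdefault(fwd, "syn_only")          # new attempt (step 1)
        elif "S" in flags and "A" in flags and state.get(rev) == "syn_only":
            state[rev] = "syn_ack"                     # our SYN/ACK (step 2)
        elif "A" in flags and "S" not in flags and state.get(fwd) == "syn_ack":
            state[fwd] = "established"                 # his final ACK (step 3)
    return state

def never_connected(packets, my_ip):
    """Remote IPs none of whose attempts toward my_ip reached 'established'."""
    seen = defaultdict(set)
    for (cip, _, sip, _), st in classify_flows(packets).items():
        if sip == my_ip:
            seen[cip].add(st)
    return sorted(ip for ip, sts in seen.items() if "established" not in sts)

# Constructed sample: 10.9.8.7 probes three ports with bare SYNs and never
# ACKs our replies; 172.16.0.2 completes a handshake to port 22.
SAMPLE = [
    ("10.9.8.7", 40001, "192.168.1.10", 22, "******S*"),
    ("192.168.1.10", 22, "10.9.8.7", 40001, "***A**S*"),
    ("10.9.8.7", 40002, "192.168.1.10", 80, "******S*"),
    ("10.9.8.7", 40003, "192.168.1.10", 443, "******S*"),
    ("192.168.1.10", 443, "10.9.8.7", 40003, "***A**S*"),
    ("172.16.0.2", 51000, "192.168.1.10", 22, "******S*"),
    ("192.168.1.10", 22, "172.16.0.2", 51000, "***A**S*"),
    ("172.16.0.2", 51000, "192.168.1.10", 22, "***A****"),
]
```

Calling `never_connected(SAMPLE, "192.168.1.10")` lists only 10.9.8.7: it was answered twice but never sent the third packet, so no connection was ever established.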

