[Snort-users] RE: fin-no-ack scans

Fred Portnoy fportnoy at ...1527...
Fri Apr 2 11:09:07 EST 2004


Upon closer inspection I can make some observations: hosts which are doing
P2P communication send and re-send SYNs to a station that does not reply,
and then instead of just giving up, they end with a FIN. I don't know the
purpose of that FIN, since no session had been established; it may be for
additional reconnaissance, or not. That FIN, because no actual session was
ever established, lacks an ACK flag. Sessions which are established normally
with a SYN-SYN/ACK-ACK sequence would be ended with a FIN/ACK. So, the FIN
flag without an accompanying ACK flag triggers the Snort SCAN FIN rule (621)
and the firewall rule which blocks such FIN-only flags. According to the
references at http://www.snort.org/snort-db/sid.html?sid=621 and at
http://www.whitehats.com/info/ids27, stateless FIN packets are used for
reconnaissance, which is the reason for blocking them.
thanks

-fp
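
The check described above, worked as an added example (not code from this thread or from Snort): a FIN segment with no ACK bit is what the SCAN FIN rule keys on, and a small per-flow table records how many unanswered SYNs preceded it, which makes the "SYN, SYN again, bare FIN" pattern visible to the analyst. The header builder, detector class, addresses and the port 80 flow are constructed for illustration; only port 6346 comes from the post.

```python
import struct
from collections import defaultdict
# TCP flag bits: the low six bits of the 16-bit data-offset/flags field.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def tcp_header(sport, dport, flags, seq=0, ack=0):
    """Build a minimal 20-byte TCP header (constructed test data, no options)."""
    offset_flags = (5 << 12) | flags          # data offset = 5 words, then flag bits
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, 65535, 0, 0)

def parse_tcp(hdr):
    sport, dport, _seq, _ack, offset_flags = struct.unpack("!HHIIH", hdr[:14])
    return sport, dport, offset_flags & 0x3F  # (sport, dport, flags)

class FinScanDetector:
    """Per-flow handshake tracking; reports FIN segments that carry no ACK."""
    def __init__(self):
        # flow -> [unanswered SYN count, an ACK has been seen on this flow?]
        self.flows = defaultdict(lambda: [0, False])
    @staticmethod
    def _flow(src, sport, dst, dport):
        a, b = (src, sport), (dst, dport)     # same key for both directions
        return (a, b) if a <= b else (b, a)
    def observe(self, src, dst, hdr):
        sport, dport, flags = parse_tcp(hdr)
        st = self.flows[self._flow(src, sport, dst, dport)]
        if flags & SYN and not flags & ACK:
            st[0] += 1                        # client SYN (or a retransmit of it)
        elif flags == SYN | ACK:
            st[0] = 0                         # server answered the SYN
        elif flags & ACK and not flags & FIN:
            st[1] = True                      # ACK seen: treat the flow as established
        if flags & FIN and not flags & ACK:   # the condition Snort SID 621 "SCAN FIN" keys on
            return f"SCAN FIN: bare FIN after {st[0]} unanswered SYN(s), established={st[1]}"
        return None

def replay(events):
    """events: (src, dst, sport, dport, flags) tuples -> [(index, alert), ...]."""
    det = FinScanDetector()
    alerts = (det.observe(s, d, tcp_header(sp, dp, f)) for s, d, sp, dp, f in events)
    return [(i, a) for i, a in enumerate(alerts) if a]

# Constructed traces; 6346 is the port named in the post, the addresses are placeholders.
P2P_PROBE = [("10.0.0.5", "192.0.2.9", 40000, 6346, SYN),
             ("10.0.0.5", "192.0.2.9", 40000, 6346, SYN),      # re-sent, still no reply
             ("10.0.0.5", "192.0.2.9", 40000, 6346, FIN)]      # gives up with a bare FIN
NORMAL = [("10.0.0.5", "192.0.2.9", 40001, 80, SYN),
          ("192.0.2.9", "10.0.0.5", 80, 40001, SYN | ACK),
          ("10.0.0.5", "192.0.2.9", 40001, 80, ACK),
          ("10.0.0.5", "192.0.2.9", 40001, 80, FIN | ACK)]     # normal close: no alert
```

`replay(P2P_PROBE)` flags only the third segment, with the two unanswered SYNs recorded in the message; `replay(NORMAL)` returns an empty list because the close carries FIN/ACK.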


-----Original Message-----
From: owner-packeteer-edu at ...11554...
[mailto:owner-packeteer-edu at ...11554...] On Behalf Of Fred Portnoy
Sent: Wednesday, March 31, 2004 5:48 PM
To: unisog at ...695...; packeteer-edu at ...11554...
Subject: fin-no-ack scans


Friends:

My Packeteer was bogging down again today and I found from my firewall logs
that I had a host spewing out tcp packets to port 6346 with FIN flag but no
accompanying ACK flag. I had thought that correct TCP protocol would not do
that. Anyone familiar with this? Is it a virus/worm symptom, or is it a way
of some P2P application to search for partners?

thanks

Fred Portnoy
Plymouth State University
Plymouth, New Hampshire

-++**==--++**==--++**==--++**==--++**==--++**==--++**==--++**==--++**
This message was posted through the Stanford mailing list server. To
subscribe/unsubscribe, send email to majordomo at ...11555... with
"subscribe packeteer-edu" or "unsubscribe packeteer-edu" as the body.
Archive is at http://www.stanford.edu/group/networking/netlists/

___________________________________________________
You are subscribed to the ResNet-L mailing list.

To subscribe, unsubscribe or search the archives,
go to http://LISTSERV.ND.EDU/archives/resnet-l.html
___________________________________________________
