Snort mailing list archives

syn/fin and src port


From: "skop d'skop" <skop () visto com>
Date: Wed, 06 Jun 2001 19:08:13 -0700

hi all,
wonder what this pattern is all about - taken from snort_portscan.log

May 30 04:38:52 a.b.c.d:21 -> w.x.y.z:21 SYNFIN ******SF
May 30 04:38:53 a.b.c.d:19689 -> w.x.y.z:21 SYN ******S*

May 30 04:38:52 a.b.c.d:21 -> w.x.y.z:21 SYNFIN ******SF
May 30 04:38:52 a.b.c.d:19687 -> w.x.y.z:21 SYN ******S*

1. It tries to connect to w.x.y.z with the SYNFIN flag - maybe to avoid detection - but it is detected by the IDS?
2. Its source port is 21 (<1024), which requires root service - but how would you do scanning from a port < 1024? I have tried with hping and nmap - doesn't work :(
3. Only in the second line does it send the SYN flag - to start the connection.

So the purpose of sending SYNFIN is to see whether the port is alive or not - is it?

thanks
-i'm just a beginner-
-skop
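
An added example, not part of the original post: a short Python parser for the snort_portscan.log layout quoted above that reports entries with SYN and FIN set together, notes when source and destination ports match, and pairs each with a plain SYN that follows to the same port. The sample addresses, the 5-second correlation window and the default year are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the post's log layout; addresses are placeholders.
SAMPLE_LOG = """\
May 30 04:38:52 192.0.2.10:21 -> 198.51.100.20:21 SYNFIN ******SF
May 30 04:38:53 192.0.2.10:19689 -> 198.51.100.20:21 SYN ******S*
May 30 04:39:10 192.0.2.77:40112 -> 198.51.100.20:80 SYN ******S*
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<src>\S+):(?P<sport>\d+) -> "
    r"(?P<dst>\S+):(?P<dport>\d+) (?P<kind>\S+) (?P<flags>\S+)$"
)

def parse(log_text, year=2001):
    """Parse log lines; the year is an assumption, since the log omits it."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        e = m.groupdict()
        e["time"] = datetime.strptime(f"{year} {e['ts']}", "%Y %b %d %H:%M:%S")
        e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
        e["flagset"] = set(e["flags"]) - {"*"}  # letters of the flags that are set
        events.append(e)
    return events

def findings(events, window=timedelta(seconds=5)):
    """Report SYN+FIN packets and any plain SYN that follows to the same port."""
    out = []
    for i, e in enumerate(events):
        if not {"S", "F"} <= e["flagset"]:
            continue
        notes = ["SYN and FIN set together"]
        if e["sport"] == e["dport"]:
            notes.append("source port equals destination port")
        for later in events[i + 1:]:
            same_target = (later["src"], later["dst"], later["dport"]) == (e["src"], e["dst"], e["dport"])
            if same_target and later["flagset"] == {"S"} and timedelta(0) <= later["time"] - e["time"] <= window:
                notes.append(f"plain SYN from source port {later['sport']} followed")
                break
        out.append((e["src"], e["dst"], e["dport"], notes))
    return out

if __name__ == "__main__":
    for finding in findings(parse(SAMPLE_LOG)):
        print(finding)
```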
