Snort mailing list archives

Re: portscan log...

From: Demetri Mouratis <dmourati () cm math uiuc edu>
Date: Thu, 31 Jan 2002 08:49:31 -0600 (CST)

The SYN is the type of packet that's being sent, in this case a request to
open a tcp connection.

The *'s indicate that the corresponding bit (FIN,ACK ...) is not set.

In short, this is your standard tcp portscan.
On Thu, 31 Jan 2002, Edwin Pua wrote:

Hi,

      I saw this message under my portscan.log file and I know that this
source ip 137.132.83.218 is scanning my ip 211.156.185.143 but what is
SYN*****S* means?


Jan 29 18:52:34 137.132.83.218:1999 -> 211.156.185.143:3372 SYN ******S*
Jan 29 18:52:34 137.132.83.218:2000 -> 211.156.185.143:3373 SYN ******S*
Jan 29 18:52:35 137.132.83.218:2003 -> 211.156.185.143:3376 SYN ******S*
Jan 29 18:52:36 137.132.83.218:2004 -> 211.166.185.143:3377 SYN ******S*
Jan 29 18:52:36 137.132.83.218:2005 -> 211.166.185.143:3378 SYN ******S*
Jan 29 18:52:37 137.132.83.218:2006 -> 211.166.185.143:3379 SYN ******S*
Jan 29 18:52:37 137.132.83.218:2007 -> 211.166.185.143:3380 SYN ******S*
Jan 29 18:52:38 137.132.83.218:2008 -> 211.166.185.143:3381 SYN ******S*
Jan 29 18:52:38 137.132.83.218:2010 -> 211.166.185.143:3383 SYN ******S*
Jan 29 18:52:39 137.132.83.218:2011 -> 211.166.185.143:3384 SYN ******S*
Jan 29 18:52:39 137.132.83.218:2012 -> 211.166.185.143:3385 SYN ******S*
Jan 29 18:52:40 137.132.83.218:2014 -> 211.166.185.143:3387 SYN ******S*

rgds,
edwin

_________________________________________________________________
Chat with friends online, try MSN Messenger: http://messenger.msn.com


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


---------------------------------------------------------------------
Demetri Mouratis
dmourati () linfactory com


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

portscan log... Edwin Pua (Jan 30)
- Re: portscan log... Joe McAlerney (Jan 30)
- Re: portscan log... Demetri Mouratis (Jan 31)
- <Possible follow-ups>
- Re: portscan log... Edwin Pua (Jan 30)
  - Re: portscan log... John Sage (Jan 31)
  - Re: portscan log... Joe McAlerney (Jan 31)
- Re: portscan log... Edwin Pua (Feb 01)