Snort mailing list archives
Re: portscan log...
From: John Sage <jsage () finchhaven com>
Date: Thu, 31 Jan 2002 06:42:45 -0800
On Thu, Jan 31, 2002 at 06:45:46AM +0000, Edwin Pua wrote:
> Hi Joe, ok thanks for the explanation.. but how am I gonna know that he was already connected to my TCP port? Or I was being attacked/hacked by this source IP? I'm using the default rules in my Snort box.
If all you ever see are SYN packets from that IP, he's never connected.

A finished connection is a SYN coming in to you, you sending an ACK/SYN back out to him, and him sending an ACK/SYN back to you. Only *then* is the connection established.

May I recommend "TCP/IP Illustrated, vol. 1", W. R. Stevens, Addison-Wesley. Read that. It'll make a *lot* of stuff more understandable.

- John

--
Most people don't type their own logfiles; but, what do I care?
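The point John makes above (bare SYNs mean no connection was ever completed) can be checked mechanically from a packet log. The following is an added example, not code from the original thread or from the Snort project: it walks a small constructed log in a simplified "src:port -> dst:port FLAGS" format (an assumption of this example, not Snort's real output format), tracks each flow through the standard three-way handshake states (SYN sent, SYN/ACK received, final ACK), and then reports per source IP how many connection attempts were seen versus how many actually reached ESTABLISHED. A source with many attempts and zero established connections is the pattern the portscan log was showing.

```python
import re

# Constructed sample log (assumption: this compact line format is the example's own).
# Flags: S = SYN, A = ACK, so "SA" is SYN/ACK.
SAMPLE_LOG = """\
01/31-06:42:01.000 10.0.0.5:40001 -> 192.168.1.10:22 S
01/31-06:42:01.050 192.168.1.10:22 -> 10.0.0.5:40001 SA
01/31-06:42:01.100 10.0.0.5:40001 -> 192.168.1.10:22 A
01/31-06:42:05.000 203.0.113.7:51000 -> 192.168.1.10:80 S
01/31-06:42:05.000 203.0.113.7:51001 -> 192.168.1.10:81 S
01/31-06:42:05.001 203.0.113.7:51002 -> 192.168.1.10:82 S
01/31-06:42:09.000 198.51.100.9:33000 -> 192.168.1.10:443 S
01/31-06:42:09.040 192.168.1.10:443 -> 198.51.100.9:33000 SA
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)\s+([SAFRPU]+)$")


def parse_line(line):
    """Parse one log line into (ts, src_ip, src_port, dst_ip, dst_port, flag_set)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, sip, sport, dip, dport, flags = m.groups()
    return ts, sip, int(sport), dip, int(dport), set(flags)


def classify_flows(log_text):
    """Return {(client_ip, client_port, server_ip, server_port): handshake_state}.

    The client is whoever sends the first bare SYN; the flow only becomes
    ESTABLISHED once SYN, SYN/ACK and the final ACK have all been observed.
    """
    flows = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, sip, sport, dip, dport, flags = rec
        fwd = (sip, sport, dip, dport)   # as sent by the initiator
        rev = (dip, dport, sip, sport)   # the initiator's key when the server replies
        if "S" in flags and "A" not in flags:
            # Bare SYN from the initiator: nothing is established yet.
            flows.setdefault(fwd, "SYN_SENT")
        elif "S" in flags and "A" in flags and flows.get(rev) == "SYN_SENT":
            # Server answered with SYN/ACK: still a half-open connection.
            flows[rev] = "SYN_RECEIVED"
        elif "A" in flags and "S" not in flags and flows.get(fwd) == "SYN_RECEIVED":
            # Initiator's ACK completes the three-way handshake.
            flows[fwd] = "ESTABLISHED"
    return flows


def summarize_by_source(flows):
    """Count attempts and completed handshakes per initiating IP."""
    summary = {}
    for (cip, _, _, _), state in flows.items():
        s = summary.setdefault(cip, {"attempts": 0, "established": 0})
        s["attempts"] += 1
        if state == "ESTABLISHED":
            s["established"] += 1
    return summary


if __name__ == "__main__":
    report = summarize_by_source(classify_flows(SAMPLE_LOG))
    for ip, counts in sorted(report.items()):
        verdict = "connected" if counts["established"] else "SYNs only, never connected"
        print(f"{ip:15} attempts={counts['attempts']} established={counts['established']}  {verdict}")
```

Run stand-alone it prints one line per source IP; 203.0.113.7 shows three attempts and no completed handshake, 198.51.100.9 got a SYN/ACK back but never sent the final ACK, and only 10.0.0.5 actually established a session. The same state machine can be fed real packet logs once `parse_line` is adapted to the actual log format in use.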
Current thread:
- portscan log... Edwin Pua (Jan 30)
- Re: portscan log... Joe McAlerney (Jan 30)
- Re: portscan log... Demetri Mouratis (Jan 31)
- <Possible follow-ups>
- Re: portscan log... Edwin Pua (Jan 30)
- Re: portscan log... John Sage (Jan 31)
- Re: portscan log... Joe McAlerney (Jan 31)
- Re: portscan log... Edwin Pua (Feb 01)