Snort mailing list archives
FIN scans and Apple airport
From: Paul Schmehl <pauls () utdallas edu>
Date: 26 Mar 2003 16:53:27 -0600
We are seeing what I would describe as a massive amount of FIN scans (over 100,000 over a 48-hour period) that with one minor exception are coming from Apple computers with Airport wireless cards. We have 186 registered Airport cards on our network and these scans are only coming from a handful of them (approximately five cards).

There are two alerts that are being tripped:

(spp_stream4) STEALTH ACTIVITY (FIN scan) detection
sid: 621 SCAN FIN

Is anyone else seeing this on their network?

The one exception was a Linksys wireless card (don't know the OS yet) that spit out 11 alerts over a two-day period. All the rest appear to be Airport cards (the OUI is assigned to Apple).

--
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/~pauls/
AVIEN Founding Member