Snort mailing list archives

FIN scans and Apple airport


From: Paul Schmehl <pauls () utdallas edu>
Date: 26 Mar 2003 16:53:27 -0600

We are seeing what I would describe as a massive amount of FIN scans
(over 100,000 over a 48 hour period) that with one minor exception are
coming from Apple computers with Airport wireless cards.

We have 186 registered Airport cards on our network and these scans are
only coming from a handful of them (approximately five cards.)

There are two alerts that are being tripped:
(spp_stream4) STEALTH ACTIVITY (FIN scan) detection
sid: 621 SCAN FIN

Is anyone else seeing this on their network?

The one exception was a Linksys wireless card (don't know the OS yet)
that spit out 11 alerts over a two day period.  All the rest appear to
be Airport cards (the OUI is assigned to Apple.)

-- 
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/~pauls/
AVIEN Founding Member


