Snort mailing list archives

RE: fin-no-ack scans


From: "Fred Portnoy" <fportnoy () mail plymouth edu>
Date: Fri, 2 Apr 2004 14:07:04 -0500

Upon closer inspection I can make some observations: hosts which are doing
P2P communication send and re-send SYNs to a station that does not reply,
and then instead of just giving up, they end with a FIN. I don't know the
purpose of that FIN, since no session had been established; it may be for
additional reconnaissance, or not. That FIN, because no actual session was
ever established, lacks an ACK flag. Sessions which are established normally
with a SYN-SYN/ACK-ACK sequence would be ended with a FIN/ACK. So, the FIN
flag without an accompanying ACK flag triggers the Snort SCAN FIN rule (621)
and the firewall rule which blocks such FIN-only flags. According to the
references at http://www.snort.org/snort-db/sid.html?sid=621 and at
http://www.whitehats.com/info/ids27, stateless FIN packets are used for
reconnaissance, which is the reason for blocking them.
thanks

-fp


-----Original Message-----
From: owner-packeteer-edu () lists Stanford EDU
[mailto:owner-packeteer-edu () lists Stanford EDU] On Behalf Of Fred Portnoy
Sent: Wednesday, March 31, 2004 5:48 PM
To: unisog () sans org; packeteer-edu () lists Stanford EDU
Subject: fin-no-ack scans


Friends:

My Packeteer was bogging down again today and I found from my firewall logs
that I had a host spewing out tcp packets to port 6346 with FIN flag but no
accompanying ACK flag. I had thought that correct TCP protocol would not do
that. Anyone familiar with this? Is it a virus/worm symptom, or is it a way
of some P2P application to search for partners?

thanks

Fred Portnoy
Plymouth State University
Plymouth, New Hampshire

-++**==--++**==--++**==--++**==--++**==--++**==--++**==--++**==--++**
This message was posted through the Stanford mailing list server. To
subscribe/unsubscribe, send email to majordomo () lists stanford edu with
"subscribe packeteer-edu" or "unsubscribe packeteer-edu" as the body.
Archive is at http://www.stanford.edu/group/networking/netlists/

___________________________________________________
You are subscribed to the ResNet-L mailing list.

To subscribe, unsubscribe or search the archives,
go to http://LISTSERV.ND.EDU/archives/resnet-l.html
___________________________________________________





_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


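The FIN-without-ACK condition discussed in the thread above, as an added example that is not part of the original messages: a small Python classifier that applies the same check the Snort SCAN FIN rule (sid 621) is described as making, run over constructed packet records that mimic the reported P2P behaviour (repeated SYNs to a silent port 6346 peer, then a bare FIN) next to a normal session closed with FIN/ACK. The packet records, addresses and helper names are assumptions for illustration.

```python
# Added example (not from the original thread): flag TCP segments that carry
# FIN but no ACK, which cannot belong to an established session.
from collections import Counter

# TCP flag bits as laid out in the TCP header's flags byte (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def flag_names(flags: int) -> str:
    """Render a flags byte as e.g. 'SYN/ACK' for readable log lines."""
    names = [(FIN, "FIN"), (SYN, "SYN"), (RST, "RST"),
             (PSH, "PSH"), (ACK, "ACK"), (URG, "URG")]
    return "/".join(n for bit, n in names if flags & bit) or "none"


def is_stateless_fin(flags: int) -> bool:
    """True for a FIN with no ACK: after the initial SYN every segment of a
    live session carries ACK, so this FIN belongs to no session."""
    return bool(flags & FIN) and not (flags & ACK)


def scan_fin_alerts(packets):
    """Return (src, dst, dport) for each packet that trips the FIN check."""
    return [(p["src"], p["dst"], p["dport"]) for p in packets
            if is_stateless_fin(p["flags"])]


def top_fin_senders(packets, n=3):
    """Count stateless FINs per source to find the host 'spewing' them."""
    return Counter(s for s, _, _ in scan_fin_alerts(packets)).most_common(n)


# Constructed sample traffic (assumed, not a real capture): 10.0.0.5 retries a
# SYN to a silent port 6346 peer, then sends a bare FIN; 10.0.0.7 completes a
# normal handshake and closes with FIN/ACK, which must not alert.
SAMPLE = [
    {"src": "10.0.0.5", "dst": "192.0.2.10", "dport": 6346, "flags": SYN},
    {"src": "10.0.0.5", "dst": "192.0.2.10", "dport": 6346, "flags": SYN},
    {"src": "10.0.0.5", "dst": "192.0.2.10", "dport": 6346, "flags": SYN},
    {"src": "10.0.0.5", "dst": "192.0.2.10", "dport": 6346, "flags": FIN},
    {"src": "10.0.0.7", "dst": "192.0.2.20", "dport": 80, "flags": SYN},
    {"src": "192.0.2.20", "dst": "10.0.0.7", "dport": 40000, "flags": SYN | ACK},
    {"src": "10.0.0.7", "dst": "192.0.2.20", "dport": 80, "flags": ACK},
    {"src": "10.0.0.7", "dst": "192.0.2.20", "dport": 80, "flags": FIN | ACK},
]

if __name__ == "__main__":
    for src, dst, dport in scan_fin_alerts(SAMPLE):
        print(f"SCAN FIN: {src} -> {dst}:{dport}")
    print(top_fin_senders(SAMPLE))
```

Only the bare FIN from 10.0.0.5 is reported; the FIN/ACK that ends the normal session is not, which is the distinction the thread draws.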