Snort mailing list archives
RE: fin-no-ack scans
From: "Fred Portnoy" <fportnoy () mail plymouth edu>
Date: Fri, 2 Apr 2004 14:07:04 -0500
Upon closer inspection I can make some observations: hosts which are doing P2P communication send and re-send SYNs to a station that does not reply, and then, instead of just giving up, they end with a FIN. I don't know the purpose of that FIN, since no session had been established; it may be for additional reconnaissance, or not. That FIN, because no actual session was ever established, lacks an ACK flag. Sessions which are established normally with a SYN-SYN/ACK-ACK sequence would be ended with a FIN/ACK. So the FIN flag without an accompanying ACK flag triggers the Snort SCAN FIN rule (621) and the firewall rule which blocks such FIN-only flags. According to the references at http://www.snort.org/snort-db/sid.html?sid=621 and at http://www.whitehats.com/info/ids27, stateless FIN packets are used for reconnaissance, which is the reason for blocking them.

thanks
-fp

-----Original Message-----
From: owner-packeteer-edu () lists Stanford EDU [mailto:owner-packeteer-edu () lists Stanford EDU] On Behalf Of Fred Portnoy
Sent: Wednesday, March 31, 2004 5:48 PM
To: unisog () sans org; packeteer-edu () lists Stanford EDU
Subject: fin-no-ack scans

Friends:

My Packeteer was bogging down again today and I found from my firewall logs that I had a host spewing out TCP packets to port 6346 with the FIN flag but no accompanying ACK flag. I had thought that correct TCP protocol would not do that. Anyone familiar with this? Is it a virus/worm symptom, or is it a way for some P2P application to search for partners?

thanks
Fred Portnoy
Plymouth State University
Plymouth, New Hampshire

-++**==--++**==--++**==--++**==--++**==--++**==--++**==--++**==--++**
This message was posted through the Stanford mailing list server. To subscribe/unsubscribe, send email to majordomo () lists stanford edu with "subscribe packeteer-edu" or "unsubscribe packeteer-edu" as the body.
Archive is at http://www.stanford.edu/group/networking/netlists/

___________________________________________________
You are subscribed to the ResNet-L mailing list. To subscribe, unsubscribe or search the archives, go to http://LISTSERV.ND.EDU/archives/resnet-l.html
___________________________________________________

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
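The distinction the post draws, between a FIN that belongs to an established session (FIN/ACK after a SYN, SYN/ACK, ACK handshake) and a bare FIN sent to a host that never answered, can be checked two ways: statelessly on the flag byte, which is what a "SCAN FIN" style signature does, or statefully by following the handshake. The following is an added example, not code from the post or from Snort; it replays the traffic pattern Fred describes (repeated SYNs to tcp/6346 with no reply, then a FIN-only segment) against both checks. Assumptions: the packets, addresses and ports are constructed for the example, checksums are left zero, and the stateless check is my approximation of the SID 621 logic (FIN as the only flag set, with the two ECN bits ignored), not the rule text itself.

```python
import socket
import struct
from dataclasses import dataclass

# TCP flag bits, low byte of the offset/flags word in the TCP header.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80
ECN_BITS = ECE | CWR  # congestion-notification bits; ignored when classifying


@dataclass(frozen=True)
class TcpSegment:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int


def build_ipv4_tcp(src, dst, sport, dport, flags):
    """Constructed test packet: minimal 20-byte IPv4 + 20-byte TCP header, checksums zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp


def parse_ipv4_tcp(pkt):
    """Pull addresses, ports and the flag byte out of a raw IPv4+TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4          # IPv4 header length in bytes
    if pkt[9] != 6:                     # protocol field must be TCP
        raise ValueError("not a TCP packet")
    src = socket.inet_ntoa(pkt[12:16])
    dst = socket.inet_ntoa(pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    flags = pkt[ihl + 13]               # byte 13 of the TCP header holds the flags
    return TcpSegment(src, dst, sport, dport, flags)


def is_scan_fin(seg):
    """Stateless check in the spirit of SID 621 (assumption): FIN is the only flag set."""
    return (seg.flags & ~ECN_BITS) == FIN


class SessionTracker:
    """Follow SYN / SYN-ACK / ACK so a FIN can be judged against real session state."""

    def __init__(self):
        self.syn_sent = set()      # client-oriented 4-tuples that sent a SYN
        self.syn_received = set()  # ... whose SYN was answered with SYN/ACK
        self.established = set()   # ... that completed the handshake

    def observe(self, seg):
        fwd = (seg.src, seg.sport, seg.dst, seg.dport)
        rev = (seg.dst, seg.dport, seg.src, seg.sport)
        core = seg.flags & ~ECN_BITS
        if core == SYN:                                  # initial SYN or a retransmit
            self.syn_sent.add(fwd)
            return "syn_sent"
        if core == SYN | ACK and rev in self.syn_sent:   # reply to a SYN we saw
            self.syn_received.add(rev)
            return "syn_received"
        if core == ACK and fwd in self.syn_received and fwd not in self.established:
            self.established.add(fwd)                    # third step of the handshake
            return "established"
        if core & FIN:
            if fwd in self.established or rev in self.established:
                # A FIN inside a real session should carry ACK; note it if it does not.
                return "fin_stateful" if core & ACK else "fin_no_ack_in_session"
            return "fin_stateless"                       # FIN for a session that never existed
        return "other"


def replay_p2p_pattern():
    """The traffic described in the post: SYNs to tcp/6346 with no reply, then a bare FIN."""
    host, peer = "10.0.0.5", "192.0.2.10"  # constructed addresses
    tracker = SessionTracker()
    results = []
    for flags in (SYN, SYN, SYN, FIN):
        seg = parse_ipv4_tcp(build_ipv4_tcp(host, peer, 40000, 6346, flags))
        results.append((tracker.observe(seg), is_scan_fin(seg)))
    return results


def replay_normal_close():
    """Control case: full handshake then FIN/ACK, which neither check should flag."""
    client, server = "10.0.0.5", "192.0.2.20"  # constructed addresses
    tracker = SessionTracker()
    pkts = [(client, server, 40001, 6346, SYN),
            (server, client, 6346, 40001, SYN | ACK),
            (client, server, 40001, 6346, ACK),
            (client, server, 40001, 6346, FIN | ACK)]
    results = []
    for p in pkts:
        seg = parse_ipv4_tcp(build_ipv4_tcp(*p))
        results.append((tracker.observe(seg), is_scan_fin(seg)))
    return results


if __name__ == "__main__":
    print("P2P pattern:", replay_p2p_pattern())
    print("normal close:", replay_normal_close())
```

In the replayed P2P pattern the final segment is flagged by both checks: the flag byte is FIN alone, and the tracker has no established session for that 4-tuple, only three unanswered SYNs. In the control case the closing FIN/ACK passes both. The stateful check is the one worth keeping on a busy segment: a flags-only rule cannot tell a FIN-only probe from a FIN that a peer sends after its ACKs were lost, whereas the tracker only reports "fin_stateless" when it never saw a handshake complete.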
Current thread:
- RE: fin-no-ack scans Fred Portnoy (Apr 02)