Security Incidents mailing list archives

Syn and Fin in different packets together


From: stuart () SILICONDEFENSE COM (Stuart Staniford-Chen)
Date: Tue, 21 Mar 2000 22:21:03 +0000


Anyone know what can cause traffic like this?  X and Y are fixed IPs.
We had a similar traffic pattern from the same source (X) a few days
ago.  The activity was isolated to just these IPs and ports and didn't
seem to be part of a larger scan (or it was very sparse if it was).

The Syn and Fin packets arrive almost at the same time.  In each group
of three alerts, the "IDS027" snort detect and the FIN portscan detect
are actually from the same packet.  (See http://whitehats.com/IDS/27 for
details of the signature.)

 Mar 20 18:17:24 X:1669 -> Y:80 FIN ***F****
 Mar 20 18:17:24 X:1669 -> Y:80 SYN **S*****
 [**] IDS027 - SCAN-FIN [**]
 03/20-18:17:24.259062 X:1669 -> Y:80
 TCP TTL:116 TOS:0x0 ID:44867  DF
 ***F**** Seq: 0xB3FA71   Ack: 0x0   Win: 0x0

 Mar 20 18:19:55 X:1684 -> Y:80 SYN **S*****
 Mar 20 18:19:55 X:1684 -> Y:80 FIN ***F****
 [**] IDS027 - SCAN-FIN [**]
 03/20-18:19:55.288742 X:1684 -> Y:80
 TCP TTL:116 TOS:0x0 ID:44942  DF
 ***F**** Seq: 0xB64866   Ack: 0x0   Win: 0x0

 Mar 20 19:02:37 X:1985 -> Y:80 SYN **S*****
 Mar 20 19:02:37 X:1985 -> Y:80 FIN ***F****
 [**] IDS027 - SCAN-FIN [**]
 03/20-19:02:37.563409 X:1985 -> Y:80
 TCP TTL:116 TOS:0x0 ID:46049  DF
 ***F**** Seq: 0xDD5FE6   Ack: 0x0   Win: 0x0

Here's one of the actual packet logs from the FIN packets.  It just has
zeroes in it.

[**] IDS027 - SCAN-FIN [**]
03/20-18:17:24.259062 X:1669 -> Y:80
TCP TTL:116 TOS:0x0 ID:44867  DF
***F**** Seq: 0xB3FA71   Ack: 0x0   Win: 0x0
00 00 00 00 00 00                                ......


--
Stuart Staniford-Chen --- President --- Silicon Defense
                   stuart () silicondefense com
(707) 822-4588                     (707) 826-7571 (FAX)
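The pattern described above (a SYN and a bare FIN on the same source port, within the same second) is easy to pull out of the portscan log mechanically. The following is an added example, not code from the original post or from Snort: it parses lines in the log format quoted above and flags every flow where a FIN without ACK lands next to a SYN. The sample log is constructed (it repeats the post's lines and adds one invented FIN/ACK close that must not be flagged); the year 2000 and the exact column layout are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample in the portscan-log format quoted above: the post's six
# events plus an invented FIN/ACK close on port 2001 that must not be flagged.
SAMPLE_LOG = """\
Mar 20 18:17:24 X:1669 -> Y:80 FIN ***F****
Mar 20 18:17:24 X:1669 -> Y:80 SYN **S*****
Mar 20 18:19:55 X:1684 -> Y:80 SYN **S*****
Mar 20 18:19:55 X:1684 -> Y:80 FIN ***F****
Mar 20 19:02:37 X:1985 -> Y:80 SYN **S*****
Mar 20 19:02:37 X:1985 -> Y:80 FIN ***F****
Mar 20 19:05:00 X:2001 -> Y:80 SYN **S*****
Mar 20 19:05:03 X:2001 -> Y:80 FIN ***FA***
"""

# Flags are an eight-character field: a letter for each set bit, '*' for clear.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<src>[^:\s]+):(?P<sport>\d+) -> (?P<dst>[^:\s]+):(?P<dport>\d+) "
    r"\w+ (?P<flags>[*A-Z0-9]{8})$"
)

def parse_events(log_text):
    """Group (timestamp, flags) by src:port -> dst:port flow, in first-seen order."""
    by_flow = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # The log carries no year; 2000 is assumed from the post's date.
        ts = datetime.strptime(f"2000 {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        flow = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        by_flow[flow].append((ts, m["flags"]))
    return by_flow

def find_syn_bare_fin(log_text, window_seconds=1.0):
    """Return [(flow, syn_ts, fin_ts)] where a bare FIN (FIN set, ACK clear)
    lands within window_seconds of a SYN on the same flow.  Every segment after
    a connection's first SYN carries ACK, so a bare FIN is never a real close."""
    hits = []
    for flow, events in parse_events(log_text).items():
        syns = [t for t, f in events if "S" in f]
        bare_fins = [t for t, f in events if "F" in f and "A" not in f]
        for s in syns:
            for f in bare_fins:
                if abs((f - s).total_seconds()) <= window_seconds:
                    hits.append((flow, s, f))
    return hits
```

Run against the sample, it reports the three X:1669/1684/1985 flows from the post and leaves the FIN/ACK close on port 2001 alone.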


