Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: syn/fin and src port

From: Aaron <lilnick () nepenthes org>
Date: Wed, 6 Jun 2001 20:46:54 -0700 (PDT)
I've seen the src port 21 -> dst port 21 with SYN/FIN bits set come from
pscan, a little scanner that's wrapped up with some recent worm packages.
I'm sure there are other ways to generate this, but if FTP is open on your
box it may be a host that's been hit by the lion worm or similar trying to
propogate.

Just a thought.

Aaron

On Wed, 6 Jun 2001, skop d'skop wrote:

;hi all,
;wonder what this pattern is all about - taken from snort_portscan.log
;
;May 30 04:38:52 a.b.c.d:21 -> w.x.y.z:21 SYNFIN ******SF
;May 30 04:38:53 a.b.c.d:19689 -> w.x.y.z:21 SYN ******S*
;
;May 30 04:38:52 a.b.c.d:21 -> w.x.y.z:21 SYNFIN ******SF
;May 30 04:38:52 a.b.c.d:19687 -> w.x.y.z:21 SYN ******S*
;


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: