Snort mailing list archives

RE: Can someone help explain this alert?


From: "Peter Borner" <peter () borner org uk>
Date: Sun, 16 Sep 2001 14:16:01 +0100

Ralf,

Thanks for the explanation. Do I assume this is an attempt to hack into
my systems and if so, what action do you recommend I take?

Thanks,

Peter

 -----Original Message-----
From:   Ralf Hildebrandt [mailto:Ralf.Hildebrandt () innominate com] 
Sent:   16 September 2001 13:31
To:     Snort-Users (E-mail)
Subject:        Re: [Snort-users] Can someone help explain this alert?

On Sun, Sep 16, 2001 at 12:24:34PM +0100, Peter Borner wrote:

I'm still new to Intrusion Detection. I'd appreciate any help I can get
to understand this sequence of alerts.


#1-1005420| [2001-09-16 04:35:11] 210.170.91.52:21 -> 62.49.145.39:21
spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection

210.170.91.52 scanned the 62.49.145.* subnet for FTP servers using a
SYN FIN scan. Source port 21 was used to circumvent badly written
packet filters.

The whole scan was logged by the spp_stream4 preprocessor module of
snort.


-- 
Ralf.Hildebrandt () innominate com                           innominate AG
+49.(0)30.308806-62  fax: -77                         networking people
Reality dictates that if we want to be wizards and get paid outrageous
salaries to do what we might do for free, the users must be given
drool-proof paper.



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
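
An added example, not part of the original thread: a Python triage script that parses alerts in the format quoted above and groups SYN FIN alerts by source, showing whether one host swept several addresses on the same port and whether it used a low source port. The sample alerts are constructed and use documentation address ranges; the function names and the `min_targets` threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample alerts in the format quoted in the thread
# (documentation address ranges, not real hosts).
SAMPLE = """\
#1-1| [2001-09-16 04:35:11] 192.0.2.52:21 -> 198.51.100.39:21
spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection
#1-2| [2001-09-16 04:35:11] 192.0.2.52:21 -> 198.51.100.40:21
spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection
#1-3| [2001-09-16 04:35:12] 192.0.2.52:21 -> 198.51.100.41:21
spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection
#1-4| [2001-09-16 09:02:40] 203.0.113.7:40211 -> 198.51.100.39:80
spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection
"""

# Header line: "#id| [timestamp] src:sport -> dst:dport"
HEADER = re.compile(
    r"^#\S+\|\s+\[(?P<ts>[^\]]+)\]\s+(?P<src>[\d.]+):(?P<sport>\d+)"
    r"\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

def parse_alerts(text):
    """Pair each header line with the message line that follows it."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for head, msg in zip(lines, lines[1:]):
        m = HEADER.match(head)
        if m and not HEADER.match(msg):
            yield {**m.groupdict(), "msg": msg}

def summarize_sweeps(text, min_targets=3):
    """Group SYN FIN alerts by (source, source port, destination port)."""
    targets = defaultdict(set)
    for a in parse_alerts(text):
        if "SYN FIN scan" in a["msg"]:
            key = (a["src"], int(a["sport"]), int(a["dport"]))
            targets[key].add(a["dst"])
    return [
        {"src": src, "sport": sport, "dport": dport, "targets": len(dsts),
         "sweep": len(dsts) >= min_targets,   # one host, many addresses
         "low_sport": sport < 1024}           # e.g. 21, as in the thread
        for (src, sport, dport), dsts in sorted(targets.items())
    ]

if __name__ == "__main__":
    for finding in summarize_sweeps(SAMPLE):
        print(finding)
```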



