Snort mailing list archives
RE: Can someone help explain this alert?
From: "Peter Borner" <peter () borner org uk>
Date: Sun, 16 Sep 2001 14:16:01 +0100
Ralf,

Thanks for the explanation. Do I assume this is an attempt to hack into my systems and if so, what action do you recommend I take?

Thanks,
Peter

-----Original Message-----
From: Ralf Hildebrandt [mailto:Ralf.Hildebrandt () innominate com]
Sent: 16 September 2001 13:31
To: Snort-Users (E-mail)
Subject: Re: [Snort-users] Can someone help explain this alert?

On Sun, Sep 16, 2001 at 12:24:34PM +0100, Peter Borner wrote:
> I'm still new to Intrusion Detection. I'd appreciate any help I can get
> to understand this sequence of alerts.
>
> #1-1005420| [2001-09-16 04:35:11] 210.170.91.52:21 -> 62.49.145.39:21 spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection

210.170.91.52 scanned the 62.49.145.* subnet for FTP servers using a SYN FIN scan. Source port 21 was used to circumvent badly written packet filters. The whole scan was logged by the spp_stream4 preprocessor module of snort.

--
Ralf.Hildebrandt () innominate com innominate AG
+49.(0)30.308806-62 fax: -77 networking people
Reality dictates that if we want to be wizards and get paid outrageous
salaries to do what we might do for free, the users must be given
drool-proof paper.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
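
The following is an added example, not part of the original thread and not Snort code. It parses a packet shaped like the one in the alert, flags the SYN+FIN combination, and compares a filter that trusts source port 21 with one that also checks TCP flags. The two filter functions, the 192.0.2.10 address and port 40000 are assumptions made for illustration; the packets are constructed sample data.

```python
import socket
import struct

FIN, SYN, ACK = 0x01, 0x02, 0x10  # TCP flag bits

def build_packet(src, dst, sport, dport, flags):
    """Constructed sample data: minimal IPv4+TCP headers, checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 1024, 0, 0)
    return ip + tcp

def parse_tcp(packet):
    """Return (src, sport, dst, dport, flags), or None if not complete IPv4/TCP."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 6:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IP header length in bytes
    if ihl < 20 or len(packet) < ihl + 14:
        return None
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return (socket.inet_ntoa(packet[12:16]), sport,
            socket.inet_ntoa(packet[16:20]), dport, packet[ihl + 13])

def is_syn_fin(packet):
    """SYN opens a connection and FIN closes one; no normal packet sets both."""
    parsed = parse_tcp(packet)
    return parsed is not None and (parsed[4] & (SYN | FIN)) == (SYN | FIN)

def port_only_filter_allows(packet):
    """Hypothetical weak rule: anything from source port 21 is an FTP reply."""
    parsed = parse_tcp(packet)
    return parsed is not None and parsed[1] == 21

def flag_aware_filter_allows(packet):
    """Hypothetical stricter rule: a reply from port 21 must carry ACK, never SYN+FIN."""
    parsed = parse_tcp(packet)
    if parsed is None or is_syn_fin(packet):
        return False
    return parsed[1] == 21 and bool(parsed[4] & ACK)

# The packet from the alert, and a constructed FTP server reply (SYN+ACK).
SCAN = build_packet("210.170.91.52", "62.49.145.39", 21, 21, SYN | FIN)
REPLY = build_packet("192.0.2.10", "62.49.145.39", 21, 40000, SYN | ACK)

if __name__ == "__main__":
    for name, pkt in (("scan", SCAN), ("reply", REPLY)):
        print(name, parse_tcp(pkt), "syn_fin=%s" % is_syn_fin(pkt),
              "port_only=%s" % port_only_filter_allows(pkt),
              "flag_aware=%s" % flag_aware_filter_allows(pkt))
```

The flag-aware rule is still stateless; a filter that tracks connection state would reject any unsolicited packet regardless of its source port.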
Current thread:
- Can someone help explain this alert? Peter Borner (Sep 16)
- Re: Can someone help explain this alert? Ralf Hildebrandt (Sep 16)
- <Possible follow-ups>
- RE: Can someone help explain this alert? Peter Borner (Sep 18)