Snort mailing list archives

Re: portscan log...


From: Joe McAlerney <joey () SiliconDefense com>
Date: Wed, 30 Jan 2002 18:34:13 -0800

Hi Edwin,

It means the portscanner used TCP packets with only the SYN bit set. 
These packets are used to initiate TCP connections.  The person is
presumably looking for TCP services running on your box.

For more information on the portscan plugin, take a look at:

http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.4.3

-Joe M.

-- 
Joe McAlerney
Software Developer / Security Consultant
joey () SiliconDefense com
Silicon Defense: IDS Solutions -=- http://www.silicondefense.com/

Edwin Pua wrote:

Hi,

      I saw this message under my portscan.log file and I know that this
source IP 137.132.83.218 is scanning my IP 211.156.185.143, but what does
SYN*****S* mean?

Jan 29 18:52:34 137.132.83.218:1999 -> 211.156.185.143:3372 SYN ******S*
Jan 29 18:52:34 137.132.83.218:2000 -> 211.156.185.143:3373 SYN ******S*
Jan 29 18:52:35 137.132.83.218:2003 -> 211.156.185.143:3376 SYN ******S*
Jan 29 18:52:36 137.132.83.218:2004 -> 211.166.185.143:3377 SYN ******S*
Jan 29 18:52:36 137.132.83.218:2005 -> 211.166.185.143:3378 SYN ******S*
Jan 29 18:52:37 137.132.83.218:2006 -> 211.166.185.143:3379 SYN ******S*
Jan 29 18:52:37 137.132.83.218:2007 -> 211.166.185.143:3380 SYN ******S*
Jan 29 18:52:38 137.132.83.218:2008 -> 211.166.185.143:3381 SYN ******S*
Jan 29 18:52:38 137.132.83.218:2010 -> 211.166.185.143:3383 SYN ******S*
Jan 29 18:52:39 137.132.83.218:2011 -> 211.166.185.143:3384 SYN ******S*
Jan 29 18:52:39 137.132.83.218:2012 -> 211.166.185.143:3385 SYN ******S*
Jan 29 18:52:40 137.132.83.218:2014 -> 211.166.185.143:3387 SYN ******S*

rgds,
edwin


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


