Snort mailing list archives

Re: portscan log...


From: John Sage <jsage () finchhaven com>
Date: Thu, 31 Jan 2002 06:42:45 -0800

On Thu, Jan 31, 2002 at 06:45:46AM +0000, Edwin Pua wrote:

> Hi Joe,
>
> ok thanks for the explanation..but how am I gonna know that he was already
> connected to my TCP port? or I was being attacked/hacked by this source IP?
> I'm using the default rules in my Snort box.

If all you ever see are SYN packets from that IP, he's never connected.

A finished connection is a SYN coming in to you, you sending an ACK/SYN back out to him, and him sending an ACK/SYN back to you.

Only *then* is the connection established.

May I recommend "TCP/IP Illustrated, vol. 1", W. R. Stevens, Addison-Wesley pubs..

..read that. It'll make a *lot* of stuff more understandable.


- John

-- 
Most people don't type their own logfiles;  but, what do I care?
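The check John describes, as an added example that is not part of this thread or of Snort: a small handshake tracker run over constructed, simplified one-packet-per-line records (the flag column follows Snort's eight-character 12UAPRSF layout, the rest of the line format is an assumption). A flow is only counted as established once the client's SYN, the server's SYN/ACK and the client's ACK have all been seen; a source that only ever sends SYNs is reported as "syn_only".

```python
import re
from collections import defaultdict

# Constructed sample (not real Snort output): "time src:port -> dst:port flags".
# 203.0.113.7 sends bare SYNs to three ports; 198.51.100.4 completes a handshake.
SAMPLE_LOG = """\
01/31-06:40:01.000000 203.0.113.7:40001 -> 192.0.2.10:22 ******S*
01/31-06:40:01.000100 203.0.113.7:40002 -> 192.0.2.10:23 ******S*
01/31-06:40:01.000200 203.0.113.7:40003 -> 192.0.2.10:80 ******S*
01/31-06:41:10.000000 198.51.100.4:51234 -> 192.0.2.10:80 ******S*
01/31-06:41:10.000300 192.0.2.10:80 -> 198.51.100.4:51234 ***A**S*
01/31-06:41:10.000600 198.51.100.4:51234 -> 192.0.2.10:80 ***A****
01/31-06:41:10.001000 198.51.100.4:51234 -> 192.0.2.10:80 ***AP***
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>[12UAPRSF*]{8})$"
)

def handshake_state(log_text):
    """Map each flow (client, cport, server, sport) to its handshake state."""
    state = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a packet record
        flags = m["flags"]
        syn, ack = flags[6] == "S", flags[3] == "A"  # 12UAPRSF positions
        fwd = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        rev = (m["dst"], int(m["dport"]), m["src"], int(m["sport"]))
        if syn and not ack and fwd not in state:
            state[fwd] = "SYN_SENT"            # step 1: client SYN
        elif syn and ack and state.get(rev) == "SYN_SENT":
            state[rev] = "SYN_RECEIVED"        # step 2: server SYN/ACK
        elif ack and not syn and state.get(fwd) == "SYN_RECEIVED":
            state[fwd] = "ESTABLISHED"         # step 3: client ACK
    return state

def summarize_by_source(log_text):
    """Per client IP: how many flows stayed SYN-only vs. became established."""
    summary = defaultdict(lambda: {"syn_only": 0, "established": 0})
    for (client, _, _, _), st in handshake_state(log_text).items():
        summary[client]["established" if st == "ESTABLISHED" else "syn_only"] += 1
    return dict(summary)

if __name__ == "__main__":
    for ip, counts in summarize_by_source(SAMPLE_LOG).items():
        print(ip, counts)
```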
