Snort mailing list archives

Re: Can someone help explain this alert?


From: Ralf Hildebrandt <Ralf.Hildebrandt () innominate com>
Date: Sun, 16 Sep 2001 14:31:16 +0200

On Sun, Sep 16, 2001 at 12:24:34PM +0100, Peter Borner wrote:

> I'm still new to Intrusion Detection. I'd appreciate any help I can get
> to understand this sequence of alerts.
>
> #1-1005420| [2001-09-16 04:35:11] 210.170.91.52:21 -> 62.49.145.39:21
> spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection

210.170.91.52 scanned the 62.49.145.* subnet for FTP servers using a
SYN FIN scan. Source port 21 was used to circumvent badly written
packet filters.

The whole scan was logged by the spp_stream4 preprocessor module of
snort.


-- 
Ralf.Hildebrandt () innominate com                           innominate AG
+49.(0)30.308806-62  fax: -77                         networking people
Reality dictates that if we want to be wizards and get paid outrageous
salaries to do what we might do for free, the users must be given
drool-proof paper.
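
An added illustration of the reply above, not part of the original post and not Snort's code: it checks constructed TCP headers for the SYN+FIN combination and compares a weak stateless rule set that trusts source port 21 with a stricter one. Both rule sets, the helper names and the sample packets are assumptions made for this example.

```python
import struct

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

def tcp_header(sport, dport, flags):
    """Build a bare 20-byte TCP header (constructed sample data)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)

def parse(hdr):
    """Return (source port, destination port, flag byte) of a TCP header."""
    sport, dport, _seq, _ack, _off, flags = struct.unpack("!HHIIBB", hdr[:14])
    return sport, dport, flags

def is_syn_fin(hdr):
    """SYN and FIN together never occur in a legitimate TCP exchange."""
    return (parse(hdr)[2] & (SYN | FIN)) == (SYN | FIN)

def naive_filter(hdr):
    """Hypothetical weak rule set: source port 21 is assumed to be FTP
    reply traffic, and only a pure SYN counts as a connection attempt."""
    sport, _dport, flags = parse(hdr)
    if sport == 21:
        return "accept"
    return "drop" if flags == SYN else "accept"

def hardened_filter(hdr):
    """Hypothetical stricter rule set for a network with no inbound services:
    ignore the source port, drop impossible flags and any SYN without ACK."""
    _sport, _dport, flags = parse(hdr)
    if is_syn_fin(hdr) or (flags & (SYN | RST)) == (SYN | RST):
        return "drop"
    if (flags & SYN) and not (flags & ACK):
        return "drop"
    return "accept"  # a stateful firewall would also check its connection table

# Constructed packets: the probe from the alert (21 -> 21, SYN+FIN),
# an ordinary inbound SYN, and a SYN+ACK reply from a real FTP server.
SAMPLES = {
    "syn_fin_probe": tcp_header(21, 21, SYN | FIN),
    "plain_syn": tcp_header(40000, 21, SYN),
    "ftp_synack": tcp_header(21, 40000, SYN | ACK),
}

def verdicts():
    """Map sample name -> (SYN+FIN seen, naive verdict, hardened verdict)."""
    return {name: (is_syn_fin(h), naive_filter(h), hardened_filter(h))
            for name, h in SAMPLES.items()}

if __name__ == "__main__":
    print(verdicts())
```

The probe passes the weak rule set because of its source port alone, while a genuine SYN+ACK reply from port 21 still passes the stricter one.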


