Security Incidents mailing list archives
Re: Syn and Fin in different packets together
From: thegnome () NMRC ORG (Simple Nomad)
Date: Wed, 22 Mar 2000 23:05:38 -0600
Without pulling up a sniffer I'd say that's an nmap FIN scan looking for open port 80 boxes. They probably didn't use the -P0 option which will probably get the extra SYN packet. Considering how many devices allow for remote web management (such as hubs and routers) I'd expect these types of scans, especially at the perimeter.

- Simple Nomad - No rest for the Wicca'd -
- thegnome () nmrc org - www.nmrc.org -
- thegnome () razor bindview com - razor.bindview.com -

On Tue, 21 Mar 2000, Stuart Staniford-Chen wrote:
> Anyone know what can cause traffic like this? X and Y are fixed IPs. We had a similar traffic pattern from the same source (X) a few days ago. The activity was isolated to just these IPs and ports and didn't seem to be part of a larger scan (or it was very sparse if it was). The Syn and Fin packets arrive almost at the same time. In each group of three alerts, the "IDS027" snort detect and the FIN portscan detect are actually from the same packet. (See http://whitehats.com/IDS/27 for details of the signature.)
>
> Mar 20 18:17:24 X:1669 -> Y:80 FIN ***F****
> Mar 20 18:17:24 X:1669 -> Y:80 SYN **S*****
> [**] IDS027 - SCAN-FIN [**]
> 03/20-18:17:24.259062 X:1669 -> Y:80
> TCP TTL:116 TOS:0x0 ID:44867 DF
> ***F**** Seq: 0xB3FA71 Ack: 0x0 Win: 0x0
>
> Mar 20 18:19:55 X:1684 -> Y:80 SYN **S*****
> Mar 20 18:19:55 X:1684 -> Y:80 FIN ***F****
> [**] IDS027 - SCAN-FIN [**]
> 03/20-18:19:55.288742 X:1684 -> Y:80
> TCP TTL:116 TOS:0x0 ID:44942 DF
> ***F**** Seq: 0xB64866 Ack: 0x0 Win: 0x0
>
> Mar 20 19:02:37 X:1985 -> Y:80 SYN **S*****
> Mar 20 19:02:37 X:1985 -> Y:80 FIN ***F****
> [**] IDS027 - SCAN-FIN [**]
> 03/20-19:02:37.563409 X:1985 -> Y:80
> TCP TTL:116 TOS:0x0 ID:46049 DF
> ***F**** Seq: 0xDD5FE6 Ack: 0x0 Win: 0x0
>
> Here's one of the actual packet logs from the FIN packets. Just has zeroes in.
>
> [**] IDS027 - SCAN-FIN [**]
> 03/20-18:17:24.259062 X:1669 -> Y:80
> TCP TTL:116 TOS:0x0 ID:44867 DF
> ***F**** Seq: 0xB3FA71 Ack: 0x0 Win: 0x0
> 00 00 00 00 00 00 ......
>
> --
> Stuart Staniford-Chen --- President --- Silicon Defense
> stuart () silicondefense com
> (707) 822-4588 (707) 826-7571 (FAX)
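The pattern discussed in this thread (a bare SYN and a bare FIN from the same source port to the same destination port, arriving in the same second) can be pulled out of a portscan log automatically. The following is an added example, not code from either poster or from Snort: a small Python parser for lines in the shape of the Snort 1.x portscan log quoted above, which groups records by (src, sport, dst, dport) and reports every SYN/FIN pair that falls within a short window. The sample log is constructed to mirror the quoted entries (X and Y stand in for the real addresses); the extra Z entries are a constructed control case that must not match, and the window size and the year used for timestamps are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of the Snort 1.x portscan log quoted in the
# thread. X/Y are placeholders; the two Z lines are a control case that uses
# different source ports and times, so they must not pair up.
SAMPLE_LOG = """\
Mar 20 18:17:24 X:1669 -> Y:80 FIN ***F****
Mar 20 18:17:24 X:1669 -> Y:80 SYN **S*****
Mar 20 18:19:55 X:1684 -> Y:80 SYN **S*****
Mar 20 18:19:55 X:1684 -> Y:80 FIN ***F****
Mar 20 19:02:37 X:1985 -> Y:80 SYN **S*****
Mar 20 19:02:37 X:1985 -> Y:80 FIN ***F****
Mar 20 19:05:00 Z:40000 -> Y:80 SYN **S*****
Mar 20 19:30:00 Z:40001 -> Y:80 FIN ***F****
"""

# "Mon DD HH:MM:SS src:sport -> dst:dport KIND FLAGS"; the flag field is the
# 8-character Snort flag string, which we only test for the letters S and F.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+) "
    r"(?P<kind>\w+) (?P<flags>[*A-Z0-9]{8})$"
)


def parse_line(line, year=2000):
    """Parse one portscan-log line; return a dict or None if it does not match.
    The log carries no year, so the caller supplies one (assumed 2000 here)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return {
        "ts": ts,
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "flags": m["flags"],
    }


def find_syn_fin_pairs(text, window_seconds=2):
    """Return SYN/FIN record pairs that share src:sport -> dst:dport and
    arrive within window_seconds of each other, oldest first."""
    by_conn = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            by_conn[(rec["src"], rec["sport"], rec["dst"], rec["dport"])].append(rec)

    hits = []
    for (src, sport, dst, dport), recs in by_conn.items():
        syns = [r["ts"] for r in recs if "S" in r["flags"]]
        fins = [r["ts"] for r in recs if "F" in r["flags"]]
        for s in syns:
            for f in fins:
                if abs((f - s).total_seconds()) <= window_seconds:
                    hits.append({"src": src, "sport": sport, "dst": dst,
                                 "dport": dport, "syn": s, "fin": f})
    hits.sort(key=lambda h: (h["syn"], h["sport"]))
    return hits


if __name__ == "__main__":
    for h in find_syn_fin_pairs(SAMPLE_LOG):
        print(f"{h['syn']:%b %d %H:%M:%S} {h['src']}:{h['sport']} -> "
              f"{h['dst']}:{h['dport']}  SYN+FIN within window")
```

Grouping on the full four-tuple is what separates this pattern from ordinary traffic: a real client never sends a lone FIN to a port it has no connection with, and a lone SYN followed by a lone FIN from the same ephemeral port in the same second is the signature the thread is discussing. The window is deliberately small because the portscan log only has one-second resolution; widen it if the log you feed in is coarser.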