Intrusions 02-18-02 13:59pm

A SYN-FIN portscan from Poland, detected by the snort spp_stream preprocessor.

What's going on here is an illegal (abnormal) flag combination: a legitimate packet can't carry a SYN flag, which attempts to establish a TCP connection, together with a FIN (finished) flag.

Purpose? Possibly OS detection from the response returned.
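
The flag check described above, as an added example (not code from the original page or from snort): it parses a constructed 40-byte IPv4/TCP packet, the same length as the L=40 in the kernel log on this page, and labels the SYN+FIN combination. It goes slightly beyond the page by also labelling SYN+RST and no-flag packets; the addresses, source port and function names are assumptions made for the illustration.

```python
import struct

# TCP flag bits: byte 13 of the TCP header (RFC 793)
FIN, SYN, RST = 0x01, 0x02, 0x04

def build_packet(src, dst, sport, dport, flags):
    """Constructed sample: 20-byte IPv4 header + 20-byte TCP header, checksums 0."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)
    return ip + tcp

def tcp_flags(packet):
    """Return (dst_port, flags) for an unfragmented IPv4 TCP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4              # IP header length in bytes
    if ihl < 20 or packet[9] != 6 or len(packet) < ihl + 20:
        return None                           # bad header, not TCP, or truncated
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return None                           # later fragment: no TCP header here
    dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    return dport, packet[ihl + 13] & 0x3F     # the six RFC 793 flag bits

def classify(packet):
    """Label flag combinations that no legitimate TCP stack sends."""
    parsed = tcp_flags(packet)
    if parsed is None:
        return "not-tcp"
    flags = parsed[1]
    if flags & SYN and flags & FIN:
        return "SYN-FIN"                      # open and close in one packet
    if flags & SYN and flags & RST:
        return "SYN-RST"
    if flags == 0:
        return "NULL"
    return "ok"

if __name__ == "__main__":
    # Constructed packets; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
    for name, fl in [("syn", SYN), ("syn-fin", SYN | FIN), ("null", 0)]:
        pkt = build_packet("192.0.2.10", "198.51.100.5", 40000, 21, fl)
        print(name, tcp_flags(pkt), classify(pkt))
```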

Unusual System Events

Feb 18 14:01:02 greatwall snort: [111:13:1] spp_stream4: STEALTH ACTIVITY (SYN FIN scan)
 detection {TCP} ->

Feb 18 14:01:02 greatwall snort: spp_portscan: PORTSCAN DETECTED to port 21 from (STEALTH)

Feb 18 14:04:53 greatwall snort: spp_portscan: portscan status from 1
 connections across 1 hosts: TCP(1), UDP(0) STEALTH

Feb 18 14:04:58 greatwall snort: spp_portscan:
 End of portscan from
 TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH

Feb 18 14:01:02 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 L=40 S=0x00 I=39426 F=0x0000 T=24 SYN (#64)

Mon Feb 18 14:01:02 2002 UNKNOWN [1028:24:0:0:52:0:0:40]. -> =

BW whois 2.9 by Bill Weinman (
 1999-2001 William E. Weinman 

connecting to [] ...

Silesian Technical University (NET-GLIWINET)
   ul. Akademicka 16
   Gliwice, 44-100

   Netblock: -    

      Strzyzewski, Piotr  (PS316-ARIN)  gucio@ZEUS.POLSL.GLIWICE.PL
      +48 32 2307686 (FAX) +48 32 2372175    

Domain System inverse mapping provided by: 

This page last preened by Webmaster on:
Last modified: Mon Feb 18 17:02:59 2002