Intrusions 02-18-02 13:59pm


A SYN-FIN portscan from Poland, detected by the snort spp_stream4 preprocessor.

What's going on here is an illegal/abnormal flag combination: you can't have (legitimately..) a SYN flag, which asks to establish a TCP connection, in the same packet as a FIN flag, which asks to finish one.

Purpose? Possibly OS detection by the response returned: different TCP stacks answer an illegal flag combination differently, and the probe went to port 21 on both ends..
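To show concretely what the preprocessor is checking for, here is an added example (not part of the original page or of snort) that parses a raw IPv4/TCP packet, pulls out the six flag bits and names the impossible combinations. It goes a little beyond the SYN-FIN case above to the NULL (no flags) and XMAS (FIN+PSH+URG) variants, which are the other classic stealth-scan flag sets; the sample packet is constructed from the values in the log below, and `build_packet`, `parse_tcp` and `check_packet` are names chosen here, not snort's.

```python
import struct

# TCP flag bits, as laid out in the 14th byte of the TCP header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def build_packet(src_ip, dst_ip, sport, dport, flags, ttl=64, ip_id=0):
    """Construct a minimal IPv4+TCP packet (40 bytes, no options, zero checksums) for testing."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0, ttl, 6, 0, src, dst)
    # data offset 5 (20-byte header) in the high nibble, flags in the next byte
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0, 0, 0)
    return ip_hdr + tcp_hdr

def parse_tcp(packet):
    """Return (src, dst, sport, dport, ttl, flags) from a raw IPv4/TCP packet."""
    ihl = (packet[0] & 0x0F) * 4            # IP header length in bytes
    if packet[9] != 6:
        raise ValueError("not a TCP packet")
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    flags = packet[ihl + 13] & 0x3F          # low six bits: URG ACK PSH RST SYN FIN
    return src, dst, sport, dport, packet[8], flags

def classify_flags(flags):
    """Name the illegal flag combination, or return None for a plausible packet."""
    if flags & SYN and flags & FIN:
        return "SYN FIN scan"                # SYN opens, FIN closes: never both
    if flags == 0:
        return "NULL scan"                   # no flags at all is equally impossible
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG) and not flags & (SYN | ACK):
        return "XMAS scan"
    return None

def check_packet(packet):
    """Return a snort-style alert line for an abnormal packet, or None."""
    src, dst, sport, dport, ttl, flags = parse_tcp(packet)
    kind = classify_flags(flags)
    if kind is None:
        return None
    return f"STEALTH ACTIVITY ({kind}) detection {{TCP}} {src}:{sport} -> {dst}:{dport} ttl={ttl}"

# Constructed sample reproducing the logged probe: 21 -> 21, SYN+FIN, TTL 24, IP ID 39426
SAMPLE = build_packet("157.158.191.232", "12.82.142.34", 21, 21, SYN | FIN, ttl=24, ip_id=39426)

if __name__ == "__main__":
    print(check_packet(SAMPLE))
    print(check_packet(build_packet("10.0.0.1", "10.0.0.2", 40000, 21, SYN)))
```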

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=

Feb 18 14:01:02 greatwall snort: [111:13:1] spp_stream4: STEALTH ACTIVITY (SYN FIN scan)
 detection {TCP} 157.158.191.232:21 -> 12.82.142.34:21

Feb 18 14:01:02 greatwall snort: spp_portscan: PORTSCAN DETECTED to port 21 from
 157.158.191.232 (STEALTH)

Feb 18 14:04:53 greatwall snort: spp_portscan: portscan status from 157.158.191.232: 1
 connections across 1 hosts: TCP(1), UDP(0) STEALTH

Feb 18 14:04:58 greatwall snort: spp_portscan:
 End of portscan from 157.158.191.232:
 TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH


Feb 18 14:01:02 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 157.158.191.232:21
 12.82.142.34:21 L=40 S=0x00 I=39426 F=0x0000 T=24 SYN (#64)


Mon Feb 18 14:01:02 2002 157.158.191.232: UNKNOWN [1028:24:0:0:52:0:0:40].
   157.158.191.232:21 -> 12.82.142.34:21



157.158.191.232 = gateway.piast.ds.polsl.gliwice.pl



BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
 1999-2001 William E. Weinman 

Request: 157.158.191.232
connecting to whois.arin.net [63.146.182.182:43] ...

Silesian Technical University (NET-GLIWINET)
   ul. Akademicka 16
   Gliwice, 44-100
   PL    

Netname: GLIWINET
   Netblock: 157.158.0.0 - 157.158.255.255    

Coordinator:
      Strzyzewski, Piotr  (PS316-ARIN)  gucio@ZEUS.POLSL.GLIWICE.PL
      +48 32 2307686 (FAX) +48 32 2372175    

Domain System inverse mapping provided by:
   HADES.POLSL.GLIWICE.PL   157.158.1.4
   ZEUS.POLSL.GLIWICE.PL    157.158.1.3



This page last preened by Webmaster jsage@finchhaven.com on:
Last modified: Mon Feb 18 17:02:59 2002