I have been told that this alert ths SonicWall iws reporting is may be nor
important
True ?
Thanks
BS
> Probable TCP FIN scan
>
> I have been told that this alert ths SonicWall is reporting is may be
> nor important
Probably someone using a portscanner ran a TCP FIN scan. Whether he
found something interesting, I can't tell, unless you ask me to scan
your systems. You can run the test yourself from an outside host to
check what he found.
Extract from the man page of nmap, a portscanner (technical
description of several types of scans):
-------------------------8<----------------
SCAN TYPES

-sT  TCP connect() scan: This is the most basic form of
     TCP scanning. The connect() system call provided by
     your operating system is used to open a connection
     to every interesting port on the machine. If the
     port is listening, connect() will succeed, otherwise
     the port isn't reachable. One strong advantage
     to this technique is that you don't need any special
     privileges. Any user on most UNIX boxes is
     free to use this call.

     This sort of scan is easily detectable as target
     host logs will show a bunch of connection and error
     messages for the services which accept() the connection
     just to have it immediately shutdown.

-sS  TCP SYN scan: This technique is often referred to
     as "half-open" scanning, because you don't open a
     full TCP connection. You send a SYN packet, as if
     you are going to open a real connection and you
     wait for a response. A SYN|ACK indicates the port
     is listening. A RST is indicative of a non-listener.
     If a SYN|ACK is received, a RST is immediately
     sent to tear down the connection (actually
     our OS kernel does this for us). The primary advantage
     to this scanning technique is that fewer sites
     will log it. Unfortunately you need root privileges
     to build these custom SYN packets.

-sF -sX -sN
     Stealth FIN, Xmas Tree, or Null scan modes: There
     are times when even SYN scanning isn't clandestine
     enough. Some firewalls and packet filters watch for
     SYNs to restricted ports, and programs like Synlogger
     and Courtney are available to detect these
     scans. These advanced scans, on the other hand, may
     be able to pass through unmolested.

     The idea is that closed ports are required to reply
     to your probe packet with an RST, while open ports
     must ignore the packets in question (see RFC 793 pp
     64). The FIN scan uses a bare (surprise) FIN
     packet as the probe, while the Xmas tree scan turns
     on the FIN, URG, and PUSH flags. The Null scan
     turns off all flags. Unfortunately Microsoft (like
     usual) decided to completely ignore the standard
     and do things their own way. Thus this scan type
     will not work against systems running Windows95/NT.
     On the positive side, this is a good way to distinguish
     between the two platforms. If the scan finds
     open ports, you know the machine is not a Windows
     box. If a -sF,-sX,or -sN scan shows all ports
     closed, yet a SYN (-sS) scan shows ports being
     opened, you are probably looking at a Windows box.
     This is less useful now that nmap has proper OS
     detection built in. There are also a few other
     systems that are broken in the same way Windows is.
     They include Cisco, BSDI, HP/UX, MVS, and IRIX.
     All of the above send resets from the open ports
     when they should just drop the packet.
-------------------------8<----------------
Wolfgang
--
A foreign body and a foreign mind,
never welcome in the land of the blind.
Peter Gabriel, Not one of us, 1980
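
Added example, not part of the original thread and not SonicWall's own detection logic: a stateless check that reads the flag byte of raw TCP headers, matches the FIN, Xmas and Null patterns described in the man page extract above, and reports a source only when it sends such probes to several distinct ports. The function names, the min_ports threshold and the sample addresses (documentation ranges) are assumptions made for the illustration.

```python
import struct
from collections import defaultdict

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def probe_type(flags):
    """Name the stealth-scan pattern these TCP flags match, or None."""
    flags &= 0x3F
    if flags == 0:
        return "null"                 # -sN: no flags set at all
    if flags == FIN:
        return "fin"                  # -sF: bare FIN (a normal close is FIN|ACK)
    if flags == FIN | PSH | URG:
        return "xmas"                 # -sX: FIN, URG and PUSH together
    return None

def parse_tcp(header):
    """Return (src_port, dst_port, flags) from a raw TCP header."""
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", header[:14])
    return sport, dport, off_flags & 0x3F

def detect_scans(packets, min_ports=5):
    """packets: iterable of (src_ip, raw_tcp_header).
    Returns {(src_ip, kind): sorted ports} for sources that probed at
    least min_ports distinct ports with one stealth pattern."""
    seen = defaultdict(set)
    for src, hdr in packets:
        _sport, dport, flags = parse_tcp(hdr)
        kind = probe_type(flags)
        if kind:
            seen[(src, kind)].add(dport)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_ports}

def tcp_header(sport, dport, flags):
    """Build a minimal 20-byte TCP header (constructed test input only)."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 1024, 0, 0)

# Constructed sample traffic, not captured from any real network.
SAMPLE = [("198.51.100.7", tcp_header(40000, p, FIN)) for p in (21, 22, 23, 25, 80, 110)]
SAMPLE += [
    ("192.0.2.10", tcp_header(51000, 80, FIN | ACK)),          # ordinary close
    ("192.0.2.10", tcp_header(51001, 443, SYN)),               # ordinary open
    ("203.0.113.5", tcp_header(40001, 22, FIN | PSH | URG)),   # below threshold
    ("203.0.113.5", tcp_header(40001, 23, FIN | PSH | URG)),
]

if __name__ == "__main__":
    for (src, kind), ports in detect_scans(SAMPLE).items():
        print(f"probable TCP {kind.upper()} scan from {src}: ports {ports}")
```

Because it keeps no connection state, the check relies on the fact that a legitimate close carries FIN together with ACK, so only flag combinations that never occur in a normal session are counted.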
BS
"Wolfgang Kueter" <wolf...@shconnect.de> wrote in message
news:a4f02k$71c$1...@news.shlink.de...
>Do you speak English?
>
Apparently, he's French so his English may not be perfect. What's your
excuse?
Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'lars' in e-mail address)
Actually it just looks like a few typos in his post. Most of the keys for
letters that don't belong where they appear are right by the letters that do
belong. No biggie.
As for your question to her, IMHO her excuse is called paranoid
schizophrenia.
I'm so serious.
-Ilena Ayala
(from the alt.pets.ferrets ng.)