ra output intrepretation
Carter Bullard
cbullard at nortelnetworks.com
Thu Jun 24 18:20:46 EDT 1999
Hey Russell,
A lone FIN or FIN_ACK should generate an argus
record with the status of CLOSE_WAITING, with
a tcp state of TCPS_CLOSING. The state reported
by ra() would be "FIN", so from the argi data, I believe
that the scanner was just sending TCP data packets.
You shouldn't have to add anything to detect the
condition you describe.
Hope this helps,
Carter
-----Original Message-----
From: Russell Fulton [mailto:r.fulton at auckland.ac.nz]
Sent: Thursday, June 24, 1999 5:05 PM
To: argus at lists.andrew.cmu.edu
Subject: RE: ra output intrepretation
HI Carter,
Thanks for your comprehensive answer to my query.
I think that the first packet to port 80 may have had fin flag set thus
is label EST by ra in detail mode (that is really what I wanted to
know) and I had forgotten that it would go right through the filter
which does only block syn packets. This is, of course, the main purpose
of using fin scans.
I have a slightly modified version of ra that I use for detecting
scans, I will add some logic to it to report connections consisting of
lone fin or fin and rst.
Cheers, Russell.
More information about the argus
mailing list