Rule: -- Sid: 624 -- Summary: A tcp packet with it's SYN and FIN flags set was detected. -- Impact: Information regarding firewall rulesets, open/closed ports, ACLs, and possibly even OS type is possible. This technique can also be used to bypass certain firewalls or traffic filtering/shaping devices. -- Detailed Information: A tcp packet with it's SYN and FIN flags set was detected. Most stacks will respond with an ACK SYN indicating that the port was open, whereas a closed port will illicit an ACK RST. -- Affected Systems: -- Attack Scenarios: As part of information gathering leading up to another (more directed) attack, an attacker may attempt to figure out what ports are open/closed on a remote machine. -- Ease of Attack: Intermediate. To initiate an attack of this type, an attacker either needs a tool that can send packets with the SYN and FIN flags set or the ability to craft their own packets. The former is easy, the later requires a more advanced skillset. -- False Positives: None Known -- False Negatives: None Known -- Corrective Action: Determine if this particular port would have responded as being open or closed. If open, watch for more attacks on this particular service or from the remote machine that sent the packet. If closed, simply watch for more traffic from this host. -- Contributors: Original rule writer unknown Original document author unkown Sourcefire Vulnerability Research Team Nigel Houghton <nigel.houghton@sourcefire.com> Jon Hart <warchild@spoofed.org> -- Additional References: --
