Just as an add-on. As I was writing my first reply to you I plugged in 205.188.180.57, just to make sure it was the AOL site again. Right after, about 30 seconds or so, SonicWall sent me another FIN warning concerning 205.188.180.57. So these sites are apparently doing *some* kind of scan. Something I left off of the other posts is that the scans originate from port 80 of both of these machines.
This is what SonicWall has to say about FIN scans:

It is possible that someone is scanning your IP address(es) with FIN packets looking for holes. The SonicWall is blocking these scans from getting to your servers. It is highly recommended that you contact your ISP to see if they can help you determine if this is indeed happening and hopefully put a stop to it. Also, there is a known issue that can cause the SonicWall to erroneously log FIN scans. Basically if multiple FIN packets are sent over a connection between a client and server the SonicWall might log a FIN scan. We're currently working on making the SonicWall less sensitive to this so as not to log false positives.

OK, fine, I could see some situation where multiple FIN packets might be sent during the course of an extended stay on a web site. However, I was only on the AOL site for two seconds. Now why, out of the hundreds of web sites my users visit weekly, would just these two continuously trigger FIN scan alarms? I don't really believe it's anything malicious. But it is interesting.

Jim Grossl
Boise, Idaho USA

-----Original Message-----
From: Chris Hunt [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 19, 2002 6:13 AM
To: [EMAIL PROTECTED]
Subject: Re: [SonicWALL]- FIN scan false positives

Soooooooo what is the URL? Would be interesting to see what happens for others and if it only applies to the XPRS2 or other models.

Chris

At 04:21 PM 03/18/2002 -0700, you wrote:
> I get FIN scan alerts all the time from a particular
>web site that one of my users frequents. I had my user
>inform the site of this and their reply consisted of,
>1: Criticizing our ability to think because we use a
>SonicWall as a firewall.
>2: Telling us the SonicWall could not tell the difference

---
[This E-mail scanned for viruses by Declude/F-Prot Virus]

===================================================================================================
To unsubscribe, send email to [EMAIL PROTECTED]
In the body of the email put the following: unsubscribe sonicwall your_name
The archive of this list is at http://www.mail-archive.com/sonicwall%40peake.com/
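
Added example, not part of the original thread and not SonicWall's actual logic: one assumed mechanism for the false positive the vendor text describes is a firewall that forgets a connection the moment it closes, so a retransmitted FIN from the web server's port 80 no longer matches any state. The function name `classify_fins`, the `LINGER` value and every address and packet below are constructed for the illustration.

```python
# Added illustration, not SonicWall's logic. All packets are constructed.
LINGER = 30.0  # assumed: seconds a closed flow is remembered

def classify_fins(packets, internal_prefix="10.", linger=LINGER):
    """Label each inbound FIN 'normal', 'late-fin' or 'unsolicited'.
    packets: (time, src, sport, dst, dport, flags); flags is a set."""
    flows = {}  # (client, cport, server, sport) -> {"fins", "closed_at"}
    results = []
    for t, src, sport, dst, dport, flags in packets:
        outbound = src.startswith(internal_prefix)
        key = (src, sport, dst, dport) if outbound else (dst, dport, src, sport)
        if outbound and flags == {"SYN"}:  # internal client opens a flow
            flows[key] = {"fins": set(), "closed_at": None}
            continue
        flow = flows.get(key)
        if "FIN" in flags and not outbound:
            if flow is None:
                label = "unsolicited"  # no state at all: scan candidate
            elif flow["closed_at"] is None:
                label = "normal"  # part of an orderly close
            elif t - flow["closed_at"] <= linger:
                label = "late-fin"  # duplicate FIN after the close
            else:
                label = "unsolicited"  # state has aged out
            results.append((t, src, sport, label))
        if flow is not None and flow["closed_at"] is None:
            if "RST" in flags:
                flow["closed_at"] = t
            elif "FIN" in flags:
                flow["fins"].add("out" if outbound else "in")
                if flow["fins"] == {"in", "out"}:  # both sides have sent FIN
                    flow["closed_at"] = t
    return results

# Constructed capture: one short web visit, a duplicate FIN, one stray FIN.
C, S = ("10.0.0.5", 40000), ("192.0.2.80", 80)
SAMPLE = [
    (0.0, *C, *S, {"SYN"}),
    (0.1, *S, *C, {"SYN", "ACK"}),
    (2.0, *C, *S, {"FIN", "ACK"}),
    (2.1, *S, *C, {"FIN", "ACK"}),  # server's FIN, closes the flow
    (3.5, *S, *C, {"FIN", "ACK"}),  # same FIN retransmitted
    (9.0, "198.51.100.7", 80, "10.0.0.9", 22, {"FIN"}),  # no prior flow
]

if __name__ == "__main__":
    for row in classify_fins(SAMPLE):
        print(row)
```

Calling `classify_fins(SAMPLE, linger=0)` relabels the retransmitted FIN at 3.5 s as `unsolicited`, which is the false alarm; with the linger window it stays distinguishable from the stray FIN that never had a flow.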
