Bugtraq Archives: Re: usual iploggers miss some variable stealt

Re: usual iploggers miss some variable stealth scans


Subject: Re: usual iploggers miss some variable stealth scans
From: Andrea Gho (nailtbtTIN.IT)
Date: Thu Jan 20 2000 - 13:24:58 CST


Well, about iplogging, the fact is not that some iploggers can miss
these specific sub-Xmas scans. The "bug" (if we can call it a bug)
is that the base idea of many iploggers used nowadays is based on one
concept:

By default all packets pass
Strange packets are logged.

That's not the best, absolutely...
In this situation every new scan requires a source code modification and/or
a reconfiguration of the tool.
Some iploggers, instead, use an improved idea:

By default all packets are logged
Normal packets can pass

And this can permit us not to rewrite pieces of code (and, before the tool
update, miss this scan).

                        Nail

----------------------------------------

Because sprintf and vsprintf assume an infinitely long string,
callers must be careful not to overflow the actual space;
this is often impossible to assure.
                                        --- Linux man

On Mon, 17 Jan 2000, vecna wrote:

> in November '99 more or less... i've discovered 5 types of new stealth scan,
> by modifying the flags normally used in the XMAS stealth scan.
>
> the five types of packets that can be used for stealth scanning, and aren't
> logged by the normal tcplogd/scanlogger, have these flags:
> URG
> PUSH
> URG+FIN
> PUSH+FIN
> URG+PUSH
>
> these flags on a packet, like FIN, XMAS (fin+urg+psh), and NULL scan (no
> flag set), cause the reply RST+ACK if the port is closed, and no reply if
> the port is open. this is effective only against *nix systems
>
> i don't think this is an important technical notice... but most tcp loggers
> must be upgraded/reconfigured.
>
> i've coded patch for nmap-2.12, check http://vecna.unix.kg
>
> Bye.
> vecna
>
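
The two logging models contrasted in this reply, run over the five flag combinations listed in the quoted post, as an added example (not code from either poster or from any iplogger). The signature list `KNOWN_SCANS` and the set of "normal" flag combinations in `is_normal` are simplified assumptions for illustration.

```python
# TCP flag bits (low six bits of the TCP flags byte).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
NAMES = [("FIN", FIN), ("SYN", SYN), ("RST", RST),
         ("PSH", PSH), ("ACK", ACK), ("URG", URG)]

def flag_names(flags):
    """Render a flag byte as e.g. 'FIN+URG', or 'NULL' when no flag is set."""
    return "+".join(n for n, bit in NAMES if flags & bit) or "NULL"

# Model 1: "by default all packets pass, strange packets are logged".
# Assumed signature list: only the scans known before the quoted post.
KNOWN_SCANS = {0: "NULL", FIN: "FIN", FIN | PSH | URG: "XMAS"}

def blocklist_logs(flags):
    """Log only packets whose flags match a known scan signature."""
    return flags in KNOWN_SCANS

# Model 2: "by default all packets are logged, normal packets can pass".
def is_normal(flags):
    """Assumed definition of normal: handshake and reset segments, plus any
    ACK-bearing data or teardown segment that carries neither SYN nor RST."""
    if flags in (SYN, SYN | ACK, RST, RST | ACK):
        return True
    return bool(flags & ACK) and not flags & (SYN | RST)

def allowlist_logs(flags):
    """Log everything that is not explicitly recognised as normal."""
    return not is_normal(flags)

# The five combinations listed in the quoted post.
POSTED = [URG, PSH, URG | FIN, PSH | FIN, URG | PSH]

def missed_by(logs, probes):
    """Return the names of probe flag sets that the given logger does not log."""
    return [flag_names(f) for f in probes if not logs(f)]

if __name__ == "__main__":
    print("signature logger misses:", missed_by(blocklist_logs, POSTED))
    print("default-log logger misses:", missed_by(allowlist_logs, POSTED))
    # Constructed sample of ordinary traffic: none of it should be logged.
    for f in (SYN, SYN | ACK, ACK, ACK | PSH, FIN | ACK, RST):
        print(f"{flag_names(f):8} logged={allowlist_logs(f)}")
```

The signature logger needs a new entry for every new combination, while the default-log model catches all five without modification because none of them carries ACK.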



This archive was generated by hypermail 2b27 : Fri Jan 21 2000 - 16:03:07 CST