Bugtraq: Re: unused bit attack alert

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Bugtraq mailing list archives

Re: unused bit attack alert

From: Patrick.Mullen () GD-CS COM (Mullen, Patrick)
Date: Tue, 22 Feb 2000 17:15:43 -0500

Fromthe Snort Portscan module

(http://www.clark.net/~roesch/security.html)

spp_portscan.c:

   /* Strip off the reserved bits for the testing, but flag
      that a scan is being done.
   */
   th_flags_cleaned = th_flags & ~(R_RES1 | R_RES2);

   if(th_flags != th_flags_cleaned)
   {
      scan = sRESERVEDBITS;
   }

This means that anything with reserved bits set are
shown as a portscan.  Obviously, later down flags
are checked as normal using th_flags_cleaned and
flagged appropriately.

This code was inspired by connlogd, written by
Alec Kosky, which probably is also immune to this method.

~Patrick

By Date By Thread

Current thread:

Re: unused bit attack alert, (continued)
- Re: unused bit attack alert antirez (Feb 23)
- Multiple vulnerabilities with Outblaze-based e-mail providers .sozni (Feb 23)
  - SANE 2000 program details and registration - May 22-25, 2000 Fred Donck (Feb 25)
  - DoSing the Netgear ISDN RT34x router. Swift Griggs (Feb 25)
    - Re: DoSing the Netgear ISDN RT34x router. Mike Wade (Feb 25)
- Re: unused bit attack alert Mullen, Patrick (Feb 22)
- Re: unused bit attack alert Max Vision (Feb 23)
  - Re: unused bit attack alert Max Vision (Feb 24)