Home page logo

bugtraq logo Bugtraq mailing list archives

Re: unused bit attack alert
From: Patrick.Mullen () GD-CS COM (Mullen, Patrick)
Date: Tue, 22 Feb 2000 17:15:43 -0500

Fromthe Snort Portscan module


   /* Strip off the reserved bits for the testing, but flag
      that a scan is being done.
   th_flags_cleaned = th_flags & ~(R_RES1 | R_RES2);

   if(th_flags != th_flags_cleaned)
      scan = sRESERVEDBITS;

This means that anything with reserved bits set are
shown as a portscan.  Obviously, later down flags
are checked as normal using th_flags_cleaned and
flagged appropriately.

This code was inspired by connlogd, written by
Alec Kosky, which probably is also immune to this method.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]