Bugtraq mailing list archives
Re: usual iploggers miss some variable stealth scans
From: nailtbt () TIN IT (Andrea Gho)
Date: Thu, 20 Jan 2000 20:24:58 +0100
Well, about iplogging, the fact is not that some iploggers can miss
these specific sub-Xmas scans. The ''bug'' (if we can call it a bug)
is in the basic idea that many iploggers used nowadays are based on, a
concept:
    By default all packets pass
    Strange packets are logged.
That's not the best, absolutely...
In this situation every new scan requires a source code modification and/or
a reconfiguration of the tool.
Some iploggers, instead, use an improved idea:
    By default all packets are logged
    Normal packets can pass
And this permits us not to rewrite pieces of code (and, before the tool
update, miss this scan).
Nail
----------------------------------------
Because sprintf and vsprintf assume an infinitely long string,
callers must be careful not to overflow the actual space;
this is often impossible to assure.
--- Linux man
On Mon, 17 Jan 2000, vecna wrote:
In November '99, more or less, I discovered 5 types of new stealth scan,
made by modifying the flags normally used in the XMAS stealth scan.
The five types of packets that can be used for stealth scanning, and aren't
logged by the normal tcplogd/scanlogger, have these flags:
URG
PUSH
URG+FIN
PUSH+FIN
URG+PUSH
These flags on a packet, like FIN, XMAS (fin+urg+psh), and NULL scan (no
flag set), cause a RST+ACK reply if the port is closed, and no reply if the
port is open. This is effective only against *nix systems.
I don't think that this is an important technical notice... but most TCP loggers
must be upgraded/reconfigured.
I've coded a patch for nmap-2.12, check http://vecna.unix.kg
Bye.
vecna
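The two logger designs Andrea contrasts above, applied to the flag combinations vecna lists, as an added example that is not part of either post and is not the code of tcplogd, scanlogger or the nmap patch. The denylist contents (NULL, FIN, XMAS) stand in for what a "log strange packets" tool knew before this thread; the allowlist is my assumption about which flag combinations a legitimate TCP session produces; the sample segments and addresses are constructed.

```python
"""TCP flag classification: denylist vs allowlist logging (added example)."""

# Flag bits from the TCP header, in the order used for display.
FLAG_BITS = {"SYN": 0x02, "ACK": 0x10, "RST": 0x04, "URG": 0x20, "PSH": 0x08, "FIN": 0x01}


def flags_from_names(*names):
    """Combine flag names such as ("URG", "FIN") into a bitmask."""
    bits = 0
    for name in names:
        bits |= FLAG_BITS[name.upper()]
    return bits


def flag_names(bits):
    """Render a bitmask as 'URG+FIN', 'SYN+ACK', ... or 'NULL' when no flag is set."""
    names = [n for n, b in FLAG_BITS.items() if bits & b]
    return "+".join(names) if names else "NULL"


# Design 1 from the thread: "by default all packets pass, strange packets are
# logged".  The logger matches a fixed list of bad combinations; here the three
# classic ones (NULL, FIN, XMAS).  Assumed, not taken from any real tool.
DENYLIST = {
    0,
    flags_from_names("FIN"),
    flags_from_names("FIN", "URG", "PSH"),
}

# Design 2 from the thread: "by default all packets are logged, normal packets
# can pass".  The logger lists what a legitimate segment looks like and logs
# everything else, so a combination nobody predicted is still recorded.
# Assumed allowlist: handshake, data, urgent data, teardown and resets.
ALLOWLIST = {
    flags_from_names("SYN"),
    flags_from_names("SYN", "ACK"),
    flags_from_names("ACK"),
    flags_from_names("ACK", "PSH"),
    flags_from_names("ACK", "FIN"),
    flags_from_names("ACK", "FIN", "PSH"),
    flags_from_names("ACK", "URG"),
    flags_from_names("ACK", "URG", "PSH"),
    flags_from_names("RST"),
    flags_from_names("RST", "ACK"),
}


def denylist_logs(bits):
    """True if a denylist-style logger would record a segment with these flags."""
    return bits in DENYLIST


def allowlist_logs(bits):
    """True if an allowlist-style logger would record a segment with these flags."""
    return bits not in ALLOWLIST


# Constructed sample segments as (source, destination port, flag bitmask).
# The first three are a normal handshake and data exchange; the rest are the
# probe types named in the thread.
SAMPLE_SEGMENTS = [
    ("10.0.0.5", 80, flags_from_names("SYN")),
    ("10.0.0.5", 80, flags_from_names("ACK")),
    ("10.0.0.5", 80, flags_from_names("ACK", "PSH")),
    ("10.0.0.9", 22, flags_from_names("FIN")),                # FIN scan
    ("10.0.0.9", 22, flags_from_names("FIN", "URG", "PSH")),  # XMAS scan
    ("10.0.0.9", 22, 0),                                      # NULL scan
    ("10.0.0.9", 22, flags_from_names("URG")),                # vecna's five variants
    ("10.0.0.9", 22, flags_from_names("PSH")),
    ("10.0.0.9", 22, flags_from_names("URG", "FIN")),
    ("10.0.0.9", 22, flags_from_names("PSH", "FIN")),
    ("10.0.0.9", 22, flags_from_names("URG", "PSH")),
]


def compare_loggers(segments):
    """Map each distinct flag set to (denylist_logged, allowlist_logged)."""
    result = {}
    for _src, _port, bits in segments:
        result[flag_names(bits)] = (denylist_logs(bits), allowlist_logs(bits))
    return result


def missed_by_denylist(segments):
    """Flag sets the allowlist logger records but the denylist logger lets through."""
    return sorted(
        name for name, (deny, allow) in compare_loggers(segments).items()
        if allow and not deny
    )


if __name__ == "__main__":
    for name, (deny, allow) in compare_loggers(SAMPLE_SEGMENTS).items():
        print(f"{name:12} denylist={'LOG' if deny else 'pass':4} "
              f"allowlist={'LOG' if allow else 'pass'}")
    print("missed by denylist:", missed_by_denylist(SAMPLE_SEGMENTS))
```

The allowlist design only pays off if the allowlist is complete: a legitimate combination left out (ACK+URG, for example) turns into a false positive on every host that sends it, so the list has to be built from observed traffic rather than guessed, and the logger should still rate-limit what it writes so a flood of odd segments cannot fill the log.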