Bugtraq mailing list archives
iplogger Ymas problem
From: antirez () SPEEDCOM IT (Salvatore Sanfilippo -antirez-)
Date: Mon, 19 Jul 1999 06:13:15 +0200
Re,
tcplog is part of iplogger-1.2. From tcplog.c:

#ifdef DETECT_BOGUS
        /* Nmap and Queso use a bogus tcp flag to "fingerprint" OS'es.. */
        if ((hdr.tcp.th_flags & TH_BOG) && last_bogus != hdr.ip.ip_src.s_addr) {
                last_bogus = hdr.ip.ip_src.s_addr;
                syslog(LEVEL, "bogus tcp flags set by %s (%s)",
                       hostlookup(hdr.ip.ip_src.s_addr, (syncount != SYN_FLOOD)),
                       inet_ntoa(hdr.ip.ip_src));
        }
#endif
but this isn't enough. The Ymas (0x80) bogus flag
must be logged.
Try hping -Y to test if your port scanning
detector has the same problem.
Problem noticed with ntf <emanuele () secnet dyndns org>.
Here is the patch (but I think it's better to rewrite):
--- tcplog.c Mon Jul 19 05:32:58 1999
+++ tcplog-new.c Mon Jul 19 05:46:48 1999
@@ -59,6 +59,7 @@
#ifdef DETECT_BOGUS
# define TH_BOGUS 0x40
+# define TH_OTHER_BOG 0x80
# define TH_BOG TH_BOGUS
#endif
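Review bot: TH_OTHER_BOG is introduced here but TH_BOG is still defined as TH_BOGUS alone, so every call site that tests TH_BOG has to be edited separately to pick up the second bit. Defining `# define TH_BOG (TH_BOGUS | TH_OTHER_BOG)` instead would make the existing `hdr.tcp.th_flags & TH_BOG` test cover both reserved bits with no change to the condition below. A one-line comment saying that 0x40 is the bit nmap/queso set and 0x80 the bit hping -Y sets would also help the next reader.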
@@ -133,7 +134,7 @@
#ifdef DETECT_BOGUS
/* Nmap and Queso use a bogus tcp flag to "fingerprint" OS'es.. */
- if ((hdr.tcp.th_flags & TH_BOG) && last_bogus != hdr.ip.ip_src.s_addr) {
+ if ((((hdr.tcp.th_flags & TH_BOG) || (hdr.tcp.th_flags & TH_OTHER_BOG))) && last_bogus !=
hdr.ip.ip_src.s_addr) {
last_bogus = hdr.ip.ip_src.s_addr;
syslog(LEVEL, "bogus tcp flags set by %s (%s)",
hostlookup(hdr.ip.ip_src.s_addr, (syncount != SYN_FLOOD)),
inet_ntoa(hdr.ip.ip_src));
}
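Review bot: the rewritten condition carries three nested pairs of parentheses and tests the two bits one at a time; `(hdr.tcp.th_flags & (TH_BOG | TH_OTHER_BOG))` is equivalent and far easier to read. The syslog line is unchanged and still says only "bogus tcp flags set", so the log cannot tell a 0x40 probe from a 0x80 one; passing the raw flag byte into the message (for example with an extra `%#x` argument) would keep that information. The last_bogus suppression also still only hides a repeat from the same source as the previous hit, so two sources alternating will be logged on every packet; that is pre-existing behaviour, but worth noting if the rewrite the author mentions is done.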
ciao,
antirez
--
Salvatore Sanfilippo - antirez - antirez () alicomitalia it
try hping: http://www.kyuzz.org/antirez antirez () speedcom it
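To make the detection gap concrete, here is an added example (my code, not part of iplogger or of antirez's post) that runs the original 0x40-only check and the fixed two-bit check over a few constructed packets, with the same last_bogus suppression tcplog uses. The packet list, the IP addresses and the helper names (bogus_old, bogus_fixed, run_detector, flags_to_string) are assumptions made for the example; the flag values 0x40 and 0x80 are the ones discussed above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Standard TCP flag bits as they appear in the th_flags byte. */
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10
#define TH_URG  0x20
/* The two high bits were unassigned in 1999: nmap/queso probes set 0x40 and
 * hping -Y sets 0x80 (the "Ymas" flag). RFC 3168 later assigned them to ECN
 * (ECE and CWR), so a detector written today must not treat them as bogus. */
#define TH_BOGUS     0x40
#define TH_OTHER_BOG 0x80
#define TH_BOG_MASK  (TH_BOGUS | TH_OTHER_BOG)

/* Check as shipped in iplogger-1.2: only the 0x40 bit counts as bogus. */
int bogus_old(uint8_t th_flags) { return (th_flags & TH_BOGUS) != 0; }

/* Check after the fix: either reserved bit triggers. */
int bogus_fixed(uint8_t th_flags) { return (th_flags & TH_BOG_MASK) != 0; }

/* Render a flag byte as e.g. "SYN|BOG80" for a log line; returns buf. */
const char *flags_to_string(uint8_t f, char *buf, size_t n) {
    static const struct { uint8_t bit; const char *name; } names[] = {
        { TH_FIN, "FIN" }, { TH_SYN, "SYN" }, { TH_RST, "RST" }, { TH_PUSH, "PUSH" },
        { TH_ACK, "ACK" }, { TH_URG, "URG" }, { TH_BOGUS, "BOG40" }, { TH_OTHER_BOG, "BOG80" },
    };
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (f & names[i].bit) {
            if (buf[0]) strncat(buf, "|", n - strlen(buf) - 1);
            strncat(buf, names[i].name, n - strlen(buf) - 1);
        }
    }
    if (!buf[0]) strncat(buf, "none", n - 1);
    return buf;
}

/* Convenience for checking the rendering without a caller-side buffer. */
int flags_match(uint8_t f, const char *expected) {
    char buf[64];
    return strcmp(flags_to_string(f, buf, sizeof buf), expected) == 0;
}

/* A constructed packet: source address (host byte order) plus th_flags. */
struct pkt { uint32_t src; uint8_t th_flags; };

/* Run one check over a packet list with tcplog's last_bogus suppression
 * (a hit from the same source as the previous hit is logged once).
 * Returns how many packets produced a log line; the lines go to stdout. */
size_t run_detector(const struct pkt *pkts, size_t n, int (*check)(uint8_t), const char *label) {
    uint32_t last_bogus = 0;
    size_t logged = 0;
    char fb[64];
    for (size_t i = 0; i < n; i++) {
        if (check(pkts[i].th_flags) && last_bogus != pkts[i].src) {
            last_bogus = pkts[i].src;
            printf("[%s] bogus tcp flags set by %u.%u.%u.%u (%s)\n", label,
                   (unsigned)(pkts[i].src >> 24), (unsigned)((pkts[i].src >> 16) & 0xff),
                   (unsigned)((pkts[i].src >> 8) & 0xff), (unsigned)(pkts[i].src & 0xff),
                   flags_to_string(pkts[i].th_flags, fb, sizeof fb));
            logged++;
        }
    }
    return logged;
}

/* Constructed sample traffic (invented for this example, not captured data). */
#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
static const struct pkt sample[] = {
    { IP(10, 0, 0, 1), TH_SYN },                   /* ordinary SYN */
    { IP(10, 0, 0, 2), TH_SYN | TH_BOGUS },        /* nmap/queso-style 0x40 */
    { IP(10, 0, 0, 3), TH_SYN | TH_OTHER_BOG },    /* hping -Y style 0x80 */
    { IP(10, 0, 0, 3), TH_SYN | TH_OTHER_BOG },    /* repeat, suppressed by last_bogus */
    { IP(10, 0, 0, 4), TH_BOGUS | TH_OTHER_BOG },  /* both reserved bits */
};
#define SAMPLE_N (sizeof sample / sizeof sample[0])

size_t detect_old(void)   { return run_detector(sample, SAMPLE_N, bogus_old, "old"); }
size_t detect_fixed(void) { return run_detector(sample, SAMPLE_N, bogus_fixed, "fixed"); }

int main(void) {
    size_t old_hits = detect_old();
    size_t fixed_hits = detect_fixed();
    printf("old check logged %zu packet(s), fixed check logged %zu packet(s)\n",
           old_hits, fixed_hits);
    return 0;
}
```

Running it shows the old check logging two sources (the 0x40 probe and the packet with both bits) while the fixed check also logs the 0x80-only source; the repeated 0x80 packet from the same source is suppressed in both cases, which is the behaviour the last_bogus variable in tcplog.c is there to provide.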