Re: Raw sockets vs connect() scanning on windows/linux

[John Lampe <jwlampe () tenablesecurity com>]

Erin Carroll wrote:

> All,
>
> Quick question. I was recently reading a blog post at
> http://dmiessler.com/study/synpackets/ and realized I need to brush up on
> which scanners out there on Windows & linux by default use raw vs connect()
> packets. The issue is that raw socket packets have a differing length 

The only difference is the size of the options field.  You can have
60-byte packets created using raw sockets and 44-byte packets created
using the built-in API.

and
> that many products are coded to look for raw socket packets (44 bytes) and
> treat them differently than connect() packets (60 bytes). 

I'd bet that they weren't looking at byte size so much as other stuff.
A 44 byte packet (20 bytes IP, 20 bytes TCP, 4 bytes option) isn't
uncommon to see.  At Tenable, we created passive checks for the
detection of the nmap scanner.  In all cases, we did not consider the
size of the packet but instead looked at "other stuff".  p0f also has a
means of detecting nmap packets on a network.

-- 
John Lampe
Senior Security Researcher
TENABLE Network Security, Inc.
jwlampe@{nessus.org,tenablesecurity.com}
Tele: (410) 872-0555
www.tenablesecurity.com

Is your network TENABLE?
---------------------------------------

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------