Bugtraq mailing list archives
Re: unused bit attack alert
From: Patrick.Mullen () GD-CS COM (Mullen, Patrick)
Date: Tue, 22 Feb 2000 17:15:43 -0500
Fromthe Snort Portscan module
(http://www.clark.net/~roesch/security.html) spp_portscan.c: /* Strip off the reserved bits for the testing, but flag that a scan is being done. */ th_flags_cleaned = th_flags & ~(R_RES1 | R_RES2); if(th_flags != th_flags_cleaned) { scan = sRESERVEDBITS; } This means that anything with reserved bits set are shown as a portscan. Obviously, later down flags are checked as normal using th_flags_cleaned and flagged appropriately. This code was inspired by connlogd, written by Alec Kosky, which probably is also immune to this method. ~Patrick
Current thread:
- Re: unused bit attack alert Vern Paxson (Feb 21)
- Microsoft Security Bulletin (MS00-012) Microsoft Product Security (Feb 22)
- redhat 6.0: single user boot security hole Darren Reed (Feb 22)
- Re: unused bit attack alert antirez (Feb 23)
- Multiple vulnerabilities with Outblaze-based e-mail providers .sozni (Feb 23)
- SANE 2000 program details and registration - May 22-25, 2000 Fred Donck (Feb 25)
- DoSing the Netgear ISDN RT34x router. Swift Griggs (Feb 25)
- Re: DoSing the Netgear ISDN RT34x router. Mike Wade (Feb 25)
- <Possible follow-ups>
- Re: unused bit attack alert Mullen, Patrick (Feb 22)
- Re: unused bit attack alert Max Vision (Feb 23)
- Re: unused bit attack alert Max Vision (Feb 24)