Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: usual iploggers miss some variable stealth scans

From: nailtbt () TIN IT (Andrea Gho)
Date: Thu, 20 Jan 2000 20:24:58 +0100

Well, about iplogging the fact is not that some iplogger can miss
this specific sub-Xmas scans. The ''bug'' (if we can call it as a bug)
it's at the base idea of many iploggers used nowadays is based on a
concept:

By default all packets passes
Strange packets are logged.

That's not the best, absolutely...
In this situation every new scan require a source code modification and/or
a reconfiguration of the tool.
Some iploggers, instead, use a improved idea:

By default all packets are logged
Normal packets can pass

And this can permit us not to rewrite pieces of code (and before tool
update, miss this scan).

                        Nail

----------------------------------------

Because sprintf and vsprintf assume an infinitely  long  string,
callers  must  be careful not to overflow the actual space;
this is often impossible to assure.
                                        --- Linux man

On Mon, 17 Jan 2000, vecna wrote:


in November`99 more or less... i've discovered 5 type of new stealth scan,
with the modification of flags used normally on XMAS stealth scan.

the five type of packets that can be used for stealth scanning, and isn't
logged from the normal tcplogd/scanlogger have this flag:
URG
PUSH
URG+FIN
PUSH+FIN
URG+PUSH

this flag on packet, such FIN, XMAS (fin+urg+psh), and NULL scan (no one
flag set) cause the reply RST+ACK if port is closed, and no reply if
port is open. this is efective only against *nix system

i don't think that is an important tecnical notice... but most tcp logger
must be upgraded/reconfigurated.

i've coded patch for nmap-2.12, check http://vecna.unix.kg

Bye.
vecna
Previous By Date Next
Previous By Thread Next

Current thread: