Re: Vecna Scan ????

[Glenn Forbes Fleming Larratt <glratt () rice edu>]

"Vecna" is so named because the contributor who coded it into nmap,
if I remember correctly, goes by that name or userid.

The combination of all TCP flags set is known as "Christmas Tree"
("all lit up"), abbreviated in the Snort source code as FULLXMAS:

        URG ACK PSH RST SYN FIN

A subset is just known as annotated XMAS:

        URG  *  PSH  *   *  FIN

Both of these combinations are illegal TCP, but may confuse or
avoid IDS systems. What Vecna found was that several other illegal
combinations had the same effect:

        URG  *   *   *   *   *
         *   *  PSH  *   *   *
        URG  *   *   *   *  FIN
         *   *  PSH  *   *  FIN
        URG  *  PSH  *   *   *

Vecna's post is archived at

        http://www.securityfocus.com/archive/1/42136

-g


On Fri, 8 Feb 2002 SkatFiend () aol com wrote:

> Date: Fri, 08 Feb 2002 16:46:26 EST
> From: SkatFiend () aol com
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] Vecna Scan ????
>
> Hi everyone,
>
> Ive done some web searching without good results, can anyone tell me what a "Vecna Scan" is, or direct me to a web 
> resource?
>
> Thanks, Cliff Arms
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

                                Glenn Forbes Fleming Larratt
                                Rice University Network Management
                                glratt () rice edu


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users