Re: usual iploggers miss some variable stealth scans
daemon@ATHENA.MIT.EDU (Andrea Gho)
Fri Jan 21 19:52:33 2000
Message-Id: <Pine.LNX.4.05.10001202020530.3031-100000@nail.nail.it>
Date: Thu, 20 Jan 2000 20:24:58 +0100
Reply-To: nailtbt@TIN.IT
From: Andrea Gho <nailtbt@TIN.IT>
X-To: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.10.10001172001170.498-100000@0zZurT.whitehouse.gov>
Well, about iplogging, the fact is not that some iplogger can miss
these specific sub-Xmas scans. The ''bug'' (if we can call it a bug)
is that the base idea of many iploggers used nowadays is based on a
concept:
  By default all packets pass
  Strange packets are logged.
That's not the best, absolutely...
In this situation every new scan requires a source code modification and/or
a reconfiguration of the tool.
Some iploggers, instead, use an improved idea:
  By default all packets are logged
  Normal packets can pass
And this can permit us not to rewrite pieces of code (and, before the tool
update, miss this scan).
Nail
----------------------------------------
Because sprintf and vsprintf assume an infinitely long string,
callers must be careful not to overflow the actual space;
this is often impossible to assure.
--- Linux man
On Mon, 17 Jan 2000, vecna wrote:
> in November '99 more or less... i've discovered 5 types of new stealth scan,
> with the modification of flags used normally on XMAS stealth scan.
>
> the five types of packets that can be used for stealth scanning, and aren't
> logged by the normal tcplogd/scanlogger, have these flags:
> URG
> PUSH
> URG+FIN
> PUSH+FIN
> URG+PUSH
>
> these flags on a packet, like FIN, XMAS (fin+urg+psh), and NULL scan (no
> flag set), cause the reply RST+ACK if port is closed, and no reply if
> port is open. this is effective only against *nix systems
>
> i don't think that is an important technical notice... but most tcp loggers
> must be upgraded/reconfigured.
>
> i've coded patch for nmap-2.12, check http://vecna.unix.kg
>
> Bye.
> vecna
>
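The two iplogger designs contrasted in Andrea's reply, checked against the flag combinations vecna lists. This is an added example, not code from either poster nor from tcplogd/scanlogger; the flag bit values are the standard TCP header bits, and the set of "normal" combinations is an assumption chosen for illustration.

```python
# Added example (not from the original post): compare the two iplogger designs
# described in the message above against the flag combinations in the quoted
# report. Flag bit values follow the TCP header; sample packets are constructed.

# Bits as laid out in the TCP header flags field
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Design 1: "by default all packets pass, strange packets are logged".
# The logger only knows the scans it was written for: FIN, NULL and XMAS.
KNOWN_STRANGE = {
    FIN,                  # FIN scan
    0,                    # NULL scan (no flag set)
    FIN | URG | PSH,      # XMAS scan
}

# Design 2: "by default all packets are logged, normal packets can pass".
# Only flag combinations seen in a legitimate TCP exchange are exempt
# (assumed set; a real tool would tune this to its environment).
NORMAL = {
    SYN,                  # connection request
    SYN | ACK,            # accepted request
    ACK,                  # pure acknowledgement
    ACK | PSH,            # data with push
    FIN | ACK,            # graceful close
    FIN | ACK | PSH,      # close carrying last data
    RST, RST | ACK,       # aborts / replies to closed ports
}

def denylist_logs(flags: int) -> bool:
    """Design 1: log only when the flags match a known scan pattern."""
    return flags in KNOWN_STRANGE

def allowlist_logs(flags: int) -> bool:
    """Design 2: log anything that is not a normal TCP flag combination."""
    return flags not in NORMAL

def flag_names(flags: int) -> str:
    names = [("FIN", FIN), ("SYN", SYN), ("RST", RST), ("PSH", PSH), ("ACK", ACK), ("URG", URG)]
    return "+".join(n for n, b in names if flags & b) or "NULL"

# Constructed sample: the five variants from the quoted report, the classic
# FIN/NULL/XMAS scans, and two packets from an ordinary connection.
SAMPLE = [URG, PSH, URG | FIN, PSH | FIN, URG | PSH,
          FIN, 0, FIN | URG | PSH, SYN, ACK | PSH]

def compare(packets=SAMPLE):
    """Return {flag-name: (denylist_logged, allowlist_logged)} per packet."""
    return {flag_names(f): (denylist_logs(f), allowlist_logs(f)) for f in packets}

if __name__ == "__main__":
    for name, (deny, allow) in compare().items():
        print(f"{name:12s} deny-list logs: {str(deny):5}  allow-list logs: {allow}")
```

Running it shows the five new combinations pass the deny-list logger untouched but are all caught by the allow-list logger, while the SYN and PSH+ACK packets pass both.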