[13969] in bugtraq


Re: unused bit attack alert

daemon@ATHENA.MIT.EDU (Mullen, Patrick)
Tue Feb 22 21:48:46 2000

Date:         Tue, 22 Feb 2000 17:15:43 -0500
Reply-To: "Mullen, Patrick" <Patrick.Mullen@GD-CS.COM>
From: "Mullen, Patrick" <Patrick.Mullen@GD-CS.COM>
X-To:         LigerTeam <ligerteam@hotmail.com>, BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

From the Snort Portscan module
(http://www.clark.net/~roesch/security.html)

spp_portscan.c:

   /* Strip off the reserved bits for the testing, but flag
      that a scan is being done.
   */
   th_flags_cleaned = th_flags & ~(R_RES1 | R_RES2);

   if(th_flags != th_flags_cleaned)
   {
      scan = sRESERVEDBITS;
   }

This means that anything with reserved bits set is
shown as a portscan.  Obviously, later down, flags
are checked as normal using th_flags_cleaned and
flagged appropriately.

This code was inspired by connlogd, written by
Alec Kosky, which probably is also immune to this method.


~Patrick
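The cleaning step quoted above, carried one step further as an added example (this is not Snort's or connlogd's code): the reserved-bit test runs first, then the usual flag-pattern tests run on the cleaned byte, so a probe that sets the reserved bits is still recognised by its underlying pattern. The values of R_RES1/R_RES2 and the scan_type names are assumptions for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Standard TCP flag bits, as in <netinet/tcp.h>. */
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_PUSH 0x08
#define TH_URG  0x20
/* The two bits that were "reserved" in 2000 (later ECE/CWR). The names
   follow the quoted spp_portscan.c; the values are an assumption. */
#define R_RES1  0x40
#define R_RES2  0x80

enum scan_type {
    sNONE = 0,      /* nothing suspicious in the flag pattern */
    sNULLSCAN,      /* no flags at all once reserved bits are stripped */
    sFINSCAN,       /* FIN alone */
    sXMASSCAN,      /* FIN|PSH|URG */
    sSYNFIN         /* SYN and FIN together */
};

/* First verdict: were the reserved bits touched at all? */
int reserved_bits_set(uint8_t th_flags)
{
    return (th_flags & (R_RES1 | R_RES2)) != 0;
}

/* Second verdict: classify the pattern on the cleaned flags, so a NULL
   or FIN scan with a reserved bit added is still seen for what it is. */
enum scan_type classify_flags(uint8_t th_flags)
{
    uint8_t cleaned = th_flags & (uint8_t)~(R_RES1 | R_RES2);
    if (cleaned == 0)                           return sNULLSCAN;
    if (cleaned == TH_FIN)                      return sFINSCAN;
    if (cleaned == (TH_FIN | TH_PUSH | TH_URG))  return sXMASSCAN;
    if ((cleaned & (TH_SYN | TH_FIN)) == (TH_SYN | TH_FIN)) return sSYNFIN;
    return sNONE;
}

int main(void)
{
    /* Constructed sample flag bytes: a plain SYN, a FIN scan, the same
       FIN scan with a reserved bit set, and only reserved bits set. */
    uint8_t samples[] = { TH_SYN, TH_FIN, TH_FIN | R_RES1, R_RES1 | R_RES2 };
    for (size_t i = 0; i < sizeof samples; i++)
        printf("flags=0x%02x reserved=%d pattern=%d\n", samples[i],
               reserved_bits_set(samples[i]), classify_flags(samples[i]));
    return 0;
}
```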
