Re: usual iploggers miss some variable stealth scans

[alec () DAKOTACOM NET (Alec Kosky)]

On 17-Jan-00 vecna wrote:
> in November`99 more or less... i've discovered 5 type of new stealth scan,
> with the modification of flags used normally on XMAS stealth scan.
>
> the five type of packets that can be used for stealth scanning, and isn't
> logged from the normal tcplogd/scanlogger have this flag:
> URG
> PUSH
> URG+FIN
> PUSH+FIN
> URG+PUSH
>
> this flag on packet, such FIN, XMAS (fin+urg+psh), and NULL scan (no one
> flag set) cause the reply RST+ACK if port is closed, and no reply if
> port is open. this is efective only against *nix system
>
> i don't think that is an important tecnical notice... but most tcp logger
> must be upgraded/reconfigurated.

   I have written a TCP and UDP connection logger for that should run on just
about any platform. I sent a message to the list a few months back about it,
but it never made it through moderation. Regardless, it uses the pcap library
for packet capturing, and I have tested it on Solaris 7 and OpenBSD 2.5 & 2.6,
and as long as it's compiled with DEBUG defined, it will log all incoming
connections, independent of what flags are used in the packets. And I just
added specific logging for just about any type of connection (including the
ones listed above).
   I've designed it to be small and configurable, but at this point there's
some things that are still configured at compile-time (e.g. how/where to
log). I'll be getting to these things at a later date. And since I don't have
an anonymous FTP site handy (and I don't think that including it as an
attachment would be the best idea), you're going to have to email me for a
copy. If anyone has an anoymous FTP site and would like to put a copy on
there, I'd be more than happy to do that.

--Alec Kosky--