Bugtraq mailing list archives
Re: usual iploggers miss some variable stealth scans
From: alec () DAKOTACOM NET (Alec Kosky)
Date: Tue, 18 Jan 2000 11:51:20 -0700
On 17-Jan-00 vecna wrote:
in November`99 more or less... i've discovered 5 type of new stealth scan, with the modification of flags used normally on XMAS stealth scan. the five type of packets that can be used for stealth scanning, and isn't logged from the normal tcplogd/scanlogger have this flag: URG PUSH URG+FIN PUSH+FIN URG+PUSH this flag on packet, such FIN, XMAS (fin+urg+psh), and NULL scan (no one flag set) cause the reply RST+ACK if port is closed, and no reply if port is open. this is efective only against *nix system i don't think that is an important tecnical notice... but most tcp logger must be upgraded/reconfigurated.
I have written a TCP and UDP connection logger for that should run on just about any platform. I sent a message to the list a few months back about it, but it never made it through moderation. Regardless, it uses the pcap library for packet capturing, and I have tested it on Solaris 7 and OpenBSD 2.5 & 2.6, and as long as it's compiled with DEBUG defined, it will log all incoming connections, independent of what flags are used in the packets. And I just added specific logging for just about any type of connection (including the ones listed above). I've designed it to be small and configurable, but at this point there's some things that are still configured at compile-time (e.g. how/where to log). I'll be getting to these things at a later date. And since I don't have an anonymous FTP site handy (and I don't think that including it as an attachment would be the best idea), you're going to have to email me for a copy. If anyone has an anoymous FTP site and would like to put a copy on there, I'd be more than happy to do that. --Alec Kosky--
Current thread:
- Re: IIS still revealing paths for web directories, (continued)
- Re: IIS still revealing paths for web directories Georgi Guninski (Jan 13)
- Re: IIS still revealing paths for web directories Scott Buchanan (Jan 13)
- Re: IIS still revealing paths for web directories Taneli Huuskonen (Jan 15)
- Fwd: Crash identified in Notes, Domino, and MTA with Date Conversio ns Xander Teunissen (Jan 14)
- Re: IIS still revealing paths for web directories Norbert Luckhardt (Jan 15)
- usual iploggers miss some variable stealth scans vecna (Jan 17)
- Re: usual iploggers miss some variable stealth scans Simple Nomad (Jan 17)
- AW: usual iploggers miss some variable stealth scans Tobi (Jan 18)
- AW: usual iploggers miss some variable stealth scans Tobi (Jan 19)
- Warning: VCasel security hole. bob mare (Jan 18)
- Re: usual iploggers miss some variable stealth scans Alec Kosky (Jan 18)
- Re: usual iploggers miss some variable stealth scans Andrea Gho (Jan 20)
- Vulnerabilities in Checkpoint FW-1 version 3.x and maybe 4.x root (Jan 21)
- *BSD procfs vulnerability FEAR Advisories (Jan 21)
- Re: *BSD procfs vulnerability Theo de Raadt (Jan 23)
- stream.c/raped.c tests (just for stats) Vanja Hrustic (Jan 21)
- Microsoft Security Bulletin (MS00-004) Microsoft Product Security (Jan 21)
- Re: Vulnerabilities in Checkpoint FW-1 version 3.x and maybe 4.x Vanja Hrustic (Jan 22)
- Re: Vulnerabilities in Checkpoint FW-1 version 3.x and maybe 4.x Markus Hofmann (Jan 22)
- Administrivia Elias Levy (Jan 18)
- Info on some security holes reported against SCO Unixware. Aaron Sigel (Jan 13)