Snort mailing list archives
Re: Vecna Scan ????
From: Glenn Forbes Fleming Larratt <glratt () rice edu>
Date: Fri, 8 Feb 2002 16:06:01 -0600 (CST)
"Vecna" is so named because the contributor who coded it into nmap, if I remember correctly, goes by that name or userid. The combination of all TCP flags set is known as "Christmas Tree" ("all lit up"), abbreviated in the Snort source code as FULLXMAS: URG ACK PSH RST SYN FIN A subset is just known as annotated XMAS: URG * PSH * * FIN Both of these combinations are illegal TCP, but may confuse or avoid IDS systems. What Vecna found was that several other illegal combinations had the same effect: URG * * * * * * * PSH * * * URG * * * * FIN * * PSH * * FIN URG * PSH * * * Vecna's post is archived at http://www.securityfocus.com/archive/1/42136 -g On Fri, 8 Feb 2002 SkatFiend () aol com wrote:
Date: Fri, 08 Feb 2002 16:46:26 EST From: SkatFiend () aol com To: snort-users () lists sourceforge net Subject: [Snort-users] Vecna Scan ???? Hi everyone, Ive done some web searching without good results, can anyone tell me what a "Vecna Scan" is, or direct me to a web resource? Thanks, Cliff Arms _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Glenn Forbes Fleming Larratt Rice University Network Management glratt () rice edu _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Vecna Scan ???? SkatFiend (Feb 08)
- Re: Vecna Scan ???? Glenn Forbes Fleming Larratt (Feb 08)