iplogger Ymas problem

From: Salvatore Sanfilippo -antirez- (antirezat_private)
Date: Sun Jul 18 1999 - 21:13:15 PDT


    Re,
    
    	tcplog is part of iplogger-1.2.
    
    	from tcplog.c
    
    #ifdef DETECT_BOGUS
                    /* Nmap and Queso use a bogus tcp flag to "fingerprint" OS'es.. */
                    if ((hdr.tcp.th_flags & TH_BOG) && last_bogus != hdr.ip.ip_src.s_addr) {
                            last_bogus = hdr.ip.ip_src.s_addr;
                            syslog(LEVEL, "bogus tcp flags set by %s (%s)",
                                   hostlookup(hdr.ip.ip_src.s_addr, (syncount != SYN_FLOOD)),
                                   inet_ntoa(hdr.ip.ip_src));
                    }
    #endif
    
    	but this isn't enough. The Ymas (0x80) bogus flag
    	must be logged.
    
    	try hping -Y to test if your port scanning
    	detector has the same problem.
    
    	problem noticed with ntf <emanueleat_private>.
    
    	Here is the patch (but I think it's better to rewrite)
    
    --- tcplog.c    Mon Jul 19 05:32:58 1999
    +++ tcplog-new.c        Mon Jul 19 05:46:48 1999
    @@ -59,6 +59,7 @@
    
     #ifdef DETECT_BOGUS
     #      define TH_BOGUS         0x40
    +#      define TH_OTHER_BOG     0x80
     #      define TH_BOG           TH_BOGUS
     #endif
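Review bot: TH_OTHER_BOG is defined here but TH_BOG is still defined as TH_BOGUS alone, so the new bit is only honoured where a caller spells out both names; widening the mask at its source, `#define TH_BOG (TH_BOGUS | TH_OTHER_BOG)`, would make every existing `th_flags & TH_BOG` test catch the 0x80 bit without touching the detection code. A one-line comment saying which tool sets 0x80 (hping -Y) next to the one already noting Nmap/Queso would also help the next reader.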
    
    @@ -133,7 +134,7 @@
    
     #ifdef DETECT_BOGUS
                    /* Nmap and Queso use a bogus tcp flag to "fingerprint" OS'es.. */
    -               if ((hdr.tcp.th_flags & TH_BOG) && last_bogus != hdr.ip.ip_src.s_addr) {
    +               if ((((hdr.tcp.th_flags & TH_BOG) || (hdr.tcp.th_flags & TH_OTHER_BOG))) && last_bogus != hdr.ip.ip_src.s_addr) {
                            last_bogus = hdr.ip.ip_src.s_addr;
                            syslog(LEVEL, "bogus tcp flags set by %s (%s)",                                                                                 hostlookup(hdr.ip.ip_src.s_addr, (syncount != SYN_FLOOD)),                                              inet_ntoa(hdr.ip.ip_src));
                    }
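Review bot: the new condition has a redundant outer pair of parentheses and tests the two bits separately; `(hdr.tcp.th_flags & (TH_BOG | TH_OTHER_BOG))` is equivalent and easier to read. Two behavioural points remain unchanged and are worth noting in the commit text: the syslog line still says only "bogus tcp flags set by", so an operator cannot tell an Xmas (0x40) probe from a Ymas (0x80) probe without a packet capture, and the `last_bogus` de-duplication means a host that sends both kinds of probe back to back produces a single log line. Logging the raw `th_flags` value (e.g. `"bogus tcp flags 0x%02x set by %s (%s)"`) would address the first.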
    
    
    ciao,
    antirez
    
    --
    Salvatore Sanfilippo - antirez -                  antirezat_private
    try hping: http://www.kyuzz.org/antirez           antirezat_private
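As an added example, not code from iplogger or from antirez, the program below reproduces the DETECT_BOGUS logic from the quoted tcplog.c against constructed packets, once with the original 0x40-only mask and once with the patched 0x40|0x80 mask, so the difference the post describes is visible without running hping. The packet builder, the parsing helper and the sample scenario are all assumptions made for the example; the 40-byte IPv4+TCP headers are constructed test input with zero checksums. One caveat for anyone reusing the check today: the two bits this post calls bogus were later assigned as ECE (0x40) and CWR (0x80) by RFC 3168, so on an ECN-capable network they appear in legitimate SYN and SYN-ACK segments and a detector has to consider the rest of the flags byte before calling them a probe.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bits of the 8-bit TCP flags byte (byte 13 of the TCP header). */
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10
#define TH_URG  0x20
#define TH_XMAS 0x40   /* tcplog's TH_BOGUS; what hping -X sets */
#define TH_YMAS 0x80   /* what hping -Y sets; missed by iplogger-1.2 */

/* The check as shipped in iplogger-1.2: only the 0x40 bit. */
int bogus_flags_original(uint8_t flags) {
    return (flags & TH_XMAS) != 0;
}

/* The check after the patch: either reserved bit. */
int bogus_flags_patched(uint8_t flags) {
    return (flags & (TH_XMAS | TH_YMAS)) != 0;
}

/* Assumed helper: build a constructed 40-byte IPv4+TCP header with no
 * options and no payload. Checksums stay zero; this is test input only. */
size_t make_packet(uint8_t *buf, uint32_t src_ip, uint8_t flags) {
    memset(buf, 0, 40);
    buf[0]  = 0x45;                        /* IPv4, IHL = 5 words */
    buf[3]  = 40;                          /* total length */
    buf[8]  = 64;                          /* TTL */
    buf[9]  = 6;                           /* protocol = TCP */
    buf[12] = (uint8_t)(src_ip >> 24);     /* source address, big-endian */
    buf[13] = (uint8_t)(src_ip >> 16);
    buf[14] = (uint8_t)(src_ip >> 8);
    buf[15] = (uint8_t)(src_ip);
    buf[20 + 12] = 0x50;                   /* TCP data offset = 5 words */
    buf[20 + 13] = flags;                  /* the flags byte under test */
    return 40;
}

/* Assumed helper: return the TCP flags byte of an IPv4/TCP packet and
 * store its source address; returns -1 if the packet is not IPv4/TCP. */
int tcp_flags_of(const uint8_t *pkt, size_t len, uint32_t *src_ip) {
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 20 || pkt[9] != 6) return -1;
    *src_ip = ((uint32_t)pkt[12] << 24) | ((uint32_t)pkt[13] << 16) |
              ((uint32_t)pkt[14] << 8)  |  (uint32_t)pkt[15];
    return pkt[ihl + 13];
}

/* Feed packets through the detector with tcplog's last_bogus
 * de-duplication; returns how many syslog lines it would emit. */
int count_bogus_logs(uint8_t pkts[][40], size_t n, int (*is_bogus)(uint8_t)) {
    uint32_t last_bogus = 0;
    int logged = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t src;
        int flags = tcp_flags_of(pkts[i], 40, &src);
        if (flags < 0) continue;
        if (is_bogus((uint8_t)flags) && last_bogus != src) {
            last_bogus = src;
            logged++;
        }
    }
    return logged;
}

/* Constructed scenario: 10.0.0.1 sends a normal SYN, a Ymas probe and an
 * Xmas probe; 10.0.0.2 sends only a Ymas probe. */
int demo(int (*is_bogus)(uint8_t)) {
    uint8_t pkts[4][40];
    make_packet(pkts[0], 0x0a000001, TH_SYN);
    make_packet(pkts[1], 0x0a000001, TH_YMAS);
    make_packet(pkts[2], 0x0a000001, TH_XMAS | TH_SYN);
    make_packet(pkts[3], 0x0a000002, TH_YMAS);
    return count_bogus_logs(pkts, 4, is_bogus);
}

int main(void) {
    printf("original mask: %d log line(s)\n", demo(bogus_flags_original));
    printf("patched mask:  %d log line(s)\n", demo(bogus_flags_patched));
    return 0;
}
```

With the original mask only the Xmas probe from 10.0.0.1 is logged and both Ymas probes pass silently; with the patched mask the Ymas probe from 10.0.0.1 and the one from 10.0.0.2 are logged, while the Xmas probe in between is suppressed by the last_bogus de-duplication because the same host was the last one logged.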
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:52:41 PDT