well, I tried your nmap-patch and must say that my scanlogd detects all of the stealth scans you mentioned in your posting. bye Tobi -----Ursprüngliche Nachricht----- Von: Bugtraq List [mailto:BUGTRAQat_private]Im Auftrag von vecna Gesendet: Montag, 17. Januar 2000 20:26 An: BUGTRAQat_private Betreff: usual iploggers miss some variable stealth scans in November`99 more or less... i've discovered 5 type of new stealth scan, with the modification of flags used normally on XMAS stealth scan. the five type of packets that can be used for stealth scanning, and isn't logged from the normal tcplogd/scanlogger have this flag: URG PUSH URG+FIN PUSH+FIN URG+PUSH this flag on packet, such FIN, XMAS (fin+urg+psh), and NULL scan (no one flag set) cause the reply RST+ACK if port is closed, and no reply if port is open. this is efective only against *nix system i don't think that is an important tecnical notice... but most tcp logger must be upgraded/reconfigurated. i've coded patch for nmap-2.12, check http://vecna.unix.kg Bye. vecna
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:28:51 PDT