Well, about iplogging the fact is not that some iplogger can miss this specific sub-Xmas scans. The ''bug'' (if we can call it as a bug) it's at the base idea of many iploggers used nowadays is based on a concept: By default all packets passes Strange packets are logged. That's not the best, absolutely... In this situation every new scan require a source code modification and/or a reconfiguration of the tool. Some iploggers, instead, use a improved idea: By default all packets are logged Normal packets can pass And this can permit us not to rewrite pieces of code (and before tool update, miss this scan). Nail ---------------------------------------- Because sprintf and vsprintf assume an infinitely long string, callers must be careful not to overflow the actual space; this is often impossible to assure. --- Linux man On Mon, 17 Jan 2000, vecna wrote: > in November`99 more or less... i've discovered 5 type of new stealth scan, > with the modification of flags used normally on XMAS stealth scan. > > the five type of packets that can be used for stealth scanning, and isn't > logged from the normal tcplogd/scanlogger have this flag: > URG > PUSH > URG+FIN > PUSH+FIN > URG+PUSH > > this flag on packet, such FIN, XMAS (fin+urg+psh), and NULL scan (no one > flag set) cause the reply RST+ACK if port is closed, and no reply if > port is open. this is efective only against *nix system > > i don't think that is an important tecnical notice... but most tcp logger > must be upgraded/reconfigurated. > > i've coded patch for nmap-2.12, check http://vecna.unix.kg > > Bye. > vecna >
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:29:42 PDT