From the Snort Portscan module (http://www.clark.net/~roesch/security.html) spp_portscan.c:

    /* Strip off the reserved bits for the testing, but flag that a scan is being done. */
    th_flags_cleaned = th_flags & ~(R_RES1 | R_RES2);
    if(th_flags != th_flags_cleaned)
    {
        scan = sRESERVEDBITS;
    }

This means that anything with reserved bits set is shown as a portscan. Obviously, later down flags are checked as normal using th_flags_cleaned and flagged appropriately.

This code was inspired by connlogd, written by Alec Kosky, which probably is also immune to this method.

~Patrick
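An added example, not part of the original post and not Snort's code: it contrasts a detector that matches the raw flags byte with one that masks the reserved bits first, as the quoted snippet does. The flag values, the `scan_type` labels and the function names are assumptions made for illustration; the sample flag bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed values: bit positions in the TCP header flags byte. */
#define R_FIN  0x01
#define R_SYN  0x02
#define R_PSH  0x08
#define R_ACK  0x10
#define R_URG  0x20
#define R_RES2 0x40  /* reserved when the post was written; ECE since RFC 3168 */
#define R_RES1 0x80  /* reserved when the post was written; CWR since RFC 3168 */

/* Hypothetical labels for this example only. */
enum scan_type { S_NONE, S_SYN, S_FIN, S_NULL, S_XMAS, S_RESERVEDBITS };

/* Exact-match table of flag combinations typical of scan probes. */
static enum scan_type match_flags(uint8_t f)
{
    switch (f) {
    case R_SYN:                 return S_SYN;
    case R_FIN:                 return S_FIN;
    case 0:                     return S_NULL;
    case R_FIN | R_PSH | R_URG: return S_XMAS;
    default:                    return S_NONE;
    }
}

/* Naive detector: compares the raw byte, so any reserved bit defeats the match. */
enum scan_type classify_naive(uint8_t th_flags) { return match_flags(th_flags); }

/* Masked detector: record that reserved bits were present, then classify the
   cleaned flags. Reserved bits with no other match are still reported. */
enum scan_type classify_masked(uint8_t th_flags, int *reserved_seen)
{
    uint8_t th_flags_cleaned = th_flags & (uint8_t)~(R_RES1 | R_RES2);
    enum scan_type t = match_flags(th_flags_cleaned);
    *reserved_seen = (th_flags != th_flags_cleaned);
    return (t == S_NONE && *reserved_seen) ? S_RESERVEDBITS : t;
}

int main(void)
{
    /* Constructed sample flag bytes. */
    uint8_t s[] = { R_SYN, R_SYN | R_RES1, R_RES2, R_ACK | R_RES1 | R_RES2, R_ACK };
    for (size_t i = 0; i < sizeof s; i++) {
        int r;
        enum scan_type m = classify_masked(s[i], &r);
        printf("0x%02x naive=%d masked=%d reserved=%d\n", s[i], classify_naive(s[i]), m, r);
    }
    return 0;
}
```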