Re: unused bit attack alert

From: Mullen, Patrick (Patrick.Mullen@GD-CS.COM)
Date: Tue Feb 22 2000 - 14:15:43 PST


    From the Snort Portscan module
    (http://www.clark.net/~roesch/security.html)
    
    spp_portscan.c:
    
       /* Strip off the reserved bits for the testing, but flag
          that a scan is being done.
       */
       th_flags_cleaned = th_flags & ~(R_RES1 | R_RES2);
    
       if(th_flags != th_flags_cleaned)
       {
          scan = sRESERVEDBITS;
       }
    
    This means that anything with reserved bits set is
    shown as a portscan.  Obviously, later on the flags
    are checked as normal using th_flags_cleaned and
    flagged appropriately.
    
    This code was inspired by connlogd, written by
    Alec Kosky, which probably is also immune to this method.
    
    
    ~Patrick
    
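The check Patrick quotes above, worked through as an added example (this is not Snort's code and not part of the original post). It puts a naive classifier that compares the raw flags byte against exact patterns next to the Snort-style one that strips the reserved bits first and remembers that they were set. The bit values for R_RES1/R_RES2 (the two high bits of the TCP flags byte, 0x80 and 0x40) and the names of the scan classes other than sRESERVEDBITS are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* TCP flag bits as laid out in the flags byte of the TCP header. */
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PSH  0x08
#define TH_ACK  0x10
#define TH_URG  0x20
/* The two high bits were "reserved" in RFC 793. The R_RES1/R_RES2 names
   follow the Snort snippet; the numeric values are an assumption here. */
#define R_RES2  0x40
#define R_RES1  0x80

/* Scan classes. sRESERVEDBITS appears in the quoted Snort code; the other
   names are hypothetical labels chosen for this example. */
enum scan_class {
    sNONE = 0,
    sSYNFIN,        /* SYN and FIN together: never a legitimate segment */
    sNULL,          /* no flags at all */
    sXMAS,          /* FIN, PSH and URG together */
    sFIN,           /* FIN with nothing else */
    sRESERVEDBITS   /* only the reserved bits were unusual */
};

/* Naive classifier: exact comparisons on the raw flags byte. A single
   reserved bit makes every comparison fail, so the segment is reported
   as "normal". This is the weakness the thread is about. */
enum scan_class classify_naive(uint8_t th_flags)
{
    if (th_flags == (TH_SYN | TH_FIN))          return sSYNFIN;
    if (th_flags == 0)                          return sNULL;
    if (th_flags == (TH_FIN | TH_PSH | TH_URG)) return sXMAS;
    if (th_flags == TH_FIN)                     return sFIN;
    return sNONE;
}

/* 1 if either reserved bit is set, else 0 (the "scan = sRESERVEDBITS"
   condition from the Snort snippet). */
int reserved_bits_set(uint8_t th_flags)
{
    uint8_t th_flags_cleaned = th_flags & ~(R_RES1 | R_RES2);
    return th_flags != th_flags_cleaned;
}

/* Snort-style classifier: strip the reserved bits, then test the cleaned
   flags exactly as the naive code does. If the cleaned flags look normal
   but the reserved bits were on, report that on its own. */
enum scan_class classify_cleaned(uint8_t th_flags)
{
    uint8_t th_flags_cleaned = th_flags & ~(R_RES1 | R_RES2);
    enum scan_class c = classify_naive(th_flags_cleaned);
    if (c == sNONE && reserved_bits_set(th_flags))
        return sRESERVEDBITS;
    return c;
}

static const char *class_name(enum scan_class c)
{
    static const char *names[] = {
        "none", "SYN/FIN", "NULL", "XMAS", "FIN", "reserved-bits"
    };
    return names[c];
}

int main(void)
{
    /* Constructed sample flag bytes, not captured traffic. */
    const uint8_t samples[] = {
        TH_SYN,                     /* ordinary connection attempt */
        TH_SYN | TH_ACK,            /* ordinary reply */
        TH_SYN | TH_FIN,            /* SYN/FIN probe, plain */
        TH_SYN | TH_FIN | R_RES1,   /* same probe with a reserved bit lit */
        R_RES2,                     /* NULL probe hidden behind a reserved bit */
        TH_ACK | R_RES1 | R_RES2    /* normal flags, both reserved bits set */
    };
    printf("%-6s %-14s %-14s %s\n", "flags", "naive", "cleaned", "reserved");
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint8_t f = samples[i];
        printf("0x%02x   %-14s %-14s %d\n", f,
               class_name(classify_naive(f)),
               class_name(classify_cleaned(f)),
               reserved_bits_set(f));
    }
    return 0;
}
```

The table the program prints shows the point of the two lines of Snort code: the naive column reports "none" for every probe that carries a reserved bit, while the cleaned column classifies the probe by its real flags and still records, separately, that the reserved bits were set.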
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:36:36 PDT