At 05:15 PM 2/22/2000 -0500, Mullen, Patrick wrote:

> From the Snort Portscan module
> (http://www.clark.net/~roesch/security.html)
>
> spp_portscan.c:
>
>     /* Strip off the reserved bits for the testing, but flag
>        that a scan is being done.
>     */
>     th_flags_cleaned = th_flags & ~(R_RES1 | R_RES2);
>
>     if(th_flags != th_flags_cleaned)
>     {
>         scan = sRESERVEDBITS;
>     }

You might want to strip R_URG as well, since per RFC 793 you can set the URG flag on packets with minimal effect to state. For example, I can perform a SYN+URG scan just as well as a SYN scan. I'm sure several portscan detectors can be fooled with this per the explanation seen earlier on Bugtraq.

tcpdump of my example SYN+URG scan:

    me.23 > him.www: S 1087172887:1087172887(0) win 512 urg 0 [tos 0x10]
    him.www > me.23: S 239306172:239306172(0) ack 1087172888 win 16384 <mss 512>
    me.23 > him.www: R 1087172888:1087172888(0) win 0 [tos 0x10]

or the more illustrative view with snort:

    02/23-04:41:33.193468 me:23 -> him:80
    TCP TTL:64 TOS:0x10 ID:1396
    **S****U Seq: 0x7FC28B3A Ack: 0x0 Win: 0x200

    02/23-04:41:33.487261 him:80 -> me:23
    TCP TTL:54 TOS:0x0 ID:64782
    **S***A* Seq: 0xF1D8AD3 Ack: 0x7FC28B3B Win: 0x4000
    TCP Options => MSS: 512
    00 00 ..

An interesting IDS testing tool might be to write a fragrouter-like tcp proxy that would set the URG bit on each packet. I'm speculating that this would result in a valid exchange that would subvert certain common IDS.

Max

--
Max Vision Network Security <visionat_private>
Network Security Assessment                     http://maxvision.net/
100% Success Rate : Penetration Testing & Risk Mitigation
Free Visibility Analysis and Price Quote for Your Network
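The flag-masking point above, as an added example that is not part of the thread or of Snort's own spp_portscan.c: the quoted check (reserved bits masked) next to the suggested variant (URG masked too), run over flag bytes constructed from the three packets in the tcpdump excerpt. The R_* values are the standard TCP flags-byte bit positions; the sNONE and sURGENTBIT codes are hypothetical stand-ins for the module's enum.

```c
#include <stdint.h>
#include <stdio.h>
/* TCP flags-byte bits (RFC 793 layout; the two reserved bits later became
 * ECN's CWR/ECE).  Names follow the quoted spp_portscan.c snippet. */
#define R_SYN  0x02
#define R_RST  0x04
#define R_ACK  0x10
#define R_URG  0x20
#define R_RES2 0x40
#define R_RES1 0x80

/* Tamper codes; sRESERVEDBITS is the thread's name, the others are hypothetical. */
enum scan_flag { sNONE = 0, sRESERVEDBITS, sURGENTBIT };

/* Quoted module logic: mask only the reserved bits, then test for a bare
 * SYN.  Returns 1 if the packet counts as a SYN probe; *scan gets the code. */
int syn_probe_original(uint8_t th_flags, enum scan_flag *scan)
{
    uint8_t th_flags_cleaned = th_flags & ~(R_RES1 | R_RES2);
    *scan = (th_flags != th_flags_cleaned) ? sRESERVEDBITS : sNONE;
    return th_flags_cleaned == R_SYN;   /* SYN+URG fails this test */
}

/* With the suggested change: URG is masked too, so SYN+URG is counted as a
 * SYN probe, and the stripped bit is still reported via *scan. */
int syn_probe_with_urg(uint8_t th_flags, enum scan_flag *scan)
{
    uint8_t th_flags_cleaned = th_flags & ~(R_RES1 | R_RES2 | R_URG);
    if (th_flags & (R_RES1 | R_RES2))
        *scan = sRESERVEDBITS;
    else if (th_flags & R_URG)
        *scan = sURGENTBIT;
    else
        *scan = sNONE;
    return th_flags_cleaned == R_SYN;
}

int main(void)
{
    /* Constructed flag bytes for the tcpdump excerpt: SYN+URG, SYN+ACK, RST. */
    const uint8_t pkts[] = { R_SYN | R_URG, R_SYN | R_ACK, R_RST };
    for (size_t i = 0; i < sizeof pkts; i++) {
        enum scan_flag a, b;
        int orig = syn_probe_original(pkts[i], &a);
        int fixed = syn_probe_with_urg(pkts[i], &b);
        printf("flags 0x%02x: original=%d with_urg=%d (code %d)\n",
               pkts[i], orig, fixed, (int)b);
    }
    return 0;
}
```

Only the first packet differs between the two checks: the original mask never counts it, the URG-stripping one counts it and still records that URG was set.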
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:36:48 PDT