Re: unused bit attack alert

From: Max Vision (visionat_private)
Date: Thu Feb 24 2000 - 04:28:46 PST


    This is true of PSH as well.  I had actually meant to respond regarding
    the PSH flag (SYN+PSH scans are perfectly workable), but had looked at URG
    first when writing my response and somehow accidentally omitted mention of
    PSH.  (Thanks Patrick for reminding me of what I said a few months ago
    about PSH)
    
    I inadvertently ended up repeating what Vern Paxson had posted just days
    earlier with regard to adding legitimate flags to traffic:
    http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-15&msg=200002212236.OAA01744at_private
    
    To summarize, it looks like in most cases PSH, URG, or the two reserved
    bits can be set in packets without affecting their function.  Portscan
    detectors and IDS should take this into account by masking to the value
    being tested.
    
    Has anyone already researched how various IP stacks deal with these
    "extra" flags in otherwise normal traffic - aside from my very limited
    portscan tests?
    
    On Wed, 23 Feb 2000, Max Vision wrote:
    > You might want to strip R_URG as well, since per RFC 793 you can set the
    > URG flag on packets with minimal effect to state.
    >
    ...
    >
    > Max
    >
    > --
    > Max Vision Network Security        <visionat_private>
    > Network Security Assessment         http://maxvision.net/
    > 100% Success Rate : Penetration Testing & Risk Mitigation
    > Free Visibility Analysis and Price Quote for Your Network
    >
    