
Re: unused bit attack alert




From the Snort Portscan module
(http://www.clark.net/~roesch/security.html)

spp_portscan.c:

   /* Strip off the reserved bits for the testing, but flag
      that a scan is being done.
   */
   th_flags_cleaned = th_flags & ~(R_RES1 | R_RES2);

   if(th_flags != th_flags_cleaned)
   {
      scan = sRESERVEDBITS;
   }

This means that anything with reserved bits set is
shown as a portscan.  Obviously, later down flags
are checked as normal using th_flags_cleaned and
flagged appropriately.

This code was inspired by connlogd, written by
Alec Kosky, which probably is also immune to this method.


~Patrick
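
The check described in the message above, as an added stand-alone example (not code from Snort or from the original post): the reserved bits are flagged first, then the ordinary flag tests run on the cleaned value. The R_* bit values, the SCAN_* result bits and the helper names are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TCP flag bits (byte 13 of the TCP header). Values assumed for this example;
   R_RES1/R_RES2 are the two high bits, reserved when the post was written and
   later assigned to ECN (CWR/ECE) by RFC 3168. */
#define R_FIN  0x01
#define R_SYN  0x02
#define R_PSH  0x08
#define R_ACK  0x10
#define R_URG  0x20
#define R_RES2 0x40
#define R_RES1 0x80

/* Hypothetical result bits, not Snort's own scan-type values. */
enum { SCAN_NONE = 0, SCAN_SYN = 1, SCAN_FIN = 2, SCAN_NULL = 4,
       SCAN_XMAS = 8, SCAN_RESERVED = 16 };

/* Classify one raw TCP header; returns -1 if it is too short to hold flags. */
int classify_tcp(const uint8_t *tcp, size_t len)
{
    if (tcp == NULL || len < 14) return -1;
    uint8_t th_flags = tcp[13];
    uint8_t cleaned = th_flags & (uint8_t)~(R_RES1 | R_RES2);
    int scan = SCAN_NONE;

    if (th_flags != cleaned) scan |= SCAN_RESERVED;   /* reserved bits were set */

    /* Every later test uses the cleaned value, so a packet is classified the
       same way whether or not the reserved bits are present. */
    if (cleaned == R_SYN) scan |= SCAN_SYN;
    else if (cleaned == R_FIN) scan |= SCAN_FIN;
    else if (cleaned == 0) scan |= SCAN_NULL;
    else if (cleaned == (R_FIN | R_PSH | R_URG)) scan |= SCAN_XMAS;
    return scan;
}

/* Build a constructed 20-byte header carrying only the given flags byte. */
int classify_flags(uint8_t flags)
{
    uint8_t hdr[20] = {0};
    hdr[12] = 0x50;            /* data offset: 5 words, no options */
    hdr[13] = flags;
    return classify_tcp(hdr, sizeof hdr);
}

int main(void)
{
    const uint8_t samples[] = { R_SYN, R_SYN | R_RES1, R_RES1 | R_RES2, R_ACK };
    for (size_t i = 0; i < sizeof samples; i++)
        printf("flags 0x%02x -> result 0x%02x\n", (unsigned)samples[i], (unsigned)classify_flags(samples[i]));
    return 0;
}
```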