On 02/19/2011 08:33 PM, Heiko Baums wrote:
Message: Vecna Scan Source: 208.92.232.29, 443 Destination:84.63.127.8, 35567 (from PPPoE1 Inbound)
The only piece of information about "vecna scans" I could find is this: http://www.mcabee.org/lists/snort-users/Feb-02/msg00294.html
"Vecna" is so named because the contributor who coded it into nmap, if I remember correctly, goes by that name or userid.
The combination of all TCP flags set is known as "Christmas Tree" ("all lit up"), abbreviated in the Snort source code as FULLXMAS:
URG ACK PSH RST SYN FIN
A subset is just known as annotated XMAS:
URG * PSH * * FIN
Both of these combinations are illegal TCP, but may confuse or avoid IDS systems. What Vecna found was that several other illegal combinations had the same effect:
URG * * * * *
* * PSH * * *
URG * * * * FIN
* * PSH * * FIN
URG * PSH * * *
I sent HTTP requests to sigurd.archlinux.org and aur.archlinux.org, but was unable to reproduce the problem (Wireshark did not show illegal flag combinations).

Regards, PyroPeter
--
freenode/pyropeter
ETAOIN SHRDLU
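Added example, not part of the original message and not Snort's own code: Python that reads the flag bits from a raw TCP header and labels the combinations listed in the message above. Matching the six flags exactly and ignoring the two ECN bits are assumptions of this example, and the sample headers and their ports are constructed.

```python
import struct

# The six classic TCP flag bits (low bits of header byte 13).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

FULLXMAS = URG | ACK | PSH | RST | SYN | FIN
XMAS = URG | PSH | FIN
# The five further illegal combinations listed in the message.
VECNA = {URG, PSH, URG | FIN, PSH | FIN, URG | PSH}


def build_header(sport, dport, flags):
    """Constructed 20-byte TCP header (seq/ack 0, data offset 5, window 1024)."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 1024, 0, 0)


def tcp_flags(segment):
    """Return the six classic flag bits from a raw TCP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    (offset_and_flags,) = struct.unpack_from("!H", segment, 12)
    return offset_and_flags & 0x3F  # assumption: ECE/CWR bits are ignored


def classify(flags):
    """Label a flag byte; assumption: combinations must match exactly."""
    flags &= 0x3F
    if flags == FULLXMAS:
        return "FULLXMAS"
    if flags == XMAS:
        return "XMAS"
    if flags in VECNA:
        return "VECNA"
    return "other"


def report(segments):
    """Return (source port, destination port, label) for each flagged header."""
    hits = []
    for seg in segments:
        label = classify(tcp_flags(seg))
        if label != "other":
            sport, dport = struct.unpack_from("!HH", seg, 0)
            hits.append((sport, dport, label))
    return hits


# Constructed sample headers: two ordinary segments and three illegal ones.
SAMPLES = [build_header(40000, 80, f) for f in
           (PSH | ACK, FIN | PSH | ACK, PSH | FIN, URG | PSH | FIN, FULLXMAS)]
```

Note that an ordinary FIN+PSH+ACK segment is not flagged: every combination in the list lacks ACK, so the ACK bit is what separates a normal connection teardown from a match.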