[aur-general] Wrong configuration of sigurd?
Hi TUs,

Is it possible that sigurd is not configured correctly? Since a short time ago I sometimes get messages from my router that it has detected and protected me against a hacker attack when I was on the AUR or updated my system. I don't know exactly when it happens, but it doesn't happen always.

This is the message I get from my router:

Message: Vecna Scan Source: 208.92.232.29, 443 Destination: 84.63.127.8, 35567 (from PPPoE1 Inbound)

This is the output of host:

$ host 208.92.232.29
29.232.92.208.in-addr.arpa domain name pointer sigurd.archlinux.org.

Or is it a bug in chromium?

Heiko
On 02/19/2011 08:33 PM, Heiko Baums wrote:
> Message: Vecna Scan Source: 208.92.232.29, 443 Destination: 84.63.127.8, 35567 (from PPPoE1 Inbound)
The only piece of information about "vecna scans" I could find is this: http://www.mcabee.org/lists/snort-users/Feb-02/msg00294.html
"Vecna" is so named because the contributor who coded it into nmap, if I remember correctly, goes by that name or userid.
The combination of all TCP flags set is known as "Christmas Tree" ("all lit up"), abbreviated in the Snort source code as FULLXMAS:
URG ACK PSH RST SYN FIN
A subset is just known as annotated XMAS:
URG * PSH * * FIN
Both of these combinations are illegal TCP, but may confuse or avoid IDS systems. What Vecna found was that several other illegal combinations had the same effect:
URG * * * * *
* * PSH * * *
URG * * * * FIN
* * PSH * * FIN
URG * PSH * * *
I sent http-requests to sigurd.archlinux.org and aur.archlinux.org, but was unable to reproduce the problem (wireshark did not show illegal flag combinations).

Regards,
PyroPeter

-- 
freenode/pyropeter ETAOIN SHRDLU
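For readers who want to check captured traffic themselves, here is an added example (not from the thread or from Snort) that classifies the flag byte of a TCP header against the combinations listed above (FULLXMAS, XMAS and the five Vecna combinations). The packets at the bottom are constructed; the port numbers mirror the router alert only as sample values.

```python
import struct

# TCP flag bits in byte 13 of the header (RFC 793 layout).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Masks named after the Snort scan types discussed in the thread.
FULLXMAS = URG | ACK | PSH | RST | SYN | FIN   # all six flags lit
XMAS = URG | PSH | FIN                          # URG * PSH * * FIN
VECNA = {URG, PSH, URG | FIN, PSH | FIN, URG | PSH}  # the five rows above


def classify_flags(flags):
    """Return the scan type a flag byte matches, or None for legal TCP."""
    f = flags & 0x3F  # ignore ECE/CWR (bits 6 and 7), which Snort's table does not use
    if f == FULLXMAS:
        return "FULLXMAS"
    if f == XMAS:
        return "XMAS"
    if f in VECNA:
        return "VECNA"
    return None


def build_tcp_header(src_port, dst_port, flags):
    """Construct a minimal 20-byte TCP header (no options, zero checksum)."""
    data_offset = 5 << 4  # header length in 32-bit words, upper nibble of byte 12
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                       data_offset, flags, 8192, 0, 0)


def scan_packets(packets):
    """Return (src_port, dst_port, scan_type) for every packet whose flags are illegal."""
    alerts = []
    for pkt in packets:
        src, dst = struct.unpack("!HH", pkt[:4])
        kind = classify_flags(pkt[13])  # byte 13 holds the flags
        if kind:
            alerts.append((src, dst, kind))
    return alerts


# Constructed sample: a normal SYN/ACK, a PSH/ACK data segment and one URG|FIN packet.
SAMPLE_PACKETS = [
    build_tcp_header(443, 35567, SYN | ACK),
    build_tcp_header(443, 35567, PSH | ACK),
    build_tcp_header(443, 35567, URG | FIN),
]

if __name__ == "__main__":
    for alert in scan_packets(SAMPLE_PACKETS):
        print("illegal flag combination:", alert)
```

Ordinary HTTPS traffic (SYN/ACK, PSH/ACK, FIN/ACK) never matches, so an alert like the one above means the router saw a segment with URG or PSH set without ACK; comparing against a capture is the quickest way to tell a real scan from a router false positive.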
On Sat, 19 Feb 2011 23:51:12 +0100, PyroPeter <abi1789@googlemail.com> wrote:
> I sent http-requests to sigurd.archlinux.org and aur.archlinux.org, but was unable to reproduce the problem (wireshark did not show illegal flag combinations)
The issue seems to occur with abs. I'll keep observing it, but it seems that I get those Vecna Scan alerts from sigurd after running abs.

Heiko
On 02/22/2011 12:03 PM, Heiko Baums wrote:
> The issue seems to occur with abs. I'll keep observing it, but it seems that I get those Vecna Scan alerts from sigurd after running abs.
Abs is usually synced with gerolde.archlinux.org, so there should be no connection between abs and sigurd.

Regards,
PyroPeter

-- 
freenode/pyropeter ETAOIN SHRDLU