[aur-general] Wrong configuration of sigurd?
PyroPeter
abi1789 at googlemail.com
Sat Feb 19 17:51:12 EST 2011
On 02/19/2011 08:33 PM, Heiko Baums wrote:
> Message: Vecna Scan
> Source: 208.92.232.29, 443
> Destination:84.63.127.8, 35567 (from PPPoE1 Inbound)
The only piece of information about "vecna scans" I could find is this:
http://www.mcabee.org/lists/snort-users/Feb-02/msg00294.html
> "Vecna" is so named because the contributor who coded it into nmap,
> if I remember correctly, goes by that name or userid.
>
> The combination of all TCP flags set is known as "Christmas Tree"
> ("all lit up"), abbreviated in the Snort source code as FULLXMAS:
>
> URG ACK PSH RST SYN FIN
>
> A subset is just known as annotated XMAS:
>
> URG * PSH * * FIN
>
> Both of these combinations are illegal TCP, but may confuse or
> avoid IDS systems. What Vecna found was that several other illegal
> combinations had the same effect:
>
> URG * * * * *
> * * PSH * * *
> URG * * * * FIN
> * * PSH * * FIN
> URG * PSH * * *
I sent HTTP requests to sigurd.archlinux.org and aur.archlinux.org,
but was unable to reproduce the problem (Wireshark did not show illegal
flag combinations).
Regards, PyroPeter
--
freenode/pyropeter ETAOIN SHRDLU
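
A way to check a capture for the flag combinations listed in the quoted snort-users post, as an added example that is not part of the original message or of Snort's code. The labels, function names and the sample packets built by `build_packet` are constructed for illustration; only the combinations named in the post are classified, everything else is reported as "other".

```python
import struct

# TCP flag bits in byte 13 of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag combinations exactly as listed in the quoted post (labels are ours).
NAMED = {
    URG | ACK | PSH | RST | SYN | FIN: "FULLXMAS",
    URG | PSH | FIN: "XMAS",
    URG: "VECNA",
    PSH: "VECNA",
    URG | FIN: "VECNA",
    PSH | FIN: "VECNA",
    URG | PSH: "VECNA",
}

def tcp_flags(packet: bytes):
    """Return the six classic TCP flag bits of a raw IPv4 packet, or None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ihl < 20 or packet[9] != 6:        # protocol 6 = TCP
        return None
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return None                       # non-first fragment: no TCP header
    if len(packet) < ihl + 14:
        return None                       # truncated before the flags byte
    return packet[ihl + 13] & 0x3F        # ignore the ECE/CWR bits

def classify(packet: bytes) -> str:
    """Label a packet by the combinations in NAMED, else 'other'/'not-tcp'."""
    flags = tcp_flags(packet)
    return "not-tcp" if flags is None else NAMED.get(flags, "other")

def build_packet(flags: int, options: bytes = b"") -> bytes:
    """Constructed sample: minimal IPv4+TCP headers, checksums left zero."""
    ihl = 5 + len(options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + 20, 0, 0,
                     64, 6, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    tcp = struct.pack("!HHIIBBHHH", 443, 35567, 0, 0, 5 << 4, flags, 1024, 0, 0)
    return ip + options + tcp
```

Ordinary HTTPS traffic (SYN, ACK, PSH+ACK, FIN+ACK) falls under "other", so any packet labelled otherwise in a capture from the affected connection is worth a closer look.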