[Snort-users] Vecna Scan ????

Glenn Forbes Fleming Larratt glratt at ...604...
Fri Feb 8 14:07:05 EST 2002


"Vecna" is so named because the contributor who coded it into nmap,
if I remember correctly, goes by that name or userid.

The combination of all TCP flags set is known as "Christmas Tree"
("all lit up"), abbreviated in the Snort source code as FULLXMAS:

	URG ACK PSH RST SYN FIN

A subset is just known as annotated XMAS:

	URG  *  PSH  *   *  FIN

Both of these combinations are illegal TCP, but may confuse or
avoid IDS systems. What Vecna found was that several other illegal
combinations had the same effect:

	URG  *   *   *   *   *
	 *   *  PSH  *   *   *
	URG  *   *   *   *  FIN
	 *   *  PSH  *   *  FIN
	URG  *  PSH  *   *   *

Vecna's post is archived at

	http://www.securityfocus.com/archive/1/42136

-g


On Fri, 8 Feb 2002 SkatFiend at ...661... wrote:

> Date: Fri, 08 Feb 2002 16:46:26 EST
> From: SkatFiend at ...661...
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Vecna Scan ????
>
> Hi everyone,
>
> I've done some web searching without good results, can anyone tell me what a "Vecna Scan" is, or direct me to a web resource?
>
> Thanks, Cliff Arms

				Glenn Forbes Fleming Larratt
				Rice University Network Management
				glratt at ...604...
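
Added example, not part of the original message and not Snort's own code: a classifier that reads the flags byte from a raw TCP header and names it using the combinations listed in the message above. The function names, the constructed test segments, and the choice to ignore the two high bits of the flags byte are assumptions of this example.

```python
import struct

# TCP flag bits in the low six bits of byte 13 of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

FULLXMAS = URG | ACK | PSH | RST | SYN | FIN
XMAS = URG | PSH | FIN
# The five further combinations listed in the message above.
VECNA = {URG, PSH, URG | FIN, PSH | FIN, URG | PSH}


def classify_flags(flags):
    """Return the name for a TCP flags byte, or None if it is not listed."""
    flags &= 0x3F  # assumption: the two high bits are ignored
    if flags == FULLXMAS:
        return "FULLXMAS"
    if flags == XMAS:
        return "XMAS"
    if flags in VECNA:
        return "VECNA"
    return None


def classify_segment(segment):
    """Classify a raw TCP segment whose header starts at byte 0."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    # Ports, sequence, acknowledgement, data offset byte, flags byte.
    _sport, _dport, _seq, _ack, off_res, flags = struct.unpack(
        "!HHIIBB", segment[:14])
    if (off_res >> 4) < 5:
        raise ValueError("invalid data offset")
    return classify_flags(flags)


def make_segment(flags, sport=40000, dport=80):
    """Build a constructed 20-byte TCP header (checksum left at zero)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                       5 << 4, flags, 1024, 0, 0)


if __name__ == "__main__":
    # Constructed samples: all flags, XMAS, two Vecna variants, a normal SYN.
    for f in (0x3F, URG | PSH | FIN, URG, PSH | FIN, SYN):
        print(f"flags=0x{f:02x} -> {classify_segment(make_segment(f))}")
```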




