XMAS and NULL
Hi folks,
I have found various definitions of the XMAS and NULL scans. Some state the former is when all flags are set in TCP and the latter is when none is.
I have also found the code for the above, which states:
    /* xmas scan: only FIN, URG and PSH are tested here, any other
       flags in the segment are ignored */
    if (pkt.tcp.fin == 1 && pkt.tcp.urg == 1 && pkt.tcp.psh == 1) {
        printf("Xmas scan attack detected from %s to %s\n",
               hostlookup(pkt.ip.saddr),
               servlookup(pkt.tcp.dest));
    }
    /* null scan: only FIN, SYN and ACK are tested here, so a segment
       carrying just RST, PSH or URG also matches */
    if (pkt.tcp.fin == 0 && pkt.tcp.syn == 0 && pkt.tcp.ack == 0) {
        printf("Null scan attack detected from %s to %s\n",
               hostlookup(pkt.ip.saddr),
               servlookup(pkt.tcp.dest));
    }
Can someone point me to a correct reference of what the check means? Besides, are packets that meet the check dropped? Do we have any RFC defining the list of TCP flag combinations which are illegal and need to be dropped?
Thanks,
Vishwas
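An added worked example (editor's code, not part of Vishwas's post or of the sniffer he quotes) that makes the two questions above concrete. It builds constructed 20-byte TCP headers, extracts the flag byte, and classifies each segment twice: once with the exact definitions quoted in the post ("all flags set" or FIN+PSH+URG for Xmas, no flags for Null) and once with the looser three-flag tests from the posted C code, so the cases where the posted check over-matches become visible. Addresses, ports and the header contents are constructed sample values.

```python
import struct

# Classic six TCP flag bits as they sit in byte 13 of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_SIX = FIN | SYN | RST | PSH | ACK | URG   # "all flags set" definition of Xmas
XMAS_FPU = FIN | PSH | URG                    # FIN+PSH+URG, the bits the posted code tests


def build_tcp_header(flags: int, sport: int = 40000, dport: int = 80) -> bytes:
    """Constructed 20-byte TCP header with no options. Checksum is left at
    zero because only the flag byte matters for this example."""
    data_offset = 5 << 4  # 5 x 32-bit words, reserved bits zero
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags, 1024, 0, 0)


def tcp_flags(header: bytes) -> int:
    """Return the six classic flag bits; the top two bits (ECE, CWR) are masked off."""
    if len(header) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    return header[13] & 0x3F


def classify_strict(flags: int) -> str:
    """Exact-match classification following the definitions quoted in the post."""
    if flags == 0:
        return "NULL"
    if flags in (XMAS_FPU, ALL_SIX):
        return "XMAS"
    return "other"


def classify_like_posted_code(flags: int) -> str:
    """Mirror the two 'if' tests in the posted sniffer. Each looks at only
    three flags, so it matches more segments than the strict definitions."""
    if flags & FIN and flags & URG and flags & PSH:
        return "XMAS"
    if not (flags & FIN) and not (flags & SYN) and not (flags & ACK):
        return "NULL"
    return "other"


def alerts_for(segments):
    """Run both classifiers over (src, dst, raw_header) tuples and return the
    cases where they disagree, i.e. where the posted check over-matches."""
    out = []
    for src, dst, raw in segments:
        f = tcp_flags(raw)
        strict, loose = classify_strict(f), classify_like_posted_code(f)
        if strict != loose:
            out.append((src, dst, f"flags=0x{f:02x}", strict, loose))
    return out


# Constructed sample traffic (not a capture): one segment per interesting flag mix.
SAMPLES = [
    ("10.0.0.5", "10.0.0.9", build_tcp_header(0)),               # Null probe
    ("10.0.0.5", "10.0.0.9", build_tcp_header(XMAS_FPU)),        # Xmas probe
    ("10.0.0.5", "10.0.0.9", build_tcp_header(ALL_SIX)),         # "all flags" Xmas
    ("10.0.0.5", "10.0.0.9", build_tcp_header(SYN)),             # ordinary connection attempt
    ("10.0.0.5", "10.0.0.9", build_tcp_header(RST)),             # plain reset
    ("10.0.0.5", "10.0.0.9", build_tcp_header(XMAS_FPU | ACK)),  # FIN/PSH/URG plus ACK
]

if __name__ == "__main__":
    for src, dst, raw in SAMPLES:
        f = tcp_flags(raw)
        print(f"{src} -> {dst} flags=0x{f:02x} "
              f"strict={classify_strict(f)} posted={classify_like_posted_code(f)}")
    for row in alerts_for(SAMPLES):
        print("disagreement:", row)
```

Running it shows the two classifiers agreeing on the Null, Xmas and SYN segments and disagreeing on two: a bare RST segment is reported as a Null scan by the posted tests (FIN, SYN and ACK are all zero), and FIN+PSH+URG with ACK set is reported as an Xmas scan, while neither meets the strict definitions. Whatever reference is used for the flag combinations, a detector should compare the whole flag byte rather than three bits of it.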