[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: XMAS and NULL



NULL = NO FLAGS set on a tcp packet.
That is a fairly universal definition.
The XMAS definition you use is based on nmap's xmas scan. I have heard
xmas described as ALL TCP flags set but in general the nmap definitation
(FUP) is probably the most common definition.
AFAIK RFC 793 define's the responses for these packets.
Some older OS fingerprinting tools queso etc... used the response to
unusual flag combinations to fingerprint the os.
Probably the best known os fingerprinting paper resides here:

http://www.insecure.org/nmap/nmap-fingerprinting-article.html

Hope that helps.

donald.smith@qwest.com giac 
-----Original Message-----
From: owner-opsec@psg.com [mailto:owner-opsec@psg.com] On Behalf Of
Vishwas Manral
Sent: Monday, February 21, 2005 11:10 AM
To: opsec@ops.ietf.org
Subject: XMAS and NULL


Hi folks,

I have found various definitions of the SMAS and NULL scans. Some state
the former is when all flags are set in TCP and the latter is when none
is.

I have also found the code for the above which states

      /* xmas scan */
      if(pkt.tcp.fin==1 && pkt.tcp.urg==1 && pkt.tcp.psh==1) {
         printf("Xmas scan attack dedected from %s to %s\n", 
           hostlookup(pkt.ip.saddr), servlookup(pkt.tcp.dest));
      }

      /* null scan */
      if(pkt.tcp.fin==0 && pkt.tcp.syn==0 && pkt.tcp.ack==0)
      {
         printf("Null scan attack dedected from %s to %s\n", 
           hostlookup(pkt.ip.saddr), servlookup(pkt.tcp.dest));
      }

Can someone point me to a correct reference of what the check means?
Besides are packets that meet the check dropped? Do we have any RFC
defining the list of TCP flag combinations which are illegal and need to
be dropped?

Thanks,
Vishwas