Well, about iplogging the fact is not that some iplogger can miss
this specific sub-Xmas scans. The ''bug'' (if we can call it as a bug)
it's at the base idea of many iploggers used nowadays is based on a
concept:
By default all packets passes
Strange packets are logged.
That's not the best, absolutely...
In this situation every new scan require a source code modification and/or
a reconfiguration of the tool.
Some iploggers, instead, use a improved idea:
By default all packets are logged
Normal packets can pass
And this can permit us not to rewrite pieces of code (and before tool
update, miss this scan).
Nail
----------------------------------------
Because sprintf and vsprintf assume an infinitely long string,
callers must be careful not to overflow the actual space;
this is often impossible to assure.
--- Linux man
On Mon, 17 Jan 2000, vecna wrote:
> in November`99 more or less... i've discovered 5 type of new stealth scan,
> with the modification of flags used normally on XMAS stealth scan.
>
> the five type of packets that can be used for stealth scanning, and isn't
> logged from the normal tcplogd/scanlogger have this flag:
> URG
> PUSH
> URG+FIN
> PUSH+FIN
> URG+PUSH
>
> this flag on packet, such FIN, XMAS (fin+urg+psh), and NULL scan (no one
> flag set) cause the reply RST+ACK if port is closed, and no reply if
> port is open. this is efective only against *nix system
>
> i don't think that is an important tecnical notice... but most tcp logger
> must be upgraded/reconfigurated.
>
> i've coded patch for nmap-2.12, check http://vecna.unix.kg
>
> Bye.
> vecna
>
