On 02/19/2011 08:33 PM, Heiko Baums wrote:
> Message: Vecna Scan Source: 208.92.232.29, 443 Destination:84.63.127.8, 35567 (from PPPoE1 Inbound)

The only piece of information about "vecna scans" I could find is this:
http://www.mcabee.org/lists/snort-users/Feb-02/msg00294.html

> "Vecna" is so named because the contributor who coded it into nmap,
> if I remember correctly, goes by that name or userid.
>
> The combination of all TCP flags set is known as "Christmas Tree"
> ("all lit up"), abbreviated in the Snort source code as FULLXMAS:
>
>   URG ACK PSH RST SYN FIN
>
> A subset is just known as annotated XMAS:
>
>   URG  *  PSH  *   *  FIN
>
> Both of these combinations are illegal TCP, but may confuse or
> avoid IDS systems. What Vecna found was that several other illegal
> combinations had the same effect:
>
>   URG  *   *   *   *   *
>    *   *  PSH  *   *   *
>   URG  *   *   *   *  FIN
>    *   *  PSH  *   *  FIN
>   URG  *  PSH  *   *   *

I sent HTTP requests to sigurd.archlinux.org and aur.archlinux.org, but
was unable to reproduce the problem (Wireshark did not show illegal flag
combinations).

Regards,
PyroPeter

--
freenode/pyropeter
ETAOIN SHRDLU
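
Added example, not part of the original message: a small Python classifier that reads the flag byte of a raw TCP header and names the illegal combinations listed in the quoted snort-users post. It assumes `*` in those tables means "bit clear" (exact match on the six classic flags) and ignores the two upper bits; the function names and the sample headers are constructed for illustration.

```python
import struct

# TCP flag bits, low six bits of header byte 13.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Combinations from the quoted message. Assumption: "*" means the bit is
# clear, so every pattern is an exact match on the six classic flags.
ILLEGAL_COMBOS = {
    URG | ACK | PSH | RST | SYN | FIN: "FULLXMAS",
    URG | PSH | FIN: "XMAS",
    URG: "VECNA (URG)",
    PSH: "VECNA (PSH)",
    URG | FIN: "VECNA (URG+FIN)",
    PSH | FIN: "VECNA (PSH+FIN)",
    URG | PSH: "VECNA (URG+PSH)",
}

def tcp_flags(segment: bytes) -> int:
    """Return the six classic flag bits of a raw TCP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13] & 0x3F  # assumption: upper two bits are ignored

def classify(segment: bytes):
    """Name the illegal combination, or None if the flags match none of them."""
    return ILLEGAL_COMBOS.get(tcp_flags(segment))

def make_header(sport: int, dport: int, flags: int) -> bytes:
    """Build a constructed 20-byte TCP header (seq/ack 0, no options)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)

if __name__ == "__main__":
    # Constructed samples; ports mirror the firewall log line quoted above.
    samples = {
        "normal data": PSH | ACK,
        "xmas": URG | PSH | FIN,
        "full xmas": 0x3F,
        "psh only": PSH,
    }
    for label, flags in samples.items():
        hdr = make_header(443, 35567, flags)
        print(f"{label:12} flags=0x{flags:02x} -> {classify(hdr)}")
```

Running the same check over a capture of the traffic the firewall flagged would show whether the alert corresponds to one of these patterns or to a different rule.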
