From: John Lampe (jwlampe@tenablesecurity.com)
Date: Mon Oct 15 2007 - 14:41:12 EDT
Erin Carroll wrote:
> All,
>
> Quick question. I was recently reading a blog post at
> http://dmiessler.com/study/synpackets/ and realized I need to brush up on
> which scanners out there on Windows & linux by default use raw vs connect()
> packets. The issue is that raw socket packets have a differing length
The only difference is the size of the options field. You can have
60-byte packets created using raw sockets and 44-byte packets created
using the built-in API.
and
> that many products are coded to look for raw socket packets (44 bytes) and
> treat them differently than connect() packets (60 bytes).
I'd bet that they weren't looking at byte size so much as other stuff.
A 44 byte packet (20 bytes IP, 20 bytes TCP, 4 bytes option) isn't
uncommon to see. At Tenable, we created passive checks for the
detection of the nmap scanner. In all cases, we did not consider the
size of the packet but instead looked at "other stuff". p0f also has a
means of detecting nmap packets on a network.
--
John Lampe
Senior Security Researcher
TENABLE Network Security, Inc.
jwlampe@{nessus.org,tenablesecurity.com}
Tele: (410) 872-0555
www.tenablesecurity.com
Is your network TENABLE?
---------------------------------------
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:09 EDT