[svlug] Re: what about those tcp flags?
georgw at galis.org
Thu Mar 13 11:12:20 PST 2003
On Thu, Mar 13, 2003 at 10:09:40AM -0800, Rick Schultz wrote:
>On Thu, Mar 13, 2003 at 12:32:50PM -0500, George Georgalis wrote:
>> --tcp-flags SYN,FIN SYN,FIN -j DROP # syn/fin-scan
>> --tcp-flags SYN,ACK,FIN,RST RST # Stealth-Scan but might be normal too --limit 5/m
>> --tcp-flags ALL FIN,URG,PSH -j DROP # nmap-xmas scan
>> --tcp-flags ALL FIN # fin-scan
>> --tcp-flags ALL NONE # null-scan
>Isn't that what --state INVALID is for? Or does that miss some of
Thanks Rick, excellent advice, I haven't been using INVALID. I also like
another reference to look at snort IDS rules.
My intent was for my own education as well developing a better ruleset.
grepping INVALID from the iptables source has yielded lots of good
information... most notably from iptables-1.2.6a.tar.bz2
(alt location http://www.iae.nl/users/guido/papers/tcp_filtering.ps.gz )
This is complicated stuff, that INVALID will come in very handy
as well as the 'recent' patch...
GEORGE GEORGALIS, System Admin/Architect cell: 347-451-8229
Security Services, Web, Mail, mailto:george at galis.org
Multimedia, DB, DNS and Metrics. http://www.galis.org/george
More information about the svlug