[svlug] Re: what about those tcp flags?

George Georgalis georgw at galis.org
Thu Mar 13 11:12:20 PST 2003


On Thu, Mar 13, 2003 at 10:09:40AM -0800, Rick Schultz wrote:
>On Thu, Mar 13, 2003 at 12:32:50PM -0500, George Georgalis wrote:
>>  --tcp-flags SYN,FIN SYN,FIN -j DROP # syn/fin-scan
>>  --tcp-flags SYN,ACK,FIN,RST RST # Stealth-Scan but might be normal too --limit 5/m
>>  --tcp-flags ALL FIN,URG,PSH -j DROP # nmap-xmas scan 
>>  --tcp-flags ALL FIN # fin-scan
>>  --tcp-flags ALL NONE # null-scan
>
>Isn't that what --state INVALID is for?  Or does that miss some of
>these?

Thanks Rick, excellent advice, I haven't been using INVALID. I also like
another reference to look at snort IDS rules.

My intent was for my own education as well as developing a better ruleset.
grepping INVALID from the iptables source has yielded lots of good
information... most notably from iptables-1.2.6a.tar.bz2

./patch-o-matic/extra/recent.patch.help
./patch-o-matic/extra/tcp-window-tracking.patch.help
and 
http://www.nluug.nl/events/sane2000/papers/rooij.ps.gz
(alt location http://www.iae.nl/users/guido/papers/tcp_filtering.ps.gz )

This is complicated stuff; INVALID will come in very handy,
as well as the 'recent' patch...

Regards,
// George


-- 
GEORGE GEORGALIS, System Admin/Architect    cell: 347-451-8229 
Security Services, Web, Mail,            mailto:george at galis.org 
Multimedia, DB, DNS and Metrics.       http://www.galis.org/george 
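The rules quoted at the top of this thread are easy to misread, because `--tcp-flags MASK COMP` means "look only at the flags in MASK, and match when exactly the COMP flags (and none of the other masked flags) are set". The following is an added illustration, not code from the original post or from iptables: a small Python model of that match, fed with the five flag combinations George listed, plus a helper that turns tcpdump-style flag letters (`FPU`, `S.`, and so on) into the same bit layout. The bit values are the real TCP header flag bits; the sample flag strings at the bottom are constructed for the demo.

```python
"""Model of iptables' `--tcp-flags MASK COMP` match (added example).

Bit values follow the TCP header; the rule table mirrors the five
scan signatures quoted in the thread.
"""

# TCP flag bits as they appear in the header's flags byte.
TCP_FLAGS = {
    "FIN": 0x01,
    "SYN": 0x02,
    "RST": 0x04,
    "PSH": 0x08,
    "ACK": 0x10,
    "URG": 0x20,
}
ALL = 0x3F   # iptables' ALL keyword: every flag above
NONE = 0x00  # iptables' NONE keyword: no flag at all


def flagset(names):
    """Translate an iptables flag list ('SYN,FIN', 'ALL', 'NONE') to a bitmask."""
    if names == "ALL":
        return ALL
    if names == "NONE":
        return NONE
    mask = 0
    for name in names.split(","):
        mask |= TCP_FLAGS[name.strip().upper()]
    return mask


def tcp_flags_match(mask, comp, flags):
    """iptables semantics: examine only the MASK bits of the packet's flags and
    match when those bits equal COMP exactly."""
    return (flags & flagset(mask)) == flagset(comp)


# The `--tcp-flags` arguments quoted in the thread, with the author's labels.
SCAN_RULES = [
    ("SYN,FIN", "SYN,FIN", "syn/fin-scan"),
    ("SYN,ACK,FIN,RST", "RST", "bare RST (may be normal)"),
    ("ALL", "FIN,URG,PSH", "nmap-xmas scan"),
    ("ALL", "FIN", "fin-scan"),
    ("ALL", "NONE", "null-scan"),
]


def classify(flags):
    """Return the label of every rule the given flags byte would hit, in rule order."""
    return [label for mask, comp, label in SCAN_RULES
            if tcp_flags_match(mask, comp, flags)]


# tcpdump prints flags as letters: S=SYN, F=FIN, R=RST, P=PSH, U=URG, '.'=ACK.
# E (ECE) and W (CWR) have no counterpart in the table above and are ignored.
TCPDUMP_LETTERS = {"S": "SYN", "F": "FIN", "R": "RST", "P": "PSH", "U": "URG", ".": "ACK"}


def flags_from_tcpdump(letters):
    """Convert a tcpdump flag string such as 'FPU' or 'S.' into a bitmask."""
    flags = 0
    for ch in letters:
        name = TCPDUMP_LETTERS.get(ch)
        if name is not None:
            flags |= TCP_FLAGS[name]
    return flags


if __name__ == "__main__":
    # Constructed sample flag strings, in tcpdump's notation.
    for sample in ["S", "S.", "FPU", "F", "", "R", "R.", "SF"]:
        hits = classify(flags_from_tcpdump(sample))
        print(f"Flags [{sample or '-'}] -> {hits or 'no rule matched'}")
```

Two things the model makes visible: a FIN/ACK segment from a normal teardown does not hit the `ALL FIN` rule, because ACK is inside the mask and must be clear, and a RST/ACK does not hit the bare-RST rule for the same reason. The model is purely per-packet; `--state INVALID`, which Rick suggested, is stateful and catches packets that fit no tracked connection without any flag list at all, so the two approaches complement each other rather than replace one another.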



