[Firehol-support] possible problem with 'malformed-bad'
Costa Tsaousis
costa at tsaousis.gr
Sat Mar 6 01:20:32 GMT 2004
Hi,
>> > --tcp-flags SYN,RST,PSH,ACK,URG SYN,RST,PSH,URG
>>
>> Added this in v1.180 in the CVS.
>
> This is a subset of SYN,RST SYN,RST, too, so you can remove it.
> Seems as if that rule didn't make it to my brain :)
>
You are right. I have removed it :)
> There may be another problem: Detecting which OS and/or OS version
> is used on a host behind the firewall, depending on the reaction to
> a tcp package with bad flags. At least nessus complains about this
> when scanning the firewall, so there is at least the threat of a
> false positive.
Of course! This is another reason for having those malformed-packet matches.
Costa
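The subset argument in the quoted exchange rests on how iptables evaluates `--tcp-flags MASK COMP`: only the bits named in MASK are examined, and among those exactly the bits in COMP must be set. The following is an added example, not code from the thread or from FireHOL, that models that semantics in Python and checks the claim that `SYN,RST,PSH,ACK,URG SYN,RST,PSH,URG` matches only packets already caught by `SYN,RST SYN,RST`, so the narrower rule is redundant. The function and constant names are this example's own.

```python
# Added example (not from the mailing-list thread or FireHOL): a model of
# iptables "--tcp-flags MASK COMP" matching, used to verify the claim in the
# thread that "SYN,RST,PSH,ACK,URG SYN,RST,PSH,URG" is a subset of
# "SYN,RST SYN,RST". Bit values mirror the TCP flag byte; iptables' ALL
# keyword covers exactly these six flags.
FLAG_BITS = {
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04,
    "PSH": 0x08, "ACK": 0x10, "URG": 0x20,
}
ALL_FLAGS = sum(FLAG_BITS.values())  # 0x3F, iptables' "ALL"


def parse_flags(spec):
    """Turn 'SYN,RST', 'ALL' or 'NONE' into a bitmask, as iptables does."""
    spec = spec.strip().upper()
    if spec == "ALL":
        return ALL_FLAGS
    if spec == "NONE":
        return 0
    mask = 0
    for name in spec.split(","):
        mask |= FLAG_BITS[name]  # unknown flag names raise, as iptables rejects them
    return mask


def flag_names(flags):
    """Human-readable rendering of a flag byte, e.g. 0x06 -> 'SYN,RST'."""
    names = [n for n, bit in FLAG_BITS.items() if flags & bit]
    return ",".join(names) if names else "NONE"


def tcp_flags_match(rule, flags):
    """Model of --tcp-flags MASK COMP: look only at the bits in MASK and
    require exactly the bits in COMP to be set among them."""
    mask_spec, comp_spec = rule.split()
    mask, comp = parse_flags(mask_spec), parse_flags(comp_spec)
    return (flags & mask) == comp


def matched_set(rule):
    """Every flag combination (over the six iptables flags) the rule matches."""
    return {f for f in range(ALL_FLAGS + 1) if tcp_flags_match(rule, f)}


def is_subset_rule(narrow, broad):
    """True if every packet matched by `narrow` is also matched by `broad`,
    i.e. `narrow` adds nothing once `broad` is present."""
    return matched_set(narrow) <= matched_set(broad)


if __name__ == "__main__":
    narrow = "SYN,RST,PSH,ACK,URG SYN,RST,PSH,URG"
    broad = "SYN,RST SYN,RST"
    for rule in (narrow, broad):
        hits = sorted(matched_set(rule))
        print(f"{rule!r} matches {len(hits)} flag combinations:",
              ", ".join(flag_names(f) for f in hits))
    print("narrow is a subset of broad:", is_subset_rule(narrow, broad))
    print("broad is a subset of narrow:", is_subset_rule(broad, narrow))
```

Running it shows the narrower rule matching only two combinations (both with SYN and RST set, differing only in FIN), all of which the `SYN,RST SYN,RST` rule already covers, while the reverse containment does not hold. The same `is_subset_rule` check can be run over any pair of candidate bad-flags rules before adding one to a ruleset.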