Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
GEN:SID | 1:627 |
Message | SCAN cybercop os SFU12 probe |
Summary | This event is generated when the Cybercop vulnerability scanner is used against a host. |
Impact | Cybercop can be used to identify vulnerabilities on host systems. |
Detailed Information | This particular packet is a part of Cybercop's OS identification. Specially crafted packets are able to elicit different responses from different operating systems. This packet is likely to be part of a full Cybercop scan rather than an isolated event. Having SYN, FIN, URG and reserve bits 1 and 2 set at the same time is abnormal. |
Affected Systems | All |
Attack Scenarios | Cybercop can be used by attackers to determine vulnerabilities present on a host or network of hosts that could be used as attack vectors. |
Ease of Attack | Simple |
Corrective Action | TCP packets with SYN, FIN, URG and reserved bits 1 and 2 set at the same time are abnormal, use a packet filtering firewall to block them. |
Additional References | Arachnids: http://www.whitehats.com/info/IDS150 |
Rule References | arachnids: 150 |
--
DID:252836
--
http://www.aanval.com/