From goanookie at gmail.com Sun May 22 14:36:55 2005
From: goanookie at gmail.com (Peter De Zutter)
Date: Sun, 22 May 2005 23:36:55 +0200
Subject: [NARC] typo in default narc.conf found in tarball?
Message-ID:

Just finished a scan with Nessus and I was quite surprised to find this:

Warning found on port general/tcp

The remote host does not discard TCP SYN packets which have the FIN flag set.

Depending on the kind of firewall you are using, an attacker may use this flaw to bypass its rules.

See also :
http://archives.neohapsis.com/archives/bugtraq/2002-10/0266.html
http://www.kb.cert.org/vuls/id/464113

Solution : Contact your vendor for a patch
Risk factor : Medium
BID : 7487
Nessus ID : 11618

Apart from the above, and what seems to be a typo in the default config file found in the tarball, it is just a very great and handy tool; Gentoo ebuild coming soon. Back to the typo.

In ILLEGAL_TCP_FLAGS there is twice FIN SYN; must that not be once FIN SYN and once SYN FIN?

# Illegal TCP flag combinations (copy from narc.conf found in narc-0.7.tgz)
ILLEGAL_TCP_FLAGS="SYN,FIN PSH,FIN SYN,ACK,FIN SYN,FIN,PSH SYN,FIN,RST SYN,FIN,RST,PSH SYN,FIN,ACK,RST SYN,ACK,FIN,RST,PSH ALL"

I'll try tomorrow with the correct flags and re-run Nessus.

Time to get some sleep

Peter D.Z.

-- 
I have plenty of common sense, I just choose to ignore it.
--- Calvin
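An added example, not part of the message above and not NARC's own code: a small audit of the quoted ILLEGAL_TCP_FLAGS value that reports entries naming the same flag set and lists which SYN+FIN combinations the list leaves out. It assumes each entry is matched as an exact flag set (as an iptables rule of the form `--tcp-flags ALL <entry>` would), which is an assumption about how NARC applies the list; the function names are hypothetical.

```python
from itertools import combinations

TCP_FLAGS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")  # what iptables' ALL expands to

# Value quoted in the message above (narc.conf from narc-0.7.tgz).
ILLEGAL_TCP_FLAGS = ("SYN,FIN PSH,FIN SYN,ACK,FIN SYN,FIN,PSH SYN,FIN,RST "
                     "SYN,FIN,RST,PSH SYN,FIN,ACK,RST SYN,ACK,FIN,RST,PSH ALL")

def parse_entry(entry):
    """Turn one comma-separated entry into an order-independent flag set."""
    if entry == "ALL":
        return frozenset(TCP_FLAGS)
    flags = frozenset(entry.split(","))
    unknown = flags - set(TCP_FLAGS)
    if unknown:
        raise ValueError(f"unknown TCP flag(s) in {entry!r}: {sorted(unknown)}")
    return flags

def duplicate_entries(value):
    """Entries that name the same flag set as an earlier entry."""
    seen, dups = set(), []
    for entry in value.split():
        key = parse_entry(entry)
        if key in seen:
            dups.append(entry)
        seen.add(key)
    return dups

def uncovered_syn_fin(value):
    """SYN+FIN flag sets that no entry matches exactly (assumed semantics)."""
    listed = {parse_entry(e) for e in value.split()}
    others = [f for f in TCP_FLAGS if f not in ("SYN", "FIN")]
    every = {frozenset({"SYN", "FIN", *extra})
             for n in range(len(others) + 1)
             for extra in combinations(others, n)}
    return sorted((sorted(s) for s in every - listed), key=lambda s: (len(s), s))

if __name__ == "__main__":
    print("duplicates:", duplicate_entries(ILLEGAL_TCP_FLAGS))
    for flags in uncovered_syn_fin(ILLEGAL_TCP_FLAGS):
        print("not listed:", ",".join(flags))
```

Under the exact-match assumption, the order of flags inside one entry does not change which packets it matches. A rule that masks only the two flags (iptables `--tcp-flags SYN,FIN SYN,FIN`) matches every packet with both set, whatever other flags are present.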