| GEN:SID | 1:627 |
| Message | SCAN cybercop os SFU12 probe |
| Summary | This event is generated when the Cybercop vulnerability scanner is used against a host.
|
| Impact | Cybercop can be used to identify vulnerabilities on host systems.
|
| Detailed Information | This particular packet is a part of Cybercop's OS identification. Specially crafted packets are able to elicit different responses from different operating systems. This packet is likely to be part of a full Cybercop scan rather than an isolated event. Having SYN, FIN, URG and reserve bits 1 and 2 set at the same time is abnormal.
|
| Affected Systems | All
|
| Attack Scenarios | Cybercop can be used by attackers to determine vulnerabilities present on a host or network of hosts that could be used as attack vectors.
|
| Ease of Attack | Simple
|
| Corrective Action | TCP packets with SYN, FIN, URG and reserved bits 1 and 2 set at the same time are abnormal, use a packet filtering firewall to block them.
|
| Additional References | Arachnids: http://www.whitehats.com/info/IDS150
|
| Rule References | arachnids: 150
|