Date: Thu, 04 Jan 2001 15:32:27 +0100
From: Lars Gaarden
To: project@honeynet.org
Subject: Scan of the month

1) My guess would be that it attempts to determine the type and version of the web server running on the target. The "HEAD / HTT0x8" irks me, though. If the purpose is only to get the "Server: xxxx", why send an invalid request?

2) It tries to evade IDS systems that look at the payload of single packets instead of systems that track and assemble TCP sessions. Note that this isn't fragmented IP datagrams, but just plain normal IP datagrams with 1-5 byte payloads. Also, it is very unlikely that these datagrams have been hand-crafted. They are created by the normal TCP/IP stack on behalf of a tool that sets SO_SNDLOWAT on the socket.

3) The closest I can find is whisker in -I 9 mode.

--
LarsG
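Added example, not part of the original message: it shows why a per-packet signature match misses a request delivered in 1-5 byte TCP segments as described in point 2, and how an IDS that reassembles the client-to-server stream recovers it. The request text, segment sizes and sequence numbers are constructed here for illustration.

```python
import re
from typing import List, Tuple

# Constructed request; an attacker-side tool would deliver it in tiny segments.
REQUEST = b"HEAD / HTTP/1.0\r\n\r\n"

# A TCP segment modelled as (relative sequence number, payload bytes).
Segment = Tuple[int, bytes]

def splice(data: bytes, sizes: List[int]) -> List[Segment]:
    """Split data into segments whose lengths cycle through `sizes`, tagging each with its seq."""
    segments, offset, i = [], 0, 0
    while offset < len(data):
        n = sizes[i % len(sizes)]
        segments.append((offset, data[offset:offset + n]))
        offset += n
        i += 1
    return segments

# Simple HTTP request-line signature an IDS might carry.
SIGNATURE = re.compile(rb"^(HEAD|GET) / HTTP/", re.M)

def per_packet_match(segments: List[Segment]) -> bool:
    """Naive IDS: inspect each packet's payload in isolation (no session tracking)."""
    return any(SIGNATURE.search(payload) for _, payload in segments)

def reassemble(segments: List[Segment]) -> bytes:
    """Order segments by seq and rebuild the stream, discarding bytes already seen
    (retransmissions/overlaps). A gap stops reassembly in this simple model."""
    stream = b""
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if seq < len(stream):        # overlap: keep only the new tail
            payload = payload[len(stream) - seq:]
        elif seq > len(stream):      # missing data: cannot continue yet
            break
        stream += payload
    return stream

def stream_match(segments: List[Segment]) -> bool:
    """Stream-aware IDS: match the signature against the reassembled stream."""
    return SIGNATURE.search(reassemble(segments)) is not None

def demo() -> dict:
    segs = splice(REQUEST, [1, 3, 5, 2, 4])
    # Deliver out of order and with one retransmitted segment.
    disordered = list(reversed(segs)) + [segs[2]]
    return {"per_packet": per_packet_match(segs),
            "stream": stream_match(segs),
            "stream_disordered": stream_match(disordered)}

if __name__ == "__main__":
    print(demo())  # per-packet: False, stream: True, stream_disordered: True
```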