Nmap Development mailing list archives
Re: GSoC Feedback
From: ithilgore <ithilgore.ryu.l () gmail com>
Date: Fri, 27 Mar 2009 17:38:38 +0200
Ankur Nandwani wrote:
> Hey guys, I am a graduate student doing some research in the area of TCP/IP fingerprinting. I had a few ideas regarding SoC, which are as follows:
>
> I have noticed that Snort has signatures to detect probes sent by Nmap during OS detection. For example, the Snort rule with SID 629 (http://www.snort.org/pub-bin/sigs.cgi?sid=629) is designed to detect the T3 probe with the SYN, FIN, URG, and PSH flags set. I was thinking that if we could avoid the use of such probes, we could prevent the detection of Nmap probes by an intrusion prevention and detection system like Snort.
You could specify the option --scanflags and change the TCP flags which will be on at each probe. Additionally, Fyodor had presented at ShmooCon many ways to bypass Snort time-related rules and other IDS stuff: http://insecure.org/presentations/Shmoo06/
> Also, as Nmap sends 16 probes for each IP address during OS detection, I was wondering if we could do some work specifically in reducing the number of probes sent by Nmap.
Reducing the number of probes would probably lead to less accurate results. However, a discussion on removing the IE.DLI probe had started here: http://seclists.org/nmap-dev/2009/q1/0679.html
> I would be glad to hear your suggestions regarding the above ideas.
>
> Thanks & Regards
> Ankur
--
ithilgore
sock-raw.org

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
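The thread above refers to a Snort rule that keys on the flag combination of Nmap's T3 OS-detection probe (SYN, FIN, URG and PSH all set). The following is an added example, not code from the thread or from the Nmap or Snort projects, showing what such a detection check looks like from the defender's side: it parses raw TCP headers, extracts the flag bits, and flags any segment carrying that combination, which never occurs in a legitimate connection. The header builder, the sample packets and their addresses are constructed here for illustration.

```python
import struct

# TCP flag bits from the 13th byte of the header (RFC 793 layout).
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

# The flag combination the thread says Snort SID 629 looks for in the T3 probe.
T3_SIGNATURE = frozenset({"SYN", "FIN", "URG", "PSH"})


def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=1024):
    """Build a minimal 20-byte TCP header (constructed test input; checksum left zero)."""
    flag_byte = 0
    for name in flags:
        flag_byte |= FLAG_BITS[name]
    data_offset = 5 << 4  # 20-byte header, no options, reserved bits zero
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset, flag_byte, window, 0, 0)


def tcp_flags(header):
    """Return the set of flag names set in a raw TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    flag_byte = header[13]
    return frozenset(name for name, bit in FLAG_BITS.items() if flag_byte & bit)


def matches_t3_signature(header):
    """True when SYN, FIN, URG and PSH are all set, whatever else is set alongside them."""
    return T3_SIGNATURE <= tcp_flags(header)


def scan(packets):
    """Run the check over (source, header) pairs; return alerts as (source, sorted flag names)."""
    alerts = []
    for src, hdr in packets:
        if matches_t3_signature(hdr):
            alerts.append((src, sorted(tcp_flags(hdr))))
    return alerts


# Constructed sample traffic: an ordinary handshake SYN, a data segment,
# a T3-style probe, and a segment with no flags at all.
SAMPLE_PACKETS = [
    ("192.0.2.10", build_tcp_header(40000, 80, {"SYN"})),
    ("192.0.2.10", build_tcp_header(40001, 80, {"ACK", "PSH"})),
    ("192.0.2.77", build_tcp_header(50000, 22, {"SYN", "FIN", "URG", "PSH"})),
    ("192.0.2.77", build_tcp_header(50001, 22, set())),
]

if __name__ == "__main__":
    for src, flags in scan(SAMPLE_PACKETS):
        print(f"alert: T3-style probe from {src} flags={'+'.join(flags)}")
```

The check is a superset test rather than an equality test so that the probe is still caught if extra bits are set. As the reply notes, a signature keyed to one fixed flag combination only holds while the probe keeps those flags, so in practice it is paired with the timing- and sequence-based rules the ShmooCon talk discusses rather than relied on alone.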
Current thread:
- GSoC Feedback Ankur Nandwani (Mar 27)
- Re: GSoC Feedback ithilgore (Mar 27)
- Re: GSoC Feedback David Fifield (Mar 27)
- Re: GSoC Feedback David Fifield (Mar 27)
- Re: GSoC Feedback ithilgore (Mar 27)