Nmap Development mailing list archives
Re: New Nmap options for IDS interaction
From: David Fifield <david () bamsoftware com>
Date: Tue, 16 Mar 2010 12:43:09 -0600
On Tue, Mar 02, 2010 at 10:34:17PM +0100, Theo Dzierzbicki wrote:
> > Can you mock up some command lines showing how the new options would be used? I think that would help me understand your proposal.
>
> Certainly. Let's try to explain the use cases more clearly.
>
> Objective: avoid detection by IDSs during a port scan. Example IDS rules (taken directly from "Nmap Network Scanning"):
>
> o first use case: fixed time scale detection. The IDS watches for 'scanner-fixed-threshold' probe packets to any host in the network in 'scanner-fixed-window' seconds (both defaulting to 15 in Snort defaults)
>
> ---> Current solution: Single target: $ nmap --scan-delay 1075 $target
>
> o second use case: sliding time scale detection. Mostly the same principle as the above, only addition: each time the IDS sees a probe, it re-increases the window by a factor (Snort defaults: factor = 0.5, scanner-window = 20, scanner-threshold = 40). Illustration by an example: you send your first probe, triggering the mechanism. You then wait 10s, then send your second probe. The window, which was decreased to 10s, is re-augmented to 15s.
>
> ---> Current solution: Single target: $ nmap --scan-delay 20001
>
> Of course IDSs do not have only two rules. There are other behaviors to avoid if you really don't want to trigger anything, but for simple port scanning, these two types of rules seem to be the worst enemies.
So we have the fixed time scan detection, which is already solved with --scan-delay or --max-rate, but requires some calculation. I can see adding an option to do this calculation automatically.

The sliding time scan option is not well handled by Nmap; in fact the book recommends using a shell script or custom scanner for this case.

I seem to remember that flow-portscan, the Snort detection module described in the book, is not the newest/default scan detection module anymore. Does anyone know? What's the latest, and what sort of tunable parameters does it have?

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
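As an added illustration (not code from this thread, nor Snort's own implementation), here is a small Python model of the two rule types quoted above, run over probe timestamps, so a defender can check what a given threshold/window pair actually catches. The fixed rule counts probes in any window-second span; the sliding rule is modelled as the quoted message describes it (each counted probe pushes the window's close time out by factor times the gap since the previous probe), which is an assumption about flow-portscan's exact semantics, not a verified one.

```python
"""Model of Snort-style fixed and sliding portscan windows over probe arrival times."""
from typing import List, Optional, Tuple


def fixed_window_alert(times: List[float], threshold: int = 15, window: float = 15.0) -> bool:
    """Fixed time scale: alert when `threshold` probes fall within any `window`-second span.
    `times` are probe arrival times in seconds, sorted ascending (constructed input here)."""
    start = 0  # index of the oldest probe still inside the current span
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def sliding_window_trace(times: List[float], window: float = 20.0,
                         factor: float = 0.5) -> List[Tuple[int, float]]:
    """Sliding time scale (modelling assumption, see lead-in): the first probe opens a
    window closing `window` seconds later; each later probe arriving before it closes is
    counted and extends the close time by `factor` * (gap since the previous probe).
    Returns one (count, seconds_left) pair per probe."""
    trace: List[Tuple[int, float]] = []
    count = 0
    close_at: Optional[float] = None
    last = 0.0
    for t in times:
        if close_at is None or t > close_at:
            count, close_at = 1, t + window        # window expired: open a fresh one
        else:
            count += 1
            close_at += factor * (t - last)         # extend by factor x gap
        last = t
        trace.append((count, close_at - t))
    return trace


def sliding_window_alert(times: List[float], threshold: int = 40,
                         window: float = 20.0, factor: float = 0.5) -> bool:
    """Alert when the counted probes in one sliding window reach `threshold`."""
    return any(c >= threshold for c, _ in sliding_window_trace(times, window, factor))


def probe_times(n: int, delay: float) -> List[float]:
    """Constructed sample input: n probes spaced `delay` seconds apart, starting at 0."""
    return [i * delay for i in range(n)]
```

With the Snort defaults quoted above, the fixed rule fires for 1.0 s spacing but not for 1.075 s, reproducing the --scan-delay 1075 figure; under this sliding model a 40-probe threshold is reached only at roughly 1 s spacing or faster, and 20.001 s spacing never counts more than one probe per window.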