Nmap Development mailing list archives

avoiding scan detection by Snort


From: "Steven Alexander" <steve () cell2000 net>
Date: Wed, 28 May 2003 09:52:22 -0700

A default install of Snort is able to detect pings from Nmap and some other
tools. The rules are contained in the Snort rules file icmp.rules. Nmap is
identified by having no data in the ICMP packet.  The ping utilities
distributed with different operating systems include different data in the
packets.  A second file icmp-info.rules contains rules to detect ping
traffic from a variety of OSes. The second file is not used by Snort in a
default install.

Does anyone think it would be useful to include a command line option for
Nmap to mimic the pings of different OSes' supplied implementations? At best,
the pings wouldn't be detected by Snort (default install) and at worst they
would appear to be regular ping traffic from some OS (if the additional rule
file is enabled).  My copy of Nmap is already patched to mimic a particular
OS; the patch is trivial.  Thoughts?

-steven
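
The check the post describes (an ICMP echo request carrying no data), seen from the monitoring side, as an added example that is not part of the original post and is not Snort's or Nmap's code. It parses raw IPv4 packets and labels echo requests by payload length; the function names and sample packets are constructed for illustration.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum; returns 0 when run over data carrying a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def classify_echo(packet: bytes) -> str:
    """Label one raw IPv4 packet by the ICMP fields the post says the rule keys on."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    if packet[9] != 1:                      # IP protocol 1 = ICMP
        return "not-icmp"
    ihl = (packet[0] & 0x0F) * 4            # header length; skips IP options
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total_len < ihl + 8 or total_len > len(packet):
        return "malformed"
    icmp = packet[ihl:total_len]            # ignores link-layer padding after total_len
    if (icmp[0], icmp[1]) != (8, 0):        # type 8, code 0 = echo request
        return "not-echo-request"
    if inet_checksum(icmp) != 0:
        return "bad-checksum"
    return "empty-echo-request" if len(icmp) == 8 else "echo-request-with-data"

def build_echo(payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Constructed sample packet (never sent): IPv4 header with its checksum left 0."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                         bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return header + icmp

if __name__ == "__main__":
    samples = {"no data": build_echo(b""), "with data": build_echo(b"constructed payload")}
    for name, pkt in samples.items():
        print(f"{name:10} -> {classify_echo(pkt)}")
```

Payload length is taken from the IP total-length field rather than the captured frame size, so Ethernet padding on a 28-byte packet does not hide an empty echo request.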

