Nmap Development mailing list archives
avoiding scan detection by Snort
From: "Steven Alexander" <steve () cell2000 net>
Date: Wed, 28 May 2003 09:52:22 -0700
A default install of Snort is able to detect pings from Nmap and some other tools. The rules are contained in the Snort rules file icmp.rules. Nmap is identified by having no data in the ICMP packet. The ping utilities distributed with different operating systems include different data in the packets. A second file, icmp-info.rules, contains rules to detect ping traffic from a variety of OSes. The second file is not used by Snort in a default install.

Does anyone think it would be useful to include a command line option for Nmap to mimic the pings of different OSes' supplied implementations? At best, the pings wouldn't be detected by Snort (default install) and at worst they would appear to be regular ping traffic from some OS (if the additional rule file is enabled).

My copy of nmap is already patched to mimic a particular OS; the patch is trivial.

Thoughts?

-steven
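As an added illustration of the detection logic the post describes (this is not code from the post, from Nmap or from Snort): a small ICMP echo-request parser that applies the same distinction the default icmp.rules file is said to make, flagging an echo request that carries no data and reporting the payload size otherwise. The packets are constructed inline and the checksum routine follows RFC 792.

```python
import struct

# Classifies raw ICMP messages (everything after the IP header) the way the
# post says the default Snort rule set does: an echo request (type 8) with
# an empty data field is reported as Nmap-style; any other echo request is
# ordinary ping traffic carrying whatever data its OS ping utility adds.


def icmp_checksum(data: bytes) -> int:
    """RFC 792 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"                     # pad odd-length message
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """Build a valid echo request; used here only to construct sample input."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def classify_echo(packet: bytes) -> str:
    """Return a short verdict string for one ICMP message."""
    if len(packet) < 8:
        return "malformed"
    icmp_type, code, _csum, _ident, _seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type != 8 or code != 0:
        return "not-echo-request"
    # A message with a correct checksum field sums to zero under the
    # one's-complement arithmetic; anything else is corrupt.
    if icmp_checksum(packet) != 0:
        return "bad-checksum"
    payload = packet[8:]
    if not payload:
        return "empty-payload (nmap-style)"
    return "payload %d bytes" % len(payload)


if __name__ == "__main__":
    # Constructed samples: an empty echo request and a 56-byte one.
    for pkt in (build_echo(0x1234, 1, b""),
                build_echo(0x1234, 2, bytes(range(56)))):
        print(classify_echo(pkt))
```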
Current thread:
- avoiding scan detection by Snort Steven Alexander (May 28)
- Re: avoiding scan detection by Snort Fyodor (May 28)