Nmap Development mailing list archives

Re: avoiding scan detection by Snort


From: Fyodor <fyodor () insecure org>
Date: Wed, 28 May 2003 10:06:19 -0700

On Wed, May 28, 2003 at 09:52:22AM -0700, Steven Alexander wrote:

> Does anyone think it would be useful to include a command line option for
> Nmap to mimic the pings of different OSes' supplied implementations? At best,
> the pings wouldn't be detected by Snort (default install) and at worst they
> would appear to be regular ping traffic from some OS (if the additional rule
> file is enabled).

The --data_length option will defeat the default (0 length payload)
rule. Also, you can of course omit the ping stage entirely (-P0) or
use the many non-ICMP types.

If we decide the current approach is not stealthy enough, I would
probably just mimic one particular ping program (e.g. Linux) rather
than provide options to emulate a bunch of systems.

Cheers,
-F
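To make the detection point in the thread concrete, here is an added example (not code from the thread or from Nmap or Snort) that applies the same checks the Snort ICMP ping rules of that era used: an echo request (itype 8) with an empty payload is the default-Nmap signature, and an echo request carrying the Linux ping counter bytes at offset 16 is what the "regular ping traffic" rule keys on. Packet builder, addresses and timestamp are constructed test input; the IP header checksum is assumed irrelevant and left zero.

```python
import struct

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when run over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def classify_icmp_echo(packet: bytes) -> str:
    """Classify a raw IPv4 packet with the same checks the Snort ping rules use."""
    if len(packet) < 20:
        return "not-ip"
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:                       # IP protocol 1 = ICMP
        return "not-icmp"
    icmp = packet[ihl:]
    if len(icmp) < 8 or icmp[0] != 8:        # itype 8 = echo request
        return "not-echo-request"
    if icmp_checksum(icmp) != 0:
        return "bad-checksum"
    payload = icmp[8:]                       # the bytes Snort's dsize/content inspect
    if not payload:
        return "nmap-default"                # dsize:0; itype:8 (the default-install rule)
    # Linux ping: 8- or 16-byte timestamp, then counter bytes, so 0x10..0x1f sit at offset 16
    if payload[16:32] == bytes(range(0x10, 0x20)):
        return "linux-ping-like"             # content:"|10 11 ... 1f|"; depth:32
    return "other-echo"                      # e.g. an echo sent with a non-empty --data_length

def build_echo_request(payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Constructed test input: minimal IPv4 header + ICMP echo request."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", icmp_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + icmp                         # IP checksum left 0; classifier ignores it

def linux_ping_payload(size: int = 56) -> bytes:
    """Constructed Linux-ping-style payload: counter bytes with a timeval in front."""
    data = bytearray(i & 0xFF for i in range(size))
    data[0:8] = struct.pack("<II", 1054115779, 123456)   # constructed timestamp
    return bytes(data)

if __name__ == "__main__":
    for label, p in [("empty", b""), ("linux", linux_ping_payload()), ("32xA", b"A" * 32)]:
        print(label, classify_icmp_echo(build_echo_request(p)))
```

Note that only the empty-payload case trips the default rule; any non-empty payload that is not the Linux pattern lands in "other-echo", which is the gap the thread is discussing.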

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
