Re: GSoC Feedback

[ithilgore <ithilgore.ryu.l () gmail com>]

Ankur Nandwani wrote:
> Hey Guys,
>
> I am a Graduate student, doing some research in the area of TCP/IP fingerprinting. I had a few ideas regarding SoC, 
> which are as follows:-
>
> I have noticed that Snort has signatures to detect probes sent by Nmap during OS detection. For example, Snort rule 
> with SID: 629 (http://www.snort.org/pub-bin/sigs.cgi?sid=629) is designed to detect T3 probe with SYN, FIN, URG, and 
> PSH flags set. I was thinking, if we could avoid the use of such probes, we could prevent the detection of Nmap 
> probes by an Intrusion Prevention and Detection System like Snort.

 You could specify the option --scanflags and change the TCP flags which
 will be on at each probe. Additionally, Fyodor had presented at SchmooCon
 many ways to bypass Snort time-related rules and other ids stuff:
 http://insecure.org/presentations/Shmoo06/

> Also, as Nmap sends 16 probes for each IP address during OS detection, I was wondering if we could do some work 
> specifically in reducing the number of probes sent by Nmap.

 Reducing the number of probes would probably lead to less accurate
 results. However, a discussion on removing the the IE.DLI probe had
 started here:
 http://seclists.org/nmap-dev/2009/q1/0679.html


> I would be glad to hear your suggestions regarding the above ideas.
>
> Thanks & Regards
> Ankur

--
ithilgore
sock-raw.org

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org