Nmap Development mailing list archives

Re: GSoC Feedback


From: David Fifield <david () bamsoftware com>
Date: Fri, 27 Mar 2009 09:54:23 -0600

On Fri, Mar 27, 2009 at 09:35:04AM -0500, Ankur Nandwani wrote:
> I am a graduate student, doing some research in the area of TCP/IP
> fingerprinting. I had a few ideas regarding SoC, which are as
> follows:
>
> I have noticed that Snort has signatures to detect probes sent by Nmap
> during OS detection. For example, the Snort rule with SID 629
> (http://www.snort.org/pub-bin/sigs.cgi?sid=629) is designed to detect
> the T3 probe with SYN, FIN, URG, and PSH flags set. I was thinking that,
> if we could avoid the use of such probes, we could prevent the detection
> of Nmap probes by an Intrusion Prevention and Detection System like
> Snort.
>
> Also, as Nmap sends 16 probes for each IP address during OS detection,
> I was wondering if we could do some work specifically on reducing the
> number of probes sent by Nmap.

You probably want to be aware of this paper that evaluates the quality
of some of the probes sent by Nmap.

http://seclists.org/nmap-dev/2009/q1/0689.html
http://www.usenix.org/events/woot07/tech/full_papers/greenwald/greenwald.pdf

Maybe there is a way to reorder the probes so that "maximally
discriminating" probes--those that eliminate the most potential
fingerprints--are sent first. Then the next maximally discriminating
probe is sent for the remaining prints, and so on until only one print
is left or you run out of probes.

Preliminary work to see if it is worthwhile would be a standalone
program that builds the probe tree. A complication is that some probes
produce test results in more than one line of a fingerprint, so the tree
can't be structured strictly around the structure of prints.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
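A standalone probe-tree builder of the kind the reply sketches, added here as an example (it is not Nmap code and not from the thread). It greedily picks, at each node, the probe whose answer is expected to leave the fewest candidate prints, recurses on every distinct answer, and models a probe as the set of (line, test) keys it fills so that a probe whose results land on several fingerprint lines (as the SEQ probes do) is handled. The OS names, fingerprint values and the probe-to-line grouping are all constructed for this example; the line syntax only imitates nmap-os-db.

```python
"""Greedy probe-ordering tree over a small constructed OS fingerprint set.

Fingerprints are written in an nmap-os-db-like line syntax, e.g. T3(R=Y%DF=Y).
One probe may fill tests on several lines (Nmap's SEQ probes feed the SEQ, OPS,
WIN and T1 lines), so each probe is modelled as the set of (line, test) keys
its response fills rather than as a single line of the print.
"""
import re

# Assumed probe -> (line, test) grouping. Line and test names follow nmap-os-db
# conventions, but this assignment is a simplification made for the example.
PROBE_KEYS = {
    "SEQ": {("SEQ", "GCD"), ("SEQ", "TI"), ("OPS", "O1"), ("WIN", "W1"), ("T1", "DF")},
    "T2":  {("T2", "R")},
    "T3":  {("T3", "R"), ("T3", "DF")},
    "ECN": {("ECN", "R"), ("ECN", "W")},
    "U1":  {("U1", "R"), ("U1", "IPL")},
}

# Constructed fingerprints; names and values are made up for this example.
FINGERPRINTS_TEXT = {
    "OS-A": "SEQ(GCD=1%TI=I) OPS(O1=M5B4) WIN(W1=FFFF) T1(DF=Y) T2(R=N) T3(R=Y%DF=Y) ECN(R=Y%W=FFFF) U1(R=Y%IPL=164)",
    "OS-B": "SEQ(GCD=1%TI=I) OPS(O1=M5B4) WIN(W1=FFFF) T1(DF=Y) T2(R=N) T3(R=Y%DF=Y) ECN(R=N) U1(R=Y%IPL=38)",
    "OS-C": "SEQ(GCD=1%TI=Z) OPS(O1=M5B4ST11) WIN(W1=16A0) T1(DF=Y) T2(R=N) T3(R=N) ECN(R=Y%W=16A0) U1(R=Y%IPL=164)",
    "OS-D": "SEQ(GCD=1%TI=Z) OPS(O1=M5B4ST11) WIN(W1=16A0) T1(DF=Y) T2(R=N) T3(R=N) ECN(R=Y%W=16A0) U1(R=N)",
    "OS-E": "SEQ(GCD=4%TI=RD) OPS(O1=M5B4NW0) WIN(W1=2000) T1(DF=N) T2(R=Y) T3(R=N) ECN(R=Y%W=2000) U1(R=Y%IPL=164)",
    "OS-F": "SEQ(GCD=1%TI=I) OPS(O1=M5B4) WIN(W1=FFFF) T1(DF=Y) T2(R=Y) T3(R=Y%DF=Y) ECN(R=Y%W=FFFF) U1(R=Y%IPL=164)",
}

LINE_RE = re.compile(r"([A-Z0-9]+)\(([^)]*)\)")


def parse_fingerprint(text):
    """Turn 'T3(R=Y%DF=Y) ...' into {('T3','R'): 'Y', ('T3','DF'): 'Y', ...}."""
    tests = {}
    for line, body in LINE_RE.findall(text):
        for item in body.split("%"):
            if item:
                name, _, value = item.partition("=")
                tests[(line, name)] = value
    return tests


FINGERPRINTS = {name: parse_fingerprint(t) for name, t in FINGERPRINTS_TEXT.items()}


def probe_result(tests, probe):
    """Tuple of values a probe yields for one print; None marks tests the print
    lacks (e.g. no W value when ECN has R=N)."""
    return tuple(tests.get(key) for key in sorted(PROBE_KEYS[probe]))


def partition(candidates, probe):
    """Group candidate prints by the answer this probe would produce for them."""
    groups = {}
    for name in candidates:
        groups.setdefault(probe_result(FINGERPRINTS[name], probe), []).append(name)
    return groups


def expected_remaining(groups):
    """Sum of squared bucket sizes: proportional to the expected number of
    candidates still alive once the probe's answer is known (lower is better)."""
    return sum(len(g) ** 2 for g in groups.values())


def build_tree(candidates, unused):
    """Recursively choose the most discriminating unused probe for this set."""
    candidates = sorted(candidates)
    if len(candidates) <= 1 or not unused:
        return {"match": candidates}
    # Ties are broken by probe name so the tree is deterministic.
    score, best = min((expected_remaining(partition(candidates, p)), p) for p in unused)
    if score == len(candidates) ** 2:
        # No remaining probe separates these prints: stop with a multi-match leaf.
        return {"match": candidates}
    children = {answer: build_tree(names, unused - {best})
                for answer, names in partition(candidates, best).items()}
    return {"probe": best, "children": children}


def classify(tree, observed):
    """Walk the tree with observed {(line, test): value} results; returns the
    prints still consistent, or [] when an answer matches no branch."""
    while "probe" in tree:
        answer = probe_result(observed, tree["probe"])
        if answer not in tree["children"]:
            return []
        tree = tree["children"][answer]
    return tree["match"]


def probes_to_identify(tree, name):
    """Probe sequence the tree sends before reaching the leaf holding name."""
    path = []
    while "probe" in tree:
        path.append(tree["probe"])
        tree = tree["children"][probe_result(FINGERPRINTS[name], tree["probe"])]
    return path


TREE = build_tree(FINGERPRINTS, set(PROBE_KEYS))

if __name__ == "__main__":
    for name in FINGERPRINTS:
        print(name, "->", probes_to_identify(TREE, name))
```

On this constructed set the tree resolves every print with at most two of the five probes, and the T3 probe never appears on any path, which is the kind of result a standalone builder like this would be used to measure before touching Nmap itself. A real database has hundreds of prints with ranges and alternatives in its test values, so the partitioning would need to match Nmap's own value-matching rules rather than plain string equality.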