Snort mailing list archives
Re: ICMP PING NMAP
From: Fyodor <fyodor () insecure org>
Date: Thu, 21 Mar 2002 02:45:17 -0800
On Wed, Mar 20, 2002 at 11:57:01PM -0800, Bill McCarty wrote:
> Thing is, nmap isn't likely the source of packets coming from a Macintosh <grin>. I read the Snort signature as defining ICMP PING NMAP merely by a payload size of zero:
Not only can most other platforms create 0-byte-payload ping packets (e.g. on Linux use "ping -s 0"), but Nmap can create arbitrarily (within reason) sized ping packets using the --data_length option. So a pingscan like "nmap --data_length 40 -sP 192.168.0.0/16" would not trigger an alert. This is a new feature of Nmap 2.54BETA31, which was released yesterday at http://www.insecure.org/nmap/ .

Cheers,
Fyodor
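An added example, not part of the original message and not Snort's own code: it runs a payload-size-zero check, as the thread describes the signature, over constructed ICMP echo requests, next to a size-independent counter of distinct hosts pinged per source. The echo-type test, the threshold of 5, and all addresses and helper names are assumptions made for the illustration.

```python
import struct
from collections import defaultdict

ECHO_REQUEST = 8  # ICMP type for an echo request (ping)

def inet_checksum(data):
    """RFC 1071 ones'-complement checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(payload_len, ident=1, seq=1):
    """Constructed sample: ICMP echo request carrying payload_len zero bytes."""
    body = struct.pack("!HH", ident, seq) + b"\x00" * payload_len
    csum = inet_checksum(struct.pack("!BBH", ECHO_REQUEST, 0, 0) + body)
    return struct.pack("!BBH", ECHO_REQUEST, 0, csum) + body

def payload_size_zero(icmp):
    """Payload-size check as the thread describes it (echo type is assumed)."""
    return icmp[0] == ECHO_REQUEST and len(icmp) - 8 == 0

def size_rule_hits(events):
    """Sources flagged by the payload-size check alone."""
    return {src for src, _, icmp in events if payload_size_zero(icmp)}

def sweep_sources(events, threshold=5):
    """Sources that sent echo requests to >= threshold distinct hosts."""
    targets = defaultdict(set)
    for src, dst, icmp in events:
        if icmp[0] == ECHO_REQUEST:
            targets[src].add(dst)
    return {src for src, dsts in targets.items() if len(dsts) >= threshold}

# Constructed traffic (addresses and sizes are made up for this example).
EVENTS = [("10.0.0.5", "10.0.1.1", build_echo(0)),    # lone 0-byte ping
          ("10.0.0.7", "10.0.1.1", build_echo(56))]   # ordinary ping
# One source pinging six hosts with 40-byte payloads, as in the message.
EVENTS += [("10.0.0.9", "10.0.1.%d" % i, build_echo(40)) for i in range(1, 7)]

if __name__ == "__main__":
    print("payload-size check:", size_rule_hits(EVENTS))
    print("sweep counter:     ", sweep_sources(EVENTS))
```

The payload-size check flags only the single zero-byte ping and misses the padded sweep, while the per-source counter flags the sweep regardless of payload length.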