Snort mailing list archives

Re: ICMP PING NMAP


From: Fyodor <fyodor () insecure org>
Date: Thu, 21 Mar 2002 02:45:17 -0800

On Wed, Mar 20, 2002 at 11:57:01PM -0800, Bill McCarty wrote:

> Thing is, nmap isn't likely the source of packets coming from a Macintosh 
> <grin>. I read the Snort signature as defining ICMP PING NMAP merely by a 
> payload size of zero:

Not only can most other platforms create 0-byte-payload ping packets
(e.g., on Linux use "ping -s 0"), but Nmap can create arbitrarily (within
reason) sized ping packets using the --data_length option.  So a
pingscan like "nmap --data_length 40 -sP 192.168.0.0/16" would not
trigger an alert.  This is a new feature of Nmap 2.54BETA31, which was
released yesterday at http://www.insecure.org/nmap/ .

Cheers,
Fyodor
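
The point made in the message above, as an added example that is not part of the original post or of Snort: a payload-size-zero check flags a single zero-byte ping yet misses a padded sweep, while counting distinct destinations per source catches the sweep regardless of payload size. The addresses, the sample traffic, and the window and target thresholds are constructed assumptions.

```python
import struct
from collections import defaultdict

ECHO_REQUEST = 8

def echo_request(payload=b"", ident=1, seq=1):
    # Constructed ICMP echo request; checksum left 0 since neither check reads it.
    return struct.pack("!BBHHH", ECHO_REQUEST, 0, 0, ident, seq) + payload

def dsize_zero_match(icmp):
    # The check as read in the thread: echo request with a zero-byte payload.
    return len(icmp) >= 8 and icmp[0] == ECHO_REQUEST and len(icmp) - 8 == 0

def sweep_sources(events, window=10.0, min_targets=5):
    # Flag sources that ping >= min_targets distinct hosts within `window` seconds,
    # whatever the payload size. Both thresholds are assumed values.
    by_src = defaultdict(list)
    for ts, src, dst, icmp in events:
        if len(icmp) >= 8 and icmp[0] == ECHO_REQUEST:
            by_src[src].append((ts, dst))
    flagged = set()
    for src, hits in by_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if len({dst for _, dst in hits[start:end + 1]}) >= min_targets:
                flagged.add(src)
                break
    return flagged

def sample_events():
    # Constructed traffic: (timestamp, source, destination, ICMP bytes).
    events = [(0.0, "198.51.100.7", "192.168.1.10", echo_request())]  # one "ping -s 0"
    events += [(5.0 + i, "198.51.100.8", "192.168.1.10", echo_request(b"\x00" * 56, seq=i))
               for i in range(6)]                                     # ordinary ping, one host
    events += [(20.0 + 0.1 * i, "203.0.113.9", "192.168.0.%d" % (i + 1),
                echo_request(b"\x00" * 40))
               for i in range(8)]                                     # padded sweep, 8 hosts
    return events

def evaluate(events):
    # Returns (sources matched by the size check, sources flagged as sweeping).
    size_hits = {src for _, src, _, icmp in events if dsize_zero_match(icmp)}
    return size_hits, sweep_sources(events)

if __name__ == "__main__":
    print(evaluate(sample_events()))
```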

