Nmap Development mailing list archives

Re: FYI regarding nmap-payloads, Snort evasion, etc.


From: David Fifield <david () bamsoftware com>
Date: Fri, 20 Apr 2012 16:41:30 -0700

On Fri, Apr 20, 2012 at 04:37:27PM -0500, Daniel Miller wrote:
> I ran across this while testing scan types against Snort IDS. Two of
> the payloads (xdmcp for 177/udp and Amanda for 10080/udp) trigger
> two default rules (sid:1867 and sid:634) when directed from external
> to internal addresses.
>
> After some thought, I considered implementing an option to turn off
> payloads, listing it under IDS evasion methods. However, after
> digging in the code, I found out that using --data-length 0 would
> have the exact same effect (as far as I am aware).

Yes, --data-length 0 is the way to turn off UDP payloads.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

