Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: FYI regarding nmap-payloads, Snort evasion, etc.
From: David Fifield <david () bamsoftware com>
Date: Fri, 20 Apr 2012 16:41:30 -0700

On Fri, Apr 20, 2012 at 04:37:27PM -0500, Daniel Miller wrote:
I ran across this while testing scan types against Snort IDS. Two of
the payloads (xdmcp for 177/udp and Amanda for 10080/udp) trigger
two default rules (sid:1867 and sid:634) when directed from external
to internal addresses.

After some thought, I considered implementing an option to turn off
payloads, listing it under IDS evasion methods. However, after
digging in the code, I found out that using --data-length 0 would
have the exact same effect (as far as I am aware).

Yes --data-length 0 is the way to turn off UDP payloads.

David Fifield
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]