Re: FYI regarding nmap-payloads, Snort evasion, etc.
From: David Fifield <david () bamsoftware com>
Date: Fri, 20 Apr 2012 16:41:30 -0700

On Fri, Apr 20, 2012 at 04:37:27PM -0500, Daniel Miller wrote:
> I ran across this while testing scan types against Snort IDS. Two of
> the payloads (xdmcp for 177/udp and Amanda for 10080/udp) trigger
> two default rules (sid:1867 and sid:634) when directed from external
> to internal addresses.
>
> After some thought, I considered implementing an option to turn off
> payloads, listing it under IDS evasion methods. However, after
> digging in the code, I found out that using --data-length 0 would
> have the exact same effect (as far as I am aware).

Yes --data-length 0 is the way to turn off UDP payloads.
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/