[Snort-users] ICMP PING NMAP
fyodor at ...306...
Thu Mar 21 02:46:07 EST 2002
On Wed, Mar 20, 2002 at 11:57:01PM -0800, Bill McCarty wrote:
> Thing is, nmap isn't likely the source of packets coming from a Macintosh
> <grin>. I read the Snort signature as defining ICMP PING NMAP merely by a
> payload size of zero:
Not only can most other platforms create 0-byte-payload ping packets
(e.g., on Linux use "ping -s 0"), but Nmap can create arbitrarily (within
reason) sized ping packets using the --data_length option. So a
pingscan like "nmap --data_length 40 -sP 192.168.0.0/16" would not
trigger an alert. This is a new feature of Nmap 2.54BETA31, which was
released yesterday at http://www.insecure.org/nmap/ .
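
Added example, not part of the original post and not Snort's own rule code: a Python sketch comparing the payload-size-zero check discussed in this thread with a check that counts distinct hosts pinged per source. The packets, addresses (documentation ranges), thresholds and function names are all constructed for illustration.

```python
import struct
from collections import defaultdict

ECHO_REQUEST = 8

def icmp_checksum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(ident: int, seq: int, payload_len: int) -> bytes:
    """Constructed ICMP echo request carrying payload_len zero bytes."""
    payload = bytes(payload_len)
    header = struct.pack("!BBHHH", ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ECHO_REQUEST, 0, csum, ident, seq) + payload

def parse_echo(icmp: bytes):
    """Payload length of a valid echo request, or None for anything else."""
    if len(icmp) < 8 or icmp[0] != ECHO_REQUEST or icmp_checksum(icmp) != 0:
        return None
    return len(icmp) - 8

def size_zero_alerts(events):
    """Sources flagged when the only test is 'echo request with no payload'."""
    return {src for _, src, _, icmp in events if parse_echo(icmp) == 0}

def sweep_alerts(events, min_hosts=10, window=5.0):
    """Sources that ping >= min_hosts distinct hosts within window seconds."""
    seen = defaultdict(list)  # src -> [(time, dst)] still inside the window
    flagged = set()
    for ts, src, dst, icmp in sorted(events, key=lambda e: e[0]):
        if parse_echo(icmp) is None:
            continue
        seen[src] = [(t, d) for t, d in seen[src] if ts - t <= window] + [(ts, dst)]
        if len({d for _, d in seen[src]}) >= min_hosts:
            flagged.add(src)
    return flagged

# Constructed traffic: one source pinging 20 hosts with 40-byte payloads,
# and one source sending a single zero-payload ping.
SWEEPER, SINGLE = "198.51.100.5", "198.51.100.9"
EVENTS = [(i * 0.1, SWEEPER, "192.0.2.%d" % (i + 1), build_echo(1, i, 40))
          for i in range(20)]
EVENTS.append((0.5, SINGLE, "192.0.2.50", build_echo(2, 0, 0)))

if __name__ == "__main__":
    print("size-zero check:", size_zero_alerts(EVENTS))
    print("sweep check:    ", sweep_alerts(EVENTS))
```

On this sample the size-only check flags the single zero-payload ping and misses the 20-host sweep, while the per-source host count flags the sweep regardless of payload size.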