[Snort-users] ICMP PING NMAP

Fyodor fyodor at ...306...
Thu Mar 21 02:46:07 EST 2002

On Wed, Mar 20, 2002 at 11:57:01PM -0800, Bill McCarty wrote:
> Thing is, nmap isn't likely the source of packets coming from a Macintosh 
> <grin>. I read the Snort signature as defining ICMP PING NMAP merely by a 
> payload size of zero:

Not only can most other platforms create 0-byte-payload ping packets
(eg on Linux use "ping -s 0"), but Nmap can create arbitrarily (within
reason) sized ping packets using the --data_length option.  So a
pingscan like "nmap --data_length 40 -sP" would not
trigger an alert.  This is a new feature of Nmap 2.54BETA31, which was
released yesterday at http://www.insecure.org/nmap/ .


More information about the Snort-users mailing list