Nmap Announce mailing list archives
Re: Intrusion detection question.
From: Michel Arboi <arboi () bigfoot com>
Date: 10 Feb 2000 09:51:15 +0100
"Daniel Swan" <swan_daniel () my-Deja com> writes:
> The best example is a source port of 61000-650096 (Possible linux masquerading box)

Well, a masquerading Linux box will announce its OS like this, but a BSD with IP Filter could mimic it:

map ppp0 10.0.0.0/8 -> ppp0/32 portmap tcp/udp 61000:65095

> I am wondering if there are any other rules of thumb, or even a canonical list of what we can tell from source port.

A couple of ideas:
- are there different allocation algorithms for source ports? e.g., first free port above 1023, or random free port above 1023...
- when will a TCP port be reused once the connection is closed?

-- 
mailto:arboi () bigfoot com
http://www.bigfoot.com/~arboi/
GPG Public keys: http://www.bigfoot.com/~arboi/pubkey.txt
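The source-port heuristics discussed in this message, sketched as an added example that is not part of the original post: it groups observed source ports per host and labels the pattern as inside the 61000:65095 range from the portmap rule above, as sequential allocation, or as scattered. The sample observations, the label names and the `min_samples` and `max_step` thresholds are assumptions made for illustration.

```python
from collections import defaultdict

# Port range taken from the IP Filter portmap rule quoted in the reply.
MASQ_LOW, MASQ_HIGH = 61000, 65095

# Constructed sample observations: (source IP, source port) in arrival order.
SAMPLE = [
    ("192.0.2.10", 61012), ("192.0.2.10", 63340),
    ("192.0.2.10", 61977), ("192.0.2.10", 64501),
    ("192.0.2.20", 1025), ("192.0.2.20", 1026),
    ("192.0.2.20", 1028), ("192.0.2.20", 1029),
    ("192.0.2.30", 40211), ("192.0.2.30", 2177),
    ("192.0.2.30", 58003), ("192.0.2.30", 12950),
    ("192.0.2.40", 3001),
]


def classify(ports, min_samples=4, max_step=16):
    """Label one host's source-port sequence (thresholds are assumed values)."""
    if len(ports) < min_samples:
        return "insufficient-data"
    # Every port inside the masquerading range: a Linux masquerading box,
    # or anything configured to map into the same range (e.g. IP Filter).
    if all(MASQ_LOW <= p <= MASQ_HIGH for p in ports):
        return "nat-range"
    # "First free port above 1023" style allocation shows small positive
    # steps between consecutive connections; tolerate one wrap-around.
    steps = [b - a for a, b in zip(ports, ports[1:])]
    small = sum(1 for s in steps if 0 < s <= max_step)
    if small >= len(steps) - 1:
        return "sequential"
    return "scattered"


def profile(observations):
    """Group observations by source IP and classify each host."""
    by_host = defaultdict(list)
    for ip, port in observations:
        by_host[ip].append(port)
    return {ip: classify(ports) for ip, ports in by_host.items()}


if __name__ == "__main__":
    for ip, label in profile(SAMPLE).items():
        print(ip, label)
```

A `nat-range` label is a hint only: as the reply points out, the same range can be produced by a non-Linux host, so it should not be treated as an OS identification.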