Re: quake3 opportunistic portrule

[David Fifield <david () bamsoftware com>]

On Sat, Jan 01, 2011 at 01:41:43PM +0200, Toni Ruottu wrote:
> One more time. This takes into account servers advertised at
> dpmaster.deathmask.net. I commented that out while debugging the new
> code, and only remembered it afterwards. The previous results used
> only master.quake3arena.com, while the first flawed scan included
> servers from both meta servers.
>
> 14445: 275
> 14701: 49
> 14957: 33
> 15213: 16
> 15725: 14
> 17005: 13
> 15469: 12
> 19565: 8
> 17517: 8

I read your later message that the ports are byte-swapped. Unswapping
them results in

27960: 275
27961: 49
27962: 33
27963: 16
27965: 14
27970: 13
27964: 12
27980: 8
27972: 8
27966: 8
27015: 7
27971: 7
27969: 6
27967: 6
26000: 4
28000: 4
27973: 4
27968: 4
27100: 3
27300: 3
...

It looks like the portrule should contain ports 27960-27965 at least. I
would probably expand that to 27960-27970. The Quake3_getstatus probe in
nmap-service-probes currently uses 27960-27964, as does the UDP payload
in nmap-payloads.

But the portrule doesn't have to be expansive in port numbers. People
should run your script in conjunction with version detection. We have
lots of match lines for quake3 servers. Just have the portrule return
true if it's one of a few known ports or the service is "quake3".

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/