Nmap Development mailing list archives
Re: [Branch] --ignore-after
From: Jay Bosamiya <jaybosamiya () gmail com>
Date: Mon, 18 Aug 2014 18:00:49 +0530
On Sunday 17 August 2014 11:41 AM, Fyodor wrote:
> Here it is only 3 days later and I'm already second guessing myself :). I'm starting to think that "50%,80" would be better for -T4. That way, for -F, we'd only ignore if at least 80 ports were open. And for a default (1,000 port) scan, we'd only skip if 500 or more were open. I think 500 open ports out of 1,000 is not a normal system and doing version detection and NSE against all those will likely waste a lot of time. For -T5, maybe a "40%,60" threshold would be good.
>
> Right now, in the nmap-exp branch, -T4 gives "90%,90" and -T5 gives "80%,80". This means, even with -T5, an all-ports scan ("-p-") would require 52,428 open ports before bailing. With "40%,60", we could quit sooner--after 26,214 open ports found. And for a default (ports) scan, we could move on after 400 open instead of waiting for 800.
>
> Cheers,
> Fyodor
I've been confused about the constants ever since I initially put them in. Over time, I've been wanting to keep reducing the constants. I think that the only way we are going to be able to decide on good values is if we can decide upon what is the "normal" number of open ports and what is not.

For the min open ports (the num part of "per%,num"), I think that 80 for -T4 and 60 for -T5 makes sense. However, I'd suggest dropping the percentage part even further. For a default scan (1000 port), more than 100 open ports is not "normal" IMHO. When we go into all-ports scan, waiting even until 26,214 too seems unneeded. I've yet to come across a "normal" system with more than 50 open ports. However, people who've been using Nmap for longer than I have might be able to give a better insight into this.

Currently, I propose -T4 = "10%,80", -T5 = "5%,60"

This would work this way:

Scan type              Number of ports   Number of ports after        Number of ports after
                       scanned           which to ignore (for -T4)    which to ignore (for -T5)
Fast scan "-F"         100               80                           60
Default Scan           1000              100                          60
All port scan "-p-"    65,535            6,554                        3,277

What do you all think?

Cheers,
Jay

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
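
Added example, not part of either message and not code from the nmap-exp branch: a small calculator for comparing "per%,num" proposals across scan sizes. It assumes the threshold is the larger of the percentage of scanned ports (rounded up) and the minimum count, which is inferred from the figures quoted in the thread; all function and variable names are hypothetical.

```python
import re

# "per%,num" as written in the thread, e.g. "10%,80"
SPEC_RE = re.compile(r"^(\d{1,3})%,(\d+)$")

# Scan sizes discussed in the thread
SCANS = {'Fast scan "-F"': 100, "Default scan": 1000, 'All port scan "-p-"': 65535}

# Values quoted in the thread (labels are this example's own)
PROPOSALS = {
    "nmap-exp -T4": "90%,90", "nmap-exp -T5": "80%,80",
    "Fyodor -T4": "50%,80", "Fyodor -T5": "40%,60",
    "Jay -T4": "10%,80", "Jay -T5": "5%,60",
}


def parse_spec(spec):
    """Parse a "per%,num" string into (percent, min_open)."""
    m = SPEC_RE.match(spec.strip())
    if not m:
        raise ValueError(f"bad spec {spec!r}, expected 'per%,num'")
    percent, min_open = int(m.group(1)), int(m.group(2))
    if percent > 100:
        raise ValueError(f"percentage out of range in {spec!r}")
    return percent, min_open


def ignore_threshold(spec, ports_scanned):
    """Open-port count at which the host would be ignored.

    Assumption (inferred from the thread's numbers): the threshold is
    max(ceil(per% of ports scanned), num). Integer math avoids float
    rounding surprises on 65,535 ports.
    """
    percent, min_open = parse_spec(spec)
    by_percent = (ports_scanned * percent + 99) // 100  # ceiling division
    return max(by_percent, min_open)


def compare(proposals=PROPOSALS, scans=SCANS):
    """Return {proposal: {scan: threshold}} for side-by-side review."""
    return {name: {scan: ignore_threshold(spec, n) for scan, n in scans.items()}
            for name, spec in proposals.items()}


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:14}", "  ".join(f"{s}: {t:>6,}" for s, t in row.items()))
```

A threshold larger than the number of ports scanned (for example "10%,80" on a 20-port scan) can never be reached, so under this assumption such a scan is never cut short.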