Nmap Announce mailing list archives

Intrusion detection question.
From: "Daniel Swan" <swan_daniel () my-Deja com>
Date: Wed, 09 Feb 2000 14:17:53 -0800

I know this is slightly off topic, but there is a high degree of ID talent on this list, and I haven't been able to get any answers elsewhere.

Question:  Sometimes the source port of a scan gives a clue as to the tool used to scan.  The best example is a source port of 61000-650096 (Possible Linux masquerading box).  I am wondering if there are any other rules of thumb, or even a canonical list of what we can tell from source port.

(Mundane stuff like SMB and FTP doesn't count!  I'm more interested in esoteric stuff like tools and OS's.)


Ps.  FYI, I saw in one of the security NG's today that a Linux kernel patch has been released that is designed to confuse fingerprinting.

--== Sent via Deja.com http://www.deja.com/ ==--
Share what you know. Learn what you don't.
