Home page logo
/

Nmap Announce mailing list archives

Re: Intrusion detection question.
From: Michel Arboi <arboi () bigfoot com>
Date: 10 Feb 2000 09:51:15 +0100

"Daniel Swan" <swan_daniel () my-Deja com> writes:

The best example is a source port of 61000-650096 (Possible linux
masquerading box)

Well, a masquerading Linux box will announce its OS like this, but a
BSD with IP Filter could mimick it:
        map ppp0 10.0.0.0/8 -> ppp0/32 portmap tcp/udp 61000:65095

I am wondering if there are any other rules of 
thumb, or even a canonical list of what we can tell from source
port.  

A couple of ideas:
- are there different allocation algorithms for source ports? 
e.g., first free port above 1023, or random free port above 1023...
- when will a TCP port be reused once the connection is closed? 

-- 
mailto:arboi () bigfoot com     http://www.bigfoot.com/~arboi/
GPG Public keys: http://www.bigfoot.com/~arboi/pubkey.txt



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]