|
Nmap Hackers
mailing list archives
Re: Intrusion detection question.
From: Michel Arboi <arboi () bigfoot com>
Date: 10 Feb 2000 09:51:15 +0100
"Daniel Swan" <swan_daniel () my-Deja com> writes:
The best example is a source port of 61000-650096 (Possible linux
masquerading box)
Well, a masquerading Linux box will announce its OS like this, but a
BSD with IP Filter could mimick it:
map ppp0 10.0.0.0/8 -> ppp0/32 portmap tcp/udp 61000:65095
I am wondering if there are any other rules of
thumb, or even a canonical list of what we can tell from source
port.
A couple of ideas:
- are there different allocation algorithms for source ports?
e.g., first free port above 1023, or random free port above 1023...
- when will a TCP port be reused once the connection is closed?
--
mailto:arboi () bigfoot com http://www.bigfoot.com/~arboi/
GPG Public keys: http://www.bigfoot.com/~arboi/pubkey.txt
 By Date 
By Thread
Current thread:
- fooling nmap, (continued)
Re: Intrusion detection question. Michel Arboi (Feb 10)
Re: Intrusion detection question. Bart van Leeuwen (Feb 10)
| 
Intro
