Nmap Announce mailing list archives

Intrusion detection question.


From: "Daniel Swan" <swan_daniel () my-Deja com>
Date: Wed, 09 Feb 2000 14:17:53 -0800

I know this is slightly off topic, but there is a high degree of ID talent on this list, and I haven't been able to get any answers elsewhere.

Question: Sometimes the source port of a scan gives a clue as to the tool used to scan. The best example is a source port of 61000-650096 (possible Linux masquerading box). I am wondering if there are any other rules of thumb, or even a canonical list of what we can tell from source port.

(Mundane stuff like SMB and FTP doesn't count!  I'm more interested in esoteric stuff like tools and OS's.)

Thanks, 
Dan.

P.S. FYI, I saw in one of the security NG's today that a Linux kernel patch has been released that is designed to confuse fingerprinting.




