Nmap Development mailing list archives
Re: Nmap's default ports
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Sun, 30 Jul 2006 18:31:41 +0000
On Sun, 2006-07-30 at 14:08 +0200, 4N9e Gutek wrote:
> Hi
>
> In order to monitor this kind of popularity, why not consider the SANS classification?
> http://isc.sans.org/port_report.php?date=2006-07-30&&s=sources&a=0&l=20&d=desc
>
> Cheers,
> --
> Gutek.
> mailto: 4N9e[at]futurezone[dot]biz

My experience from the SANS data is that a lot of it is collected from firewall logs on dynamic IPs or from NATd networks, so a lot of it is tainted by P2P afterglow. Also, the data is passively collected based on what is being scanned on contributors' machines, not what is likely to be open on a target machine.

For example, port 1026/UDP is the top port -- not because it is the *most* common but because if you want to send Microsoft Messenger Service spam it is one of the ports to use.

Or take the second port on the list, 4672/TCP -- used by eDonkey clones. There aren't really 43071 different people scanning that port. It is up there because there are enough people who have inherited a dynamic IP from a former eDonkey user or people who have their NAT set up wrong so that the data is skewed.

The SANS data is great but it just isn't the right data for this purpose.

Brandon

--
Brandon Enright
Network Security Analyst
UCSD ACS/Network Operations
bmenrigh () ucsd edu

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev