Nmap Development mailing list archives

Re: Nmap's default ports


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Sun, 30 Jul 2006 18:31:41 +0000

On Sun, 2006-07-30 at 14:08 +0200, 4N9e Gutek wrote:
> Hi
>
> In order to monitor this kind of popularity, why not
> consider the SANS classification?
>
> http://isc.sans.org/port_report.php?date=2006-07-30&&s=sources&a=0&l=20&d=desc
>
> Cheers,
>
> --
> Gutek.
> mailto: 4N9e[at]futurezone[dot]biz


My experience from the SANS data is that a lot of it is collected from
firewall logs on dynamic IPs or from NAT'd networks, so a lot of it is
tainted by P2P afterglow.

Also, the data is passively collected based on what is being scanned on
contributors' machines, not what is likely to be open on a target
machine.

For example, port 1026/UDP is the top port -- not because it is the
*most* common but because if you want to send Microsoft Messenger
Service spam it is one of the ports to use.

Or take the second port on the list, 4672/TCP -- used by eDonkey clones.
There aren't really 43071 different people scanning that port.  It is up
there because there are enough people who have inherited a dynamic IP
from a former eDonkey user or people who have their NAT set up wrong so
that the data is skewed.

The SANS data is great but it just isn't the right data for this
purpose.

Brandon

-- 
Brandon Enright
Network Security Analyst
UCSD ACS/Network Operations
bmenrigh () ucsd edu


