Re: Trend Micro OfficeScan service fingerprint

[doug () hcsw org]

Hi Tom,

On Sun, Dec 30, 2007 at 07:38:49AM -0600 or thereabouts, Tom Sellers wrote:
> OfficeScan 6.x and 7.x listen on port 12345 so the probe should detect them.
> OfficeScan 8.x uses a random port on the client.  What are the benefits of
> limiting the fingerprint to port 12345?

The ports directive in a probe is more of a "commonly
seen ports" list. In this case, it will ensure that
the OfficeScan probe is applied second (after Help,
which also lists 12345) so hopefully the scan should
be faster. Also, I am under the impression that
OfficeScan is fairly rare meaning that we probably
don't want to apply this port against every service,
slowing down all scans. You can change this behaviour
by using "--version-intensity 9" to make sure that
every probe is applied to every service.

That is a shame that OfficeScan 8.x uses a random port...
Hopefully the NULL fallback will catch (some?) of those
clients.

Best,

Doug

Attachment: signature.asc
Description: Digital signature

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org