Re: [Branch] --ignore-after

[Fyodor <fyodor () nmap org>]

On Wed, Aug 13, 2014 at 6:52 PM, Fyodor <fyodor () nmap org> wrote:

> On Wed, Jul 30, 2014 at 5:12 AM, Jay Bosamiya <jaybosamiya () gmail com>
> wrote:
>
> I think "80%,80" would be good for -T4.  The "60%,60" value for -T5 sounds
> good to me.

Here it is only 3 days later and I'm already second guessing myself :).
 I'm starting to think that "50%,80" would be better for -T4.  That way,
for -F, we'd only ignore if at least 80 ports were open.  And for a default
(1,000 port) scan, we'd only skip if 500 or more were open.  I think 500
open ports out of 1,000 is not a normal system and doing version detection
and NSE against all those will likely waste a lot of time.

For -T5, maybe a "40%,60" threshold would be good.

Right now, in the nmap-exp branch, -T4 gives "90%,90" and -T5 gives
"80%,80".  This means, even with -T5, an all-ports scan ("-p-") would
require 52,428 open ports before bailing.  With "40%,60", we could quit
sooner--after 26,214 open ports found.  And for a default (ports) scan, we
could move on after 400 open instead of waiting for 800.

Cheers,
Fyodor
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/