Nmap Announce mailing list archives

Re: Intrusion detection question.

From: Michel Arboi <arboi () bigfoot com>
Date: 10 Feb 2000 09:51:15 +0100

"Daniel Swan" <swan_daniel () my-Deja com> writes:

The best example is a source port of 61000-650096 (Possible linux
masquerading box)


Well, a masquerading Linux box will announce its OS like this, but a
BSD with IP Filter could mimick it:
        map ppp0 10.0.0.0/8 -> ppp0/32 portmap tcp/udp 61000:65095

I am wondering if there are any other rules of 
thumb, or even a canonical list of what we can tell from source
port.


A couple of ideas:
- are there different allocation algorithms for source ports? 
e.g., first free port above 1023, or random free port above 1023...
- when will a TCP port be reused once the connection is closed? 

-- 
mailto:arboi () bigfoot com     http://www.bigfoot.com/~arboi/
GPG Public keys: http://www.bigfoot.com/~arboi/pubkey.txt

Current thread:

Intrusion detection question. Daniel Swan (Feb 09)
- Re: Intrusion detection question. Vanja Hrustic (Feb 09)
  - Re: Intrusion detection question. Jose Nazario (Feb 10)
  - fooling nmap Bep Verberk (Feb 10)
    - Re: fooling nmap Lance Spitzner (Feb 10)
    - Re: fooling nmap CyberPsychotic (Feb 11)
    - Re: fooling nmap Vanja Hrustic (Feb 11)
    - Re: fooling nmap The Cyberiad (Feb 11)
- Re: Intrusion detection question. Michel Arboi (Feb 10)
  - Re: Intrusion detection question. Tomi Ollila (Feb 10)
    - Re: Intrusion detection question. Michel Arboi (Feb 14)
    - Re: Intrusion detection question. Tomi Ollila (Feb 21)
  - Re: Intrusion detection question. Bart van Leeuwen (Feb 10)