Re: Major SIPOptions probe reorganisation

[Fyodor <fyodor () insecure org>]

On Thu, Jun 19, 2008 at 10:31:13PM -0700, doug () hcsw org wrote:
> On second thought, maybe moving the probe up isn't a good idea
> since it has a rarity of 5. This means that SIPOptions will be
> applied before GetRequest on unknown ports which probably is
> undesirable. I can think of two fixes:

Hi Doug.  I'm glad to see all the improvements to nmap-service-probes.
I agree with your point that having SIPOptions applied before
GetRequest for unknown ports is undesirable.

> * Move SIPOptions back down and just let GetRequest be applied
>   to 5060 before SIPOptions

Sounds like a reasonable option.

> * Boost the rarity of SIPOptions

Is SIP ever found on ports 5060?  In other words, is it a service like
SMTP which is almost always found on the same port for the protocol to
work properly, or more like http which you find all over the place?
If it is almost always on 5060 (or a discrete set of ports we can
list), then boosting the rarity sounds like a reasonable option.  I
think it is an important and growing protocol though, so we shouldn't
boost the rarity if it will cause a lot of misses.

Cheers,
-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org