Nmap Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: quake3 opportunistic portrule

From: Toni Ruottu <toni.ruottu () iki fi>
Date: Sat, 1 Jan 2011 21:30:16 +0200
Oh dear, this is starting to feel like a comedy. I read the port bytes
in wrong order so all the port numbers in my results are wrong. The
distribution is still correct though. I made some architectural
changes to my scripts so it will take a while before I can redo the
scanning. This should not affect my original question about defining
opportunistic portrules. I still do not know what to do with that one.

  sorry about spamming the list with faulty results, --Toni

On Sat, Jan 1, 2011 at 1:41 PM, Toni Ruottu <toni.ruottu () iki fi> wrote:

One more time. This takes into account servers advertised at
dpmaster.deathmask.net. I commented that out while debugging the new
code, and only remembered it afterwards. The previous results used
only master.quake3arena.com, while the first flawed scan included
servers from both meta servers.

14445: 275
14701: 49
14957: 33
15213: 16
15725: 14
17005: 13
15469: 12
19565: 8
17517: 8
15981: 8
34665: 7
17261: 7
16749: 6
16237: 6
36965: 4
24685: 4
17773: 4
16493: 4
56425: 3
42090: 3
30825: 3
22125: 3
18285: 3
18029: 3
16490: 3
12405: 3
11885: 3
54380: 2
53360: 2
50538: 2
33385: 2
28845: 2
19821: 2
18541: 2
14451: 2
13165: 2
9325: 2
8305: 2
2155: 2
2130: 2
64620: 1
62060: 1
61525: 1
61300: 1
61214: 1
61168: 1
60644: 1
59876: 1
59592: 1
59497: 1
59120: 1
59094: 1
59081: 1
58985: 1
58217: 1
57829: 1
57277: 1
56813: 1
56462: 1
55536: 1
55410: 1
53589: 1
53355: 1
53191: 1
53078: 1
52855: 1
52821: 1
52620: 1
51824: 1
51568: 1
51312: 1
51285: 1
51187: 1
49245: 1
49008: 1
48945: 1
48752: 1
47564: 1
47332: 1
47240: 1
46945: 1
46820: 1
46296: 1
45134: 1
44744: 1
43630: 1
43105: 1
41587: 1
41143: 1
41075: 1
40805: 1
40394: 1
40152: 1
40131: 1
39790: 1
39671: 1
39426: 1
39020: 1
38879: 1
38595: 1
37748: 1
36979: 1
36573: 1
36068: 1
35689: 1
35556: 1
35267: 1
35177: 1
33645: 1
33387: 1
33131: 1
32617: 1
31683: 1
31405: 1
31081: 1
29101: 1
28178: 1
28052: 1
27755: 1
27002: 1
26737: 1
26480: 1
26411: 1
26111: 1
25965: 1
25065: 1
24941: 1
24862: 1
24635: 1
24429: 1
23405: 1
23149: 1
23102: 1
22637: 1
22474: 1
20845: 1
20585: 1
19655: 1
18797: 1
18581: 1
18545: 1
18510: 1
17391: 1
16415: 1
14738: 1
14597: 1
14207: 1
13698: 1
13421: 1
13420: 1
12672: 1
12141: 1
11700: 1
9933: 1
8739: 1
8053: 1
7797: 1
7285: 1
6885: 1
6765: 1
5654: 1
5537: 1
4716: 1
4213: 1
4205: 1
3825: 1
3180: 1
1645: 1
1396: 1
1220: 1
1140: 1
555: 1
4: 1
0: 1

On Sat, Jan 1, 2011 at 1:34 PM, Toni Ruottu <toni.ruottu () iki fi> wrote:

The previous port popularity had dupes in it. I wrote the code for
dropping duplicates today, and made another scan with the new code.
Here are the results:




On Fri, Dec 31, 2010 at 11:18 AM, Toni Ruottu <toni.ruottu () iki fi> wrote:

On another thread, I was discussing precise scanning of publicly
advertised quake3 servers. The other part of the story involves
detecting and scanning quake3 servers upon stumbling on an open port
during a regular port scan. It seems there is no ultimate default port
for running a quake3 server. However, some ports are more common,
presumably some of them are default configurations of some server
software. Below are some statistics I gathered today regarding the
amount of servers using a specific port number. Now the open question
is, which port numbers should I include in the port rule? The options
might include 1) all of the ports 2) anything used more than once 3)
anything used more than, say 10 times 4) top-3 5) only 14445 6) none

 what do you think?, --Toni





_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
Previous By Date Next
Previous By Thread Next

Current thread: