Nmap Development mailing list archives

Re: portspoof IDS trouble


From: Fyodor <fyodor () nmap org>
Date: Mon, 7 Jul 2014 21:23:43 -0700

On Tue, Jun 24, 2014 at 6:53 AM, Jay Bosamiya <jaybosamiya () gmail com> wrote:


I wrote a patch (attached) that does this. Using --forget-after X makes
Nmap forget any host that has more than X open ports.
This patch may need improvement and testing before it can be considered
for inclusion and so I have marked the option as experimental.
However, I am posting this since Andrew (and others who come across
hosts with portspoof) might find this useful.


Thanks Jay.  It's hard to win an arms race with programs like Portspoof
that try to fool Nmap, but hardly anyone ever uses them anyway.  However, I
see all-open behavior like this from many of my large scale scans due to
SSL accelerators, load balancers, various proxies, and other network
equipment.  It can be annoying when you scan millions of addresses and then
look to find hosts with an obscure port open, only to find the results
dominated by these false positives.

One problem with adding yet another obscure Nmap performance option is that
hardly anyone will ever use it.  It is usually better to focus on
improvements which affect more users.  However, if done properly, this
feature might be worthwhile as the default for the more aggressive scans
like -T4 and -T5.  After all, it's not much different than including a host
timeout in those scans (which we do).

So let's think about what we might want if we were to make this feature a
-T4 default.  Well, we can't just go with a total number of open ports,
since that's not fair when comparing a five-port scan (where no more than
five can obviously be open) and a 65,535 port scan of a busy server.  But
we can't just rely on a percentage either.  Even if we say "only forget
when 100% of the ports are open", that's not appropriate if you only
scanned 5 common ports.  -T5 would use either that or a more restrictive
value.  If a percentage is given, we would need to continue scanning until
we have enough open ports that reaching the specified limit is guaranteed
even if all the rest of the ports to be scanned prove closed.

Rather, we should probably be able to specify both.  So we would only
forget the host if at least X% of the ports in a protocol are open, and
that constitutes at least Y total.  So for -T4, maybe we'd say at least 50%
ports open AND that it is at least 100 ports total.  Maybe the syntax could
be like "--forget-after 50%,100" and you could specify either a percentage
or a total number or both.  I feel like maybe we could think of a better
name than --forget-after, but none come to mind immediately.

Even if we make this a -T4/-T5 default, we would want to provide the option
so people can override it if desired.  If you are only scanning like 5
ports and want to be sure to block these all-open machines, you'd probably
pick a random port like 22794 to add to your scan list and then specify
"--forget-after 6" or (same effect) "--forget-after 100%" to exclude the
machines with all 5 real ports, plus the highly unlikely port open.  There
would need to be an option to tell Nmap not to ever skip hosts based on
open port count.  Maybe "--forget-hosts -" or --dont-forget-hosts or
something.

As Henri notes, the output should tell you which hosts were skipped for
this reason.  That way you can still find and probe those hosts, but you
don't have a giant 65K-line entry in your log file and your searches for
individual open ports are not polluted with these.

Also, the feature would have to be documented.

Cheers,
Fyodor
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
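A runnable model of the threshold logic Fyodor sketches above, added here as an example; it is neither Nmap code nor the patch Jay posted. It takes the "X%,Y" option syntax and the "-" value for "never forget" from the mail; the class name ForgetPolicy, the scan_host() function and the two constructed responders standing in for a Portspoof-style box and an ordinary web server are this example's own assumptions. The percentage is evaluated against the full port list of the protocol being scanned, so a host is only dropped once the limit is guaranteed even if every remaining port turns out closed, and the five-ports-plus-decoy trick and the "bare percentage on a short scan" failure mode are both exercised.

```python
"""Model of a --forget-after threshold for all-open hosts (added example, not Nmap code)."""
from dataclasses import dataclass
from fractions import Fraction
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class ForgetPolicy:
    """Forget a host once at least `min_fraction` of the protocol's port list
    AND at least `min_count` ports are open.  Either bound may be absent."""
    min_fraction: Optional[Fraction]   # "50%" -> Fraction(1, 2)
    min_count: Optional[int]           # "100"  -> 100

    @classmethod
    def parse(cls, spec: str) -> Optional["ForgetPolicy"]:
        """Parse "50%,100", "50%", "100" or "-" (returns None: never forget)."""
        spec = spec.strip()
        if spec == "-":
            return None
        frac: Optional[Fraction] = None
        count: Optional[int] = None
        for part in (p.strip() for p in spec.split(",")):
            if part.endswith("%"):
                if frac is not None:
                    raise ValueError("percentage given twice: %r" % spec)
                frac = Fraction(part[:-1]) / 100
                if not 0 < frac <= 1:
                    raise ValueError("percentage must be in (0, 100]: %r" % part)
            else:
                if count is not None:
                    raise ValueError("count given twice: %r" % spec)
                count = int(part)
                if count <= 0:
                    raise ValueError("count must be positive: %r" % part)
        if frac is None and count is None:
            raise ValueError("empty --forget-after spec")
        return cls(frac, count)

    def should_forget(self, open_count: int, ports_total: int) -> bool:
        """Called after every probe.  The fraction is taken over the whole port
        list, not over the ports probed so far, so this only becomes True once
        the limit would be met even if all remaining ports prove closed."""
        if self.min_count is not None and open_count < self.min_count:
            return False
        if self.min_fraction is not None and \
                Fraction(open_count, ports_total) < self.min_fraction:
            return False
        return True


Responder = Callable[[int], bool]   # port -> does the host answer "open"?


def scan_host(is_open: Responder, ports: List[int],
              policy: Optional[ForgetPolicy]) -> Tuple[List[int], bool, int]:
    """Probe `ports` in order, stopping early when the policy says to forget.
    Returns (open ports seen, forgotten?, probes actually sent)."""
    open_ports: List[int] = []
    for sent, port in enumerate(ports, 1):
        if is_open(port):
            open_ports.append(port)
        if policy is not None and policy.should_forget(len(open_ports), len(ports)):
            return open_ports, True, sent
    return open_ports, False, len(ports)


# Constructed responders standing in for real hosts (not captured data).
PORTSPOOF_LIKE: Responder = lambda port: True                 # every port "open"
WEB_SERVER: Responder = lambda port: port in {22, 80, 443}    # three real services

TOP_PORTS = [21, 22, 25, 80, 443]   # a short "common ports" list
DECOY_PORT = 22794                  # the unlikely port from the mail


def demo() -> dict:
    """Run the scenarios from the thread and return their results by name."""
    results = {}
    # Five real ports plus one decoy with "100%": only the all-open box is dropped,
    # and only after the decoy (6th probe) answers open too.  "6" behaves the same.
    six = TOP_PORTS + [DECOY_PORT]
    results["spoof_100pct"] = scan_host(PORTSPOOF_LIKE, six, ForgetPolicy.parse("100%"))
    results["spoof_six"] = scan_host(PORTSPOOF_LIKE, six, ForgetPolicy.parse("6"))
    results["web_100pct"] = scan_host(WEB_SERVER, six, ForgetPolicy.parse("100%"))
    # A bare percentage misfires on a short scan: 3 of 5 ports open already clears
    # "50%", which is why an absolute floor is needed alongside it.
    five = [22, 80, 443, 8080, 8443]
    results["web_50pct"] = scan_host(WEB_SERVER, five, ForgetPolicy.parse("50%"))
    results["web_50pct_100"] = scan_host(WEB_SERVER, five, ForgetPolicy.parse("50%,100"))
    # The proposed -T4 default over 1000 ports: the spoofer is dropped after 500
    # probes (50% now guaranteed, well past 100 open); "-" keeps probing all 1000.
    thousand = list(range(1, 1001))
    results["spoof_t4"] = scan_host(PORTSPOOF_LIKE, thousand, ForgetPolicy.parse("50%,100"))
    results["spoof_never"] = scan_host(PORTSPOOF_LIKE, thousand, ForgetPolicy.parse("-"))
    return results


if __name__ == "__main__":
    for name, (opened, forgotten, sent) in demo().items():
        print("%-14s open=%-4d forgotten=%-5s probes=%d" % (name, len(opened), forgotten, sent))
```

The early return in scan_host() is what saves the probes on a Portspoof-style host; a real implementation would additionally need to record the host as "skipped: too many open ports" in the output, as Henri's point about reporting requires, rather than silently dropping it.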

