Re: nmap-services frequency calculation

[Daniel Miller <bonsaiviking () gmail com>]

Tod,

The frequencies were derived from large-scale full-port scanning of the
Internet and some internal networks. It is starting to show its age, as we
have had to manually tune for new services (mbap, murmur, docker,
memcachedb, dropbox, etc.). Updating this data with new scans is a goal for
the project that will probably be accomplished in 2016.

The actual number is calculated with some internal scripts, by counting the
number of hosts with the port open and dividing by the number of hosts
where that port was scanned, after rejecting some statistical outliers
(like hosts that are spoofing all ports open, hosts with no open ports,
etc.).

Dan

On Fri, Apr 22, 2016 at 3:24 PM, Tod Beardsley <todb () packetfu com> wrote:

> Hi list -- how is/was the frequency calculation derived in nmap-services?
> The docs at https://nmap.org/book/nmap-services.html don't seem to talk
> about this.
>
> I'm working on a project that involves counting a bunch of endpoints, and
> I'd like to reference the nmap-services count, and just looking for a
> little background on how it was created.
>
> Direct replies are more than welcome. Thanks!
>
> --
> "Tod Beardsley" <todb () packetfu com>
> https://keybase.io/todb
>
> _______________________________________________
> Sent through the dev mailing list
> https://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/