Full Discussion: Nmap
Special Forums Cybersecurity Nmap Post 17638 by thomas.jones on Monday 18th of March 2002 09:51:44 PM
A possible solution is that while performing a single port scan you are getting a correct response from an "active" or open port.

Now under a full 65535 port scan you are pushing a lot of packets! You hadn't stated your time frequency of datagram submittal...but with an educated guess......I'd say that you are pumping them out as quick as possible.

When a system is under a pretty heavy load...the stack gets a bit quirky. Thus the inconsistent recognitions.....i.e...a "filtered" state.

Especially when you're only traversing a portion of your TCP/IP stack, and not the whole OSI model.

Have you reviewed RFC 793 (Transmission Control Protocol) for valid responses? I suggest capturing packets to verify your system's responses.

HTH.
 

SCANLOGD(8)                    System Administration                    SCANLOGD(8)

NAME
       scanlogd - detects and logs TCP port scans

SYNOPSIS
       scanlogd

DESCRIPTION
       scanlogd detects port scans and writes one line per scan via the syslog(3) mechanism. If a source address sends multiple packets to different ports in a short time, the event will be logged. The format of the messages is:

       saddr[:sport] to daddr [and others,] ports port[, port...], ..., flags[, TOS TOS][, TTL TTL] @HH:MM:SS

       The fields in square brackets are optional; sport, TOS, and TTL will only be displayed if they were constant during the scan.

       The flags field represents TCP control bits seen in packets coming to the system from the address of the scan. It is a combination of eight characters, with each corresponding to one of the six defined and two reserved TCP control bits (see RFC 793). Control bits that were always set are encoded with an uppercase letter, and a lowercase letter is used if the bit was always clear. A question mark is used to indicate bits that changed from packet to packet.

INTERFACES
       In order to do its job, scanlogd needs a way to obtain raw IP packets that either come to the system scanlogd is running on, or travel across a network segment that is directly connected to the system. Current versions of scanlogd can be built with support for one of several packet capture interfaces. scanlogd is aware of the raw socket interface on Linux, libnids, and libpcap.

       The use of libpcap alone is discouraged. If you're on a system other than Linux and/or want to monitor the traffic of an entire network at once, you should be using libnids in order to handle fragmented IP packets.

COMPILE-TIME DEFAULTS
       At least 7 different privileged or 21 non-privileged ports, or a weighted combination of those, have to be accessed with no longer than 3 seconds between the accesses to be treated as a scan. If more than 5 scans are detected within 20 seconds, that event will be logged and logging will be stopped temporarily.

       Logging is done with a facility of daemon and a priority level alert.

       scanlogd should be started as root since it needs access to a packet capture interface. By default, it chroots to /var/empty and switches to running as user scanlogd after the packet capture interface is initialized.

EXIT STATUS
       If the daemon couldn't start up successfully, it will exit with a status of 1.

USAGE
       You're expected to create a dummy user for scanlogd to run as. Make sure you allocate unique UID and GID to the user.

       In most cases, scanlogd should be started from a rc.d script on system startup.

       In /etc/syslog.conf you may use something like:

       daemon.alert /var/log/alert

SECURITY NOTES
       As the name indicates, scanlogd only logs port scans. It does not prevent them. You will only receive summarized information in the system's log.

       Obviously, the source address of port scans can be spoofed. Don't take any action against the source of attacks unless other evidence is available. Sometimes IP addresses are shared between many people; this is the case for ISP shell servers, dynamic dialup pools, and corporate networks behind NAT (masquerading).

BUGS
       Due to the nature of port scans, both false positives (detecting a scan when there isn't one) and false negatives (not detecting a scan when there's one) are possible. In particular, false positives occur when many small files are transferred rapidly with passive mode FTP.

AUTHORS
       Solar Designer <solar at openwall.com>

       Steffen Dettmer <steffen at dett.de> wrote the initial version of this manual page.

SEE ALSO
       syslog(3), syslog.conf(5), libnids(3), pcap(3)

       scanlogd home page: http://www.openwall.com/scanlogd/

       Phrack Magazine, issue 53, article 13

Openwall Project                     2 June 2004                        SCANLOGD(8)
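An added example, not scanlogd's own code, that parses the one-line-per-scan message format documented above and decodes the flags field. Two things are assumptions: the order of the eight flag characters (RFC 793 bit order followed by the two reserved bits), and the 3:1 weighting of privileged versus non-privileged ports, which is inferred from the 7-or-21 thresholds in COMPILE-TIME DEFAULTS rather than quoted from the source.

```python
import re

# Message format from scanlogd(8):
#   saddr[:sport] to daddr [and others,] ports port[, port...], ..., flags[, TOS TOS][, TTL TTL] @HH:MM:SS
LINE_RE = re.compile(
    r"^(?P<saddr>[0-9.]+)(?::(?P<sport>\d+))? to (?P<daddr>[0-9.]+)"
    r"(?P<others> and others,)? ports (?P<ports>\d+(?:, \d+)*), \.\.\., "
    r"(?P<flags>[A-Za-z?]{8})"
    r"(?:, TOS (?P<tos>[0-9A-Fa-f]+))?(?:, TTL (?P<ttl>\d+))? @(?P<time>\d\d:\d\d:\d\d)$"
)

# Assumed position-to-bit mapping; the man page only says there are eight characters.
BIT_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG", "RES1", "RES2")


def decode_flags(flags):
    """Uppercase = bit always set, lowercase = always clear, '?' = changed between packets."""
    if len(flags) != 8:
        raise ValueError("flags field must be eight characters: %r" % flags)
    return {name: ("varied" if ch == "?" else "set" if ch.isupper() else "clear")
            for name, ch in zip(BIT_NAMES, flags)}


def parse_line(line):
    """Return a dict for one scanlogd syslog line, or None if it is not one."""
    m = LINE_RE.match(line.split("scanlogd: ", 1)[-1].strip())
    if not m:
        return None
    return {
        "saddr": m.group("saddr"),
        "sport": int(m.group("sport")) if m.group("sport") else None,   # constant source port only
        "daddr": m.group("daddr"),
        "more_targets": m.group("others") is not None,                  # "and others," present
        "ports": [int(p) for p in m.group("ports").split(", ")],
        "flags": decode_flags(m.group("flags")),
        "tos": m.group("tos"),                                          # kept raw; encoding unspecified
        "ttl": int(m.group("ttl")) if m.group("ttl") else None,
        "time": m.group("time"),
    }


def scan_weight(ports):
    """Weighted port count: privileged ports (< 1024) count 3, others 1, so the documented
    7-privileged / 21-non-privileged thresholds both meet 21 (weighting is an assumption)."""
    return sum(3 if p < 1024 else 1 for p in set(ports))


# Constructed sample lines in the documented format (not real captures).
SAMPLE_LINES = [
    "Jun  2 12:00:01 gw scanlogd: 203.0.113.7:40000 to 192.0.2.10 ports 21, 22, 23, 25, 80, 110, 143, ..., fSrpauxy, TOS 00, TTL 64 @12:00:01",
    "Jun  2 12:00:09 gw scanlogd: 203.0.113.9 to 192.0.2.10 and others, ports 8080, 8443, 3306, 5432, ..., f?rpa?xy, TOS 00 @12:00:09",
]

if __name__ == "__main__":
    for rec in map(parse_line, SAMPLE_LINES):
        print(rec["saddr"], rec["ports"], "weight", scan_weight(rec["ports"]), "SYN", rec["flags"]["SYN"])
```

The first sample decodes as a constant SYN-only probe (SYN always set, everything else always clear) reaching the 21-point weight; the second shows a varying flag pattern and a sub-threshold weight, which is the kind of record the SECURITY NOTES section warns against acting on by itself.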