Detect NMAP using its ports #1179
Conversation
7160f0d to
0f864b0
Compare
|
One question when merging records: what would happen if we merge a record with Nmap top 1k ports with another record with 1000 other (say, random) ports? Would we remove the Nmap tag? |
|
AFAIK, the merge functions never remove tags. |
|
That's what I understand too. Don't you think the tag should be removed in such situations? |
|
If there is a record that contains by itself 1k Nmap ports, wouldn't it make sense to consider that it was scanned? |
|
Such records would always come from passive records, which only contain one port per record. So if, by chance, there is a moment where the record contains the top 1k ports, and then more ports are added, the resulting I think the resulting host should not have the Nmap tag. |
0f864b0 to
ebf6508
Compare
|
Hi @gpotter2, You should run For the MongoDB failures, they do not come from your code, and have been fixed in #1248 (newer version of PyMongo no longer supports APIs that were used in IVRE). Just rebase your code against current master and everything should be fine. Thanks! |
989b92b to
8d76713
Compare
| # the list of ports scanned by default by a scanner, assume it | ||
| # is. | ||
| for (dports, scanner_name) in DEFAULT_SCANNED_PORTS.get(proto, []): | ||
| if scanner_name not in res.get("scanners", []): |
There was a problem hiding this comment.
Maybe you could remove this test, since you use res.setdefault("scanners", {}).setdefault(scanner_name, set()).add(...)
There was a problem hiding this comment.
If I read the code correctly, that's necessary to not re-add the value to the set (in the add()) if it exists.
|
Really sorry for the delay |
part of #1175
This PR: