RE: Data Interpretation

On 2009-03-17 David Gillett wrote:
Neither of these things is happening, and nmap can't tell why not.
SOMETHING must be listening, since no ICMP packet was received back,
but clearly it's not a normal process. The most likely scenario is
that a firewall or other security measure is dropping the SYN packet
without deigning to respond.

Packet filters aren't really listening (at least not in the
TCP sense of the word).

Agreed, although I'd say that this is closer to the English definition
of listen than the TCP sense which carries additional implications.

This is, in fact, exactly what you want.

I have to disagree. What you actually want in a situation
like that is the firewall to respond with a RST.

I'm aware of arguments for and against sending an RST; I considered
them beyond the scope of the present question. But certainly if these
services were merely unsupported and not actively hostile, sending an
RST would be the correct and polite thing to do.
And that would tell nmap that the port was actively being blocked....

David Gillett
