Mike Shaw <mshaw@wwisp.com> writes:
> It's pretty hard to detect trojan horses purely by port numbers.
Better than nothing?
> You'll get so many false positives that you'll eventually miss
> something.
Well, if we look only at *unknown* services, that's better.
The problem is there is currently no easy way to remove a port from
the "Services/unknown" list. NASL should be extended for this.
Then trojan_horses.nasl should run after all other ACT_GATHER_INFO
scripts...
> Plus, some trojans can use any port.
I know.
Here is an experimental script anyway.