On 01/29/09 08:48, Damon Getsman wrote:
For a little more added information, here is how OSSEC is determining
that these ports are hidden:

The way we detect hidden ports is the following:

1- Try to bind to every port in the system (tcp and udp).
2- If bind fails (port is being used), we run netstat to see if it is
showing in there.
3- If it is not showing on netstat, we attempt to bind the port again.
4- If we are able to bind again, we try netstat the last time.
5- If netstat does not show the port, we consider it hidden.

So, false positives can happen if you have a very busy system, opening and
closing ports very fast (or using some form of system virtualization).

Just curious. What does one do to make a port not show up in netstat?

Kent
_______________________________________________
SunRay-Users mailing list
http://www.filibeto.org/mailman/listinfo/sunray-users
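
The five-step check described in the message, written out as an added Python example (not OSSEC's own code and not part of the original thread). It reads step 4 as the second bind attempt still finding the port occupied, and it assumes Linux-style `netstat -an` rows; both are assumptions of this example, as are all function names.

```python
import errno
import socket
import subprocess

def port_in_use(port, proto):
    """Steps 1 and 3: True when bind() fails because the port is already taken."""
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    with socket.socket(socket.AF_INET, kind) as s:
        try:
            s.bind(("0.0.0.0", port))
            return False
        except OSError as e:
            if e.errno == errno.EADDRINUSE:
                return True
            raise  # e.g. EACCES on ports < 1024 without root: not evidence of use

def netstat_text():
    """Assumption: `netstat -an` prints Linux-style rows (proto, queues, local address)."""
    return subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout

def listed(port, proto, text):
    """Steps 2 and 4: does any tcp/udp row carry this local port?"""
    for line in text.splitlines():
        f = line.split()
        # rsplit keeps 22 from matching 2222 and copes with IPv6 addresses
        if len(f) >= 4 and f[0].startswith(proto) and f[3].rsplit(":", 1)[-1] == str(port):
            return True
    return False

def is_hidden(port, proto, in_use=port_in_use, netstat=netstat_text):
    if not in_use(port, proto):          # bind worked: nothing holds the port
        return False
    if listed(port, proto, netstat()):   # ordinary, visible socket
        return False
    # Second pass filters sockets that closed between the bind and the netstat.
    return in_use(port, proto) and not listed(port, proto, netstat())

# Constructed netstat output used by the demo below.
SAMPLE = """Proto Recv-Q Send-Q Local Address  Foreign Address  State
tcp   0  0  0.0.0.0:2222  0.0.0.0:*  LISTEN
udp   0  0  0.0.0.0:68    0.0.0.0:*
"""

if __name__ == "__main__":
    # Port 22 is held (stubbed bind failure) but absent from SAMPLE.
    print(is_hidden(22, "tcp", in_use=lambda p, pr: True, netstat=lambda: SAMPLE))
```

The `in_use` and `netstat` parameters exist so the decision logic can be exercised with stubs; a port that is released before the second bind is not reported, which is the busy-system case the message mentions.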