Prefer UDP probes with 1 or fewer payloads as ping probes.

2025-12-30 19:39:07 +00:00 · 2021-08-06 02:47:56 +00:00
parent 9c97e008f7
commit 01c1e00b83
1 changed files with 18 additions and 12 deletions
--- a/scan_engine.cc
+++ b/scan_engine.cc
@@ -1779,43 +1779,49 @@ static unsigned int pingprobe_score(const probespec *pspec, int state) {
  switch (pspec->type) {
  case PS_TCP:
    if (state == PORT_FILTERED) /* Received an ICMP error. */
-      score = 2;
+      score = 20;
    else if (pspec->pd.tcp.flags == TH_SYN && (state == PORT_OPEN || state == PORT_UNKNOWN))
-      score = 3;
+      score = 30;
    else if (pspec->pd.tcp.dport == 25 ||
      pspec->pd.tcp.dport == 113 ||
      pspec->pd.tcp.dport == 135 ||
      pspec->pd.tcp.dport == 139 ||
      pspec->pd.tcp.dport == 445)
      /* Frequently spoofed port numbers */
-      score = 5;
+      score = 50;
    else
-      score = 6;
+      score = 60;
    break;
  case PS_SCTP:
    if (state == PORT_FILTERED) /* Received an ICMP error. */
-      score = 2;
+      score = 20;
    else if (state == PORT_OPEN || state == PORT_UNKNOWN)
-      score = 3;
+      score = 30;
    else
-      score = 6;
+      score = 60;
    break;
  case PS_ICMP:
    if (pspec->pd.icmp.type == ICMP_ECHO || pspec->pd.icmp.type == ICMP_MASK || pspec->pd.icmp.type == ICMP_TSTAMP)
-      score = 5;
+      score = 50;
    else
-      score = 2;
+      score = 20;
    break;
  case PS_ARP:
  case PS_ND:
-    score = 4;
+    score = 40;
    break;
  case PS_UDP:
+    // Penalize ports with many payloads, since we can't be sure which one responded.
+    score = 20 - udp_payload_count(pspec->pd.udp.dport);
+    // But one payload is ok
+    if (score == 19)
+      score = 20;
+    break;
  case PS_PROTO:
-    score = 2;
+    score = 20;
    break;
  case PS_CONNECTTCP:
-    score = 1;
+    score = 10;
    break;
  case PS_NONE:
  default: