Give TCP probes that result in a filtered state a lower rank. When a TCP gets a

positive response that results in being marked filtered, the reply was an ICMP error. Such probes are now ranked a 2 along with UDP, IP proto, and other probes that get ICMP replies that are likely to be rate limited. Previously they got the highest rank, 6, because they were TCP probes other than SYN to an open port. SYN to an open port retains its rank of 3.
2025-12-31 20:09:02 +00:00 · 2008-12-30 23:45:28 +00:00
parent 7261608125
commit 3414659676
1 changed files with 5 additions and 3 deletions
--- a/scan_engine.cc
+++ b/scan_engine.cc
@@ -2328,11 +2328,11 @@ void HostScanStats::getTiming(struct ultra_timing_vals *tmng) {
 /* Define a score for a ping probe, for the purposes of deciding whether one
   probe should be preferred to another. The order, from most preferred to least
   preferred, is
-      Raw TCP (not SYN to an open port)
+      Raw TCP (not filtered, not SYN to an open port)
      ICMP information queries (echo request, timestamp request, netmask req)
      ARP
      Raw TCP (SYN to an open port)
-      UDP, IP protocol, or other ICMP
+      UDP, IP protocol, or other ICMP (including filtered TCP)
      TCP connect
      Anything else
   Raw TCP SYN to an open port is given a low preference because of the risk of
@@ -2344,7 +2344,9 @@ static unsigned int pingprobe_score(const probespec *pspec, int state) {

  switch (pspec->type) {
    case PS_TCP:
-      if (pspec->pd.tcp.flags == TH_SYN && (state == PORT_OPEN || state == PORT_UNKNOWN))
+      if (state == PORT_FILTERED) /* Received an ICMP error. */
+        score = 2;
+      else if (pspec->pd.tcp.flags == TH_SYN && (state == PORT_OPEN || state == PORT_UNKNOWN))
        score = 3;
      else
        score = 6;