From 6680f5648da2e3218f379827e2f03085894207bb Mon Sep 17 00:00:00 2001
From: dmiller
Date: Wed, 28 Mar 2018 20:17:44 +0000
Subject: [PATCH] Avoid using commonly-spoofed-closed ports as ping/timing ports
---
 scan_engine.cc | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/scan_engine.cc b/scan_engine.cc
index 75ddf5250..052ba2ac6 100644
--- a/scan_engine.cc
+++ b/scan_engine.cc
@@ -1796,6 +1796,13 @@ static unsigned int pingprobe_score(const probespec *pspec, int state) {
 score = 2;
 else if (pspec->pd.tcp.flags == TH_SYN && (state == PORT_OPEN || state == PORT_UNKNOWN))
 score = 3;
+ else if (pspec->pd.tcp.dport == 25 ||
+ pspec->pd.tcp.dport == 113 ||
+ pspec->pd.tcp.dport == 135 ||
+ pspec->pd.tcp.dport == 139 ||
+ pspec->pd.tcp.dport == 445)
+ /* Frequently spoofed port numbers */
+ score = 5;
 else
 score = 6;
 break;
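Review bot: The added `else if` in pingprobe_score() tests only `pspec->pd.tcp.dport` and never `state`, so every TCP probe to 25, 113, 135, 139 or 445 that falls through the two earlier branches is scored 5, whatever kind of response was recorded. The subject line speaks of spoofed-closed ports, so if only that case is meant, the condition could also require `state == PORT_CLOSED`. The comment `/* Frequently spoofed port numbers */` does not say who answers or why that matters for timing; something like `/* Filtering devices often answer for these ports themselves, so the reply and its RTT may not come from the target */` would record the reasoning, if that is the intent. The five literals would also be easier to audit and extend as one small `static const` port table with a single lookup. The function begins and ends outside the hunk, so the first branch's condition and the direction of the score scale cannot be checked from here.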