amap

Identify applications even if they are running on a different port than normal.

It also identifies non-ASCII-based applications. This is achieved by sending trigger packets and looking up the responses in a list of response strings.

Without filled databases of triggers and responses the tool is worthless, so I ask you to help us fill the database. How does it work? Whenever a client application connects to a server, some kind of handshake is exchanged (usually, at least: syslogd for instance says nothing at all, and neither does snmpd without the right community string). amap takes the first packet sent back and compares it to a list of signature responses. Really simple, and in practice it turns out to be exactly that simple, at least for most protocols.

So now, with amap, you can identify that SSL server running on port 3442, as well as that Oracle listener on port 23.

For unknown protocols you can use amapcrap, which sends random crap to a UDP, TCP or SSL-wrapped port to elicit a response, which you can then add to the appdefs.trig and appdefs.resp files.
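To make the trigger/response matching concrete, here is an added Python sketch; it is not amap's code, the signature table is a constructed simplification rather than the real appdefs.trig/appdefs.resp format, and the "lab" servers and their ports are constructed stand-ins for sockets. It shows the three cases the text describes: a server that speaks first (SSH, SMTP), a binary protocol that only answers a proper trigger (a TLS ServerHello on port 3442) and a silent service (syslogd) that stays unidentified.

```python
import re
from typing import Callable, Dict, Optional

# Constructed, simplified signature table (amap keeps triggers in appdefs.trig and
# responses in appdefs.resp; this list is an illustration, not their format).
# Entry: (application name, trigger bytes to send, regex over the first reply).
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x2d\x01\x00\x00\x29\x03\x03" + b"\x00" * 32 + b"\x00\x00\x02\x00\x2f\x01\x00"
SIGNATURES = [
    ("ssh",  b"",              re.compile(rb"^SSH-\d\.\d+-")),
    ("smtp", b"",              re.compile(rb"^220[ -].*E?SMTP", re.I)),
    # TLS ServerHello: handshake record (0x16), version 3.x, handshake type 0x02
    ("ssl",  TLS_CLIENT_HELLO, re.compile(rb"^\x16\x03[\x00-\x04]..\x02", re.S)),
]

Responder = Callable[[bytes], Optional[bytes]]  # simulated socket: trigger -> first reply or None

def _banner(banner: bytes) -> Responder:
    return lambda trigger: banner  # server speaks first: banner comes back whatever we send

def _tls_server(trigger: bytes) -> Optional[bytes]:
    # Answers a TLS handshake record with a binary ServerHello, stays silent otherwise
    if trigger[:1] == b"\x16":
        return b"\x16\x03\x03\x00\x2a\x02\x00\x00\x26\x03\x03" + b"\x11" * 32 + b"\x00\x00\x2f\x00"
    return None

# Constructed lab: services deliberately placed on non-standard ports
LAB: Dict[int, Responder] = {
    2222: _banner(b"SSH-2.0-OpenSSH_9.6\r\n"),
    3442: _tls_server,
    2525: _banner(b"220 mail.example.test ESMTP ready\r\n"),
    514:  lambda trigger: None,  # syslogd: accepts data, never answers
}

def identify(respond: Responder) -> str:
    """Send each distinct trigger; match the first reply against every signature."""
    for trigger in dict.fromkeys(t for _, t, _ in SIGNATURES):  # dedupe, keep order
        reply = respond(trigger)
        if not reply:
            continue  # silent service: nothing to match, try the next trigger
        for name, _, pattern in SIGNATURES:
            if pattern.search(reply):
                return name
    return "unidentified"

def scan(lab: Dict[int, Responder] = LAB) -> Dict[int, str]:
    """Port -> identified application, decided by the reply, not the port number."""
    return {port: identify(respond) for port, respond in lab.items()}
```

An unanswered port is the normal failure mode here: the matcher reports "unidentified" rather than guessing from the port number, which is exactly the gap amapcrap is meant to help fill.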