portscan: update manpage about --grscan caveats

author Jan Engelhardt <jengelh@medozas.de>

Sat, 10 Jan 2009 04:23:43 +0000 (05:23 +0100)

committer Jan Engelhardt <jengelh@medozas.de>

Sat, 10 Jan 2009 04:23:43 +0000 (05:23 +0100)
author Jan Engelhardt <jengelh@medozas.de>
Sat, 10 Jan 2009 04:23:43 +0000 (05:23 +0100)
committer Jan Engelhardt <jengelh@medozas.de>
Sat, 10 Jan 2009 04:23:43 +0000 (05:23 +0100)
diff --git a/extensions/libxt_portscan.man b/extensions/libxt_portscan.man

index 60a4c1a555fd8f98886f022ef4a7b20930d894b6..aaa162f6a0ffe8f237cb35bc100cf3dfc5826f76 100644 (file)
--- a/extensions/libxt_portscan.man
+++ b/extensions/libxt_portscan.man
@@ -20,7 +20,11 @@ connection was torn down after completion of the 3-way handshake.
  \fB--grscan\fR
  Match if data in the connection only flew in the direction of the remote side,
  e.g. if the connection was terminated after a locally running daemon sent its
-identification. (e.g. openssh)
+identification. (E.g. openssh, smtp, ftpd.) This may falsely trigger on
+warranted single-direction data flows, usually bulk data transfers such as
+FTP DATA connections or IRC DCC. Grab Scan Detection should only be used on
+ports where a protocol runs that is guaranteed to do a bidirectional exchange
+of bytes.
  .PP
  NOTE: Some clients (Windows XP for example) may do what looks like a SYN scan,
  so be advised to carefully use xt_portscan in conjunction with blocking rules,
author	Jan Engelhardt <jengelh@medozas.de>
	Sat, 10 Jan 2009 04:23:43 +0000 (05:23 +0100)
committer	Jan Engelhardt <jengelh@medozas.de>
	Sat, 10 Jan 2009 04:23:43 +0000 (05:23 +0100)