
Gold-Nuggeting: find outstanding network devices on large NMAP scans using ML - _soruso
https://github.com/delvelabs/batea
======
blaser-waffle
I read the whitepaper that was linked in the github but I'm still not
totally sure what makes a network device "interesting". I'm still sort of
curious, but I don't feel like digging through the code.

Like what does this give me over a few nmap -O | grep ssh or similar
oneliners?

[http://delvesecurity.com/wp-content/uploads/2019/10/Automati...](http://delvesecurity.com/wp-content/uploads/2019/10/Automating-Intuition-Batea-WP.pdf)

~~~
_soruso
First, it starts with the hypothesis that you don't know exactly what you are
looking for in advance, so an "interesting" asset would pop out as an unusual
combination of these grep lookups (ssh, http, mysql, ftp, rdp, smb, etc...) or
other features (hostnames, os type). It means you would have to look for all
possible combinations of these oneliners?

Second, on an enterprise network, you could easily have 5k or 50k devices to
grep, which would make it unfeasible to combine simple greps.

The reason we use machine learning is because it is targeted at large amounts
of data, i.e. enterprise networks.

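The "unusual combination of features" idea from the reply above, as an added worked example that is not part of the thread and not Batea's own code: it parses nmap `-oX` output into one categorical feature set per host (open ports, OS family from `osclass`, whether a PTR name exists) and ranks hosts by how rare their features are across the whole scan. The scoring (sum of `-log(fraction of hosts sharing the feature)`) is an assumed, deliberately simple stand-in for whatever model Batea uses; the scan document is constructed inline, and the hosts and addresses in it are hypothetical. The point it shows is the one made in the reply: no single `grep` for a port finds the host, but a score over every feature at once does.

```python
import math
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed nmap -oX output (not a real scan): five look-alike hosts and one
# hypothetical outlier, 10.0.0.50, that has no PTR name and an odd service mix.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="10.0.0.10" addrtype="ipv4"/>
    <hostnames><hostname name="ws-01.corp.example" type="PTR"/></hostnames>
    <ports><port protocol="tcp" portid="135"><state state="open"/></port>
           <port protocol="tcp" portid="445"><state state="open"/></port></ports>
    <os><osmatch name="Microsoft Windows 10"><osclass osfamily="Windows"/></osmatch></os></host>
  <host><status state="up"/><address addr="10.0.0.11" addrtype="ipv4"/>
    <hostnames><hostname name="ws-02.corp.example" type="PTR"/></hostnames>
    <ports><port protocol="tcp" portid="135"><state state="open"/></port>
           <port protocol="tcp" portid="445"><state state="open"/></port></ports>
    <os><osmatch name="Microsoft Windows 10"><osclass osfamily="Windows"/></osmatch></os></host>
  <host><status state="up"/><address addr="10.0.0.12" addrtype="ipv4"/>
    <hostnames><hostname name="ws-03.corp.example" type="PTR"/></hostnames>
    <ports><port protocol="tcp" portid="135"><state state="open"/></port>
           <port protocol="tcp" portid="445"><state state="open"/></port></ports>
    <os><osmatch name="Microsoft Windows 10"><osclass osfamily="Windows"/></osmatch></os></host>
  <host><status state="up"/><address addr="10.0.0.20" addrtype="ipv4"/>
    <hostnames><hostname name="web-01.corp.example" type="PTR"/></hostnames>
    <ports><port protocol="tcp" portid="22"><state state="open"/></port>
           <port protocol="tcp" portid="80"><state state="open"/></port>
           <port protocol="tcp" portid="443"><state state="open"/></port></ports>
    <os><osmatch name="Linux 4.15"><osclass osfamily="Linux"/></osmatch></os></host>
  <host><status state="up"/><address addr="10.0.0.21" addrtype="ipv4"/>
    <hostnames><hostname name="web-02.corp.example" type="PTR"/></hostnames>
    <ports><port protocol="tcp" portid="22"><state state="open"/></port>
           <port protocol="tcp" portid="80"><state state="open"/></port>
           <port protocol="tcp" portid="443"><state state="open"/></port></ports>
    <os><osmatch name="Linux 4.15"><osclass osfamily="Linux"/></osmatch></os></host>
  <host><status state="up"/><address addr="10.0.0.50" addrtype="ipv4"/>
    <hostnames/>
    <ports><port protocol="tcp" portid="22"><state state="open"/></port>
           <port protocol="tcp" portid="3306"><state state="open"/></port>
           <port protocol="tcp" portid="5900"><state state="open"/></port>
           <port protocol="tcp" portid="8080"><state state="open"/></port></ports>
    <os><osmatch name="Linux 4.15"><osclass osfamily="Linux"/></osmatch></os></host>
</nmaprun>
"""


def host_features(host):
    """Turn one <host> element into the set of categorical features it carries."""
    feats = set()
    for port in host.iter("port"):
        state = port.find("state")
        if state is not None and state.get("state") == "open":
            feats.add(f"port:{port.get('protocol', 'tcp')}/{port.get('portid')}")
    # nmap puts the OS family on <osclass>; fall back to 'unknown' when -O gave nothing.
    families = {c.get("osfamily") for c in host.iter("osclass") if c.get("osfamily")}
    feats.add(f"os:{sorted(families)[0] if families else 'unknown'}")
    has_name = host.find("hostnames/hostname") is not None
    feats.add("hostname:present" if has_name else "hostname:absent")
    return feats


def parse_nmap_xml(xml_text):
    """Return {ip: feature_set} for every host with an IPv4 address in an nmap -oX document."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        hosts[addr.get("addr")] = host_features(host)
    return hosts


def rarity_scores(hosts):
    """Score each host by how unusual its feature combination is across the scan.

    Each feature contributes -log(fraction of hosts that have it), so a host built
    from common features scores low and one carrying several rare features, or a
    rare mix of them, rises to the top. Assumed illustrative scheme, not Batea's model.
    """
    n = len(hosts)
    doc_freq = Counter(f for feats in hosts.values() for f in feats)
    return {ip: sum(-math.log(doc_freq[f] / n) for f in feats)
            for ip, feats in hosts.items()}


def rank_hosts(xml_text, top=5):
    """Parse a scan and return [(ip, score, sorted features)], most unusual first."""
    hosts = parse_nmap_xml(xml_text)
    scores = rarity_scores(hosts)
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(ip, round(score, 3), sorted(hosts[ip])) for ip, score in ranked[:top]]


if __name__ == "__main__":
    for ip, score, feats in rank_hosts(SAMPLE_NMAP_XML):
        print(f"{ip:<12} {score:6.3f}  {' '.join(feats)}")
```

On the constructed scan the three workstations score identically and lowest, the two web servers sit in the middle, and 10.0.0.50 leads by a wide margin because every one of its rare features (MySQL, VNC, an alternate HTTP port, no PTR record) adds to the score. A `grep 3306` would have found it here only because the reviewer already knew to look for 3306; the scoring needs no such prior, which is the point the reply makes about not knowing what you are looking for in advance. Absolute scores grow with the number of open ports, so on a real scan you would also want to inspect the features driving a high score rather than trust the number alone.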
