Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: Trend Micro OfficeScan service fingerprint
From: Tom Sellers <nmap () fadedcode net>
Date: Sun, 30 Dec 2007 07:38:49 -0600


        I will checkout a copy of the SVN file and test the probe
in my environment on Monday.

doug () hcsw org wrote:

Thanks a lot for creating a probe! As you probably saw from the
OfficeScan comment, I've noticed problems with this service too:

# This is here for NULL probe cheat since several probes unpredictably trigger it -Doug

I just checked in the following probe to SVN:

Probe TCP OfficeScan q|GET /?CAVIT HTTP/1.1\r\n\r\n|
rarity 9
ports 12345

OfficeScan 6.x and 7.x listen on port 12345 so the probe should detect them.
OfficeScan 8.x uses a random port on the client.  What are the benefits of
limiting the fingerprint to port 12345?

match http m|^HTTP/1.0 \d\d\d .*\r\nServer: OfficeScan Client| p/Trend Micro OfficeScan Antivirus http config/

The match line is more flexible than the one I submitted and should
work fine.

Does this work for you? I deleted the match line in the GetRequest
probe but left it in the NULL probe in case we get it on a fallback.

Thanks much,


Sent through the nmap-dev mailing list
Archived at http://SecLists.Org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]