Nmap Development: Re: nmap-service-probes matching questions

Re: nmap-service-probes matching questions

From: <doug_at_hcsw.org>
Date: Wed, 2 Apr 2008 15:48:34 -0800

Hi Kris,

On Tue, Apr 01, 2008 at 11:41:00AM -0500 or thereabouts, Kris Katterjohn wrote:
> I've always loved Nmap's Service Detection; it's definitely high on my
> list of top features.

Right on, me too.

> o Is it better to combine matches like I have done with the first two
> sets when the difference is small? Only one word is different between
> the matches.

Yes, using alternation (abc|def) is fine and is a good idea if the services
are very similar. Thanks for noticing this in the eggdrop match lines.
However, there is a small problem with this line and the last one in your
patch. If you're using the | as the regexp delimiter, you can't use
alternation because it will interfere with the reading of the regexp.
In such a case, I usually use / or = as the delimiter. For example:

match login m=^\x01Permission denied ?: Error (35|0|1)\r?\n?$= p/Tru64 Unix logind/ o/Tru64 UNIX/

If m|...(35|0|1)...| was used, this line would be broken.

> o In the third one, is this how it is done to capture the substrings and
> to have them match correctly? What are the $N values for these? This
> is what it seems like it would be (excluding $1 and $2 which I didn't
> touch):
>
> $3 is the outer () capture, which is either "posting ok" or "no posting"
> depending on the match
> $4 is the first inner () capture, which is "posting ok"
> $5 is the second inner () capture, which is "no posting"
>
> Is this correct?

Yes, this is how nested capturing works. If you only want to use alternation
without capture, use ?:, for example: (?:GET|POST). This is slightly more
efficient and also you don't need holes in your numbering, i.e. p/$1/ v/$2/ h/$4/.
Also, keep in mind that (abc|def)? WILL capture a group even if the empty string
matches this regexp component. In other words, this is the same as (abc|def|).
Don't even ask about (abc|def)*. :)

In your example here:

match nntp m|^20. ([-.\w]+) InterNetNews NNRP server INN (\d[-.\w ]+) ready \(((posting ok)|(no posting))\)\.\r\n| p/InterNetNews (INN)/ h/$1/ v/$2/ i/$3/

I see no reason for nested capture. Why not simply (posting ok|no posting) ?
(And make sure you use a different regexp delim than | as described above).

> Sorry if these are simple. I use vi and [e]grep all the time, with awk
> and sed fairly often, but I rarely use Perl (gasp!) or anything else
> with nested captured substrings so I'm clueless here.

nvi+Perl 4life. Read up on perl's -n switch and you will never need awk/sed again.

Thanks for helping,

Doug

PS that should be e?grep :)
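As an added example (not part of the original post and not Nmap's own parser), the following Python script mimics how a match line's m<delim>regex<delim> is cut out and how $N references are expanded into the version fields, using a constructed INN banner. It shows the two points made above: with "|" as both delimiter and alternation operator the regex is truncated and does not even compile, while "=" as the delimiter works, and the nested groups number exactly as Kris described ($3 and $4 filled, $5 empty). All function names and the banner are assumptions for this example.

```python
import re

# Constructed sample banner for the INN match line (not from the original post).
BANNER = "200 news.example.test InterNetNews NNRP server INN 2.4.3 ready (posting ok).\r\n"

# Kris's line as posted: '|' is both the m-delimiter and the alternation operator.
BROKEN_LINE = (r"match nntp m|^20. ([-.\w]+) InterNetNews NNRP server INN (\d[-.\w ]+) ready "
               r"\(((posting ok)|(no posting))\)\.\r\n| p/InterNetNews (INN)/ h/$1/ v/$2/ i/$3/")
# Same regex with '=' as the delimiter, keeping the nested groups Kris asked about.
NESTED_LINE = BROKEN_LINE.replace("m|", "m=").replace(r"\r\n|", r"\r\n=")
# Doug's suggestion: '=' delimiter and a flat alternation, so $3 is the only new group.
FIXED_LINE = NESTED_LINE.replace("((posting ok)|(no posting))", "(posting ok|no posting)")

def split_match_line(line):
    """Return (service, regex, versioninfo) from a 'match' line.
    The character after 'm' is the delimiter and the regex ends at its next
    occurrence, which is why a '|' delimiter cannot coexist with '|' alternation."""
    kw, service, rest = line.split(None, 2)
    if kw != "match" or rest[0] != "m":
        raise ValueError("not a match line")
    delim = rest[1]
    end = rest.index(delim, 2)
    return service, rest[2:end], rest[end + 1:].strip()

def regex_compiles(line):
    """True if the regex cut out of the match line is valid on its own."""
    try:
        re.compile(split_match_line(line)[1])
        return True
    except re.error:
        return False

def capture_groups(line, banner):
    """All numbered captures ($1, $2, ...) in order, or None on no match."""
    m = re.match(split_match_line(line)[1], banner)
    return m.groups() if m else None

def apply_match_line(line, banner):
    """Match the banner and expand $N in the version fields (p/ v/ i/ h/ ...)."""
    service, regex, versioninfo = split_match_line(line)
    m = re.match(regex, banner)
    if not m:
        return None
    fields = {"service": service}
    # Each field is a letter, a delimiter character, text, and the same delimiter again.
    for key, _d, text in re.findall(r"(\w)(\W)(.*?)\2", versioninfo):
        fields[key] = re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))) or "", text)
    return fields

if __name__ == "__main__":
    print(regex_compiles(BROKEN_LINE), regex_compiles(FIXED_LINE))  # False True
    print(capture_groups(NESTED_LINE, BANNER))
    print(apply_match_line(FIXED_LINE, BANNER))
```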

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

Received on Apr 02 2008