Home page logo

nmap-dev logo Nmap Development mailing list archives

nmap-service-probes matching questions
From: Kris Katterjohn <katterjohn () gmail com>
Date: Tue, 01 Apr 2008 11:41:00 -0500

Hash: SHA1

Hey everyone,

I've always loved Nmap's Service Detection; it's definitely high on my
list of top features.

I would like to help out with Service Detection if I can, but before any
of that I have some questions that I can't find exact answers to in the

I've attached a small patch which combines some match lines into one
using alternation.


o Is it better to combine matches like I have done with the first two
sets when the difference is small?  Only one word is different between
the matches.

o In the third one, is this how it is done to capture the substrings and
to have them match correctly?  What are the $N values for these?  This
is what it seems like it would be (excluding $1 and $2 which I didn't

$3 is the outer () capture, which is either "posting ok" or "no posting"
depending on the match
$4 is the first inner () capture, which is "posting ok"
$5 is the second inner () capture, which is "no posting"

Is this correct?

Sorry if these are simple.  I use vi and [e]grep all the time, with awk
and sed fairly often, but I rarely use Perl (gasp!) or anything else
with nested captured substrings so I'm clueless here.

Thanks a lot,
Kris Katterjohn

Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

Index: nmap-service-probes
--- nmap-service-probes (revision 7027)
+++ nmap-service-probes (working copy)
@@ -201,8 +201,7 @@
 # banners.  These rules should always be well below the detailed rule
 # above.
 match eggdrop m|\(Eggdrop v([\d.]+) \(C\) 1997 Robey Pointer.*Eggheads|s p/Eggdrop IRC bot console/ v/$1/
-match eggdrop m|\(Eggdrop v([\d.]+)\+ipv6 \(C\) 1997 Robey Pointer.*Eggheads|s p/Eggdrop IRC bot console with ipv6/ 
-match eggdrop m|\(Eggdrop v([\d.]+)\+SSL \(C\) 1997 Robey Pointer.*Eggheads|s p/Eggdrop IRC bot console with SSL/ v/$1/
+match eggdrop m|\(Eggdrop v([\d.]+)\+(ipv6|SSL) \(C\) 1997 Robey Pointer.*Eggheads|s p/Eggdrop IRC bot console with 
$2/ v/$1/
 match eggdrop m|\(Eggdrop v([\d.]+)\+rc(\d+) \(C\) 1997 Robey Pointer.*Eggheads|s p/Eggdrop IRC bot console/ v/$1 rc 
 match eggdrop m=\(Eggdrop v([\d.]+)\+(STEALER\.net|Gentoo) \(C\) 1997 Robey Pointer.*Eggheads=s p/Eggdrop IRC bot 
console with Gentoo patches/ v/$1/ o/Linux/ i/Gentoo/
@@ -256,8 +255,7 @@
 match ftp m|^220 ([-.\w]+) FTP server \(GNU inetutils (\d[-.\w ]+)\) ready\.\r\n| p/GNU Inetutils FTPd/ v/$2/ h/$1/
 match ftp m|^220 .* \(glftpd (\d[-.0-9a-zA-Z]+)_(\w+)(\+TLS)?\) ready\.\r\n| p/glFTPd/ v/$1/ i/$2/ o/Unix/
 match ftp m|^220 .* \(glFTPd (\d[-.0-9a-zA-Z]+)_(\w+) Linux\+TLS\) ready\.?\r\n| p/glFTPd/ v/$1/ i/$2/ o/Linux/
-match ftp m|^220 .* \(glFTPd (\d[-.0-9a-zA-Z]+) Linux\+TLS\) ready\.\r\n| p/glFTPd/ v/$1/ o/Linux/
-match ftp m|^220 .* \(glFTPd (\d[-.0-9a-zA-Z]+) FreeBSD\+TLS\) ready\.\r\n| p/glFTPd/ v/$1/ o/FreeBSD/
+match ftp m/^220 .* \(glFTPd (\d[-.0-9a-zA-Z]+) (Linux|FreeBSD)\+TLS\) ready\.\r\n/ p/glFTPd/ v/$1/ o/$2/
 match ftp m|^220 ([-.\w]+) FTP server \(FirstClass v(\d[-.\w]+)\) ready\.\r\n| p/FirstClass FTP server/ h/$1/ v/$2/
 match ftp m|^220 ([-.\w]+) FTP server \(Compaq Tru64 UNIX Version (\d[-.\w]+)\) ready\.\r\n| p/Compaq Tru64 ftp 
server/ h/$1/ v/$2/ o/Tru64 UNIX/
 match ftp m|^220 AXIS ([-.\w]+) FTP Network Print Server V(\d[-.\w]+) [A-Z][a-z]| p/Axis network print server ftpd/ 
v/$2/ i/Model $1/ d/print server/
@@ -1068,8 +1066,7 @@
 match nntp m|^502 Connection refused\r\n| p/Microsoft NNTP Service/ i/refused/ o/Windows/
 # Windows NT 4.0 SP5-SP6 
 match nntp m|^20[01] Microsoft Exchange Internet News Service Version (\d\.\d\.[.\d]+) \((.*)\)\r\n| p/Microsoft 
Exchange Internet News Service/ v/$1/ i/$2/ o/Windows/
-match nntp m|^20. ([-.\w]+) InterNetNews NNRP server INN (\d[-.\w ]+) ready \(posting ok\)\.\r\n| p/InterNetNews 
(INN)/ h/$1/ v/$2/ i/posting ok/
-match nntp m|^20. ([-.\w]+) InterNetNews NNRP server INN (\d[-.\w ]+) ready \(no posting\)\.\r\n| p/InterNetNews 
(INN)/ h/$1/ v/$2/ i/no posting/
+match nntp m|^20. ([-.\w]+) InterNetNews NNRP server INN (\d[-.\w ]+) ready \(((posting ok)|(no posting))\)\.\r\n| 
p/InterNetNews (INN)/ h/$1/ v/$2/ i/$3/
 match nntp m|^200 ArGoSoft News Server for WinNT/2000/XP v ([\d.]+) ready\r\n| p/ArGoSoft nntpd/ v/$1/ o/Windows/
 match nntp m|^400 No space left on device writing SMstore file -- throttling\r\n| p/InterNetNews (INN)/ i/HDD full/
 match nntp m/^200 NNTP-Server Classic Hamster (Vr\.|Version) \d[-.\w ]+ \(Build (\d[-.\w ]+)\) \(post ok\) says: 
Hi!\r\n/ p/Classic Hamster NNTPd/ v/$2/ i/posting ok/ o/Windows/

Sent through the nmap-dev mailing list
Archived at http://SecLists.Org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]