Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: Incorrect Telnet Detection
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Sun, 6 Apr 2008 00:23:22 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, 5 Apr 2008 17:14:43 -0700 or thereabouts Fyodor
<fyodor () insecure org> wrote:

On Wed, Mar 19, 2008 at 06:51:18PM +0000, Brandon Enright wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey Lionel,

We get this quite a bit too but I've never bothered to really
investigate.  A quick grep through my logs shows 25 machines
throwing Nessus false positives (not limited to telnet services) on
the last scan through campus.

I'm working on service fingerprints all day today so I'll add this
to my todo list of things to check into.

Great!  I'll hold off on applying Lionel's patch since you are working
on this.  Let us know what comes of it.

Cheers,
-F

I investigated this and applied a patch as part of a large patch
commit.  The problem was that there wasn't a ^ anchor on the match
lines.  I checked through a bunch of source code and I think the reason
why it wasn't there is that there are a few Nessus perl modules that
don't use the anchor.  I checked protocol documents and determined that
^ could be added.  I've tested this some and so far, it doesn't break
the Nessus match but does eliminate all of my false positives.

Brandon


Here is the patch that was committed:

@@ -6099,27 +6142,35 @@
 # the NTP as 1.0.  So we give the highest rarity to these first two
 # probes so they will usually only be used for port 1241.  But the
 # third is left with a lower rarity to catch Nessus running on
- -# non-default ports.
+# non-default ports. 
+#
+# These probes have a high likelihood of triggering false positives because
+# any service that echos your command back can match.  The docs on the
+# the protocol make me think a ^ anchor can be added to the response so
+# this should cut down on the the false positives. (Brandon)
+#
+# See ntp_white_paper_11.txt for more information on the Nessus protocol
+#
 ##############################NEXT PROBE##############################
 Probe TCP NessusTPv12 q|< NTP/1.2 >\n|
 rarity 9
 ports 1241
 sslports 1241
- -match nessus m|< NTP/1.2 >\n| p/Nessus Daemon/ i/NTP v1.2/
+match nessus m|^< NTP/1.2 >\n| p/Nessus Daemon/ i/NTP v1.2/
 
 ##############################NEXT PROBE##############################
 Probe TCP NessusTPv11 q|< NTP/1.1 >\n|
 rarity 9
 ports 1241
 sslports 1241
- -match nessus m|< NTP/1.1 >\n| p/Nessus Daemon/ i/NTP v1.1/
+match nessus m|^< NTP/1.1 >\n| p/Nessus Daemon/ i/NTP v1.1/
 
 ##############################NEXT PROBE##############################
 Probe TCP NessusTPv10 q|< NTP/1.0 >\n|
- -rarity 6
+rarity 8
 ports 1241
 sslports 1241
- -match nessus m|< NTP/1.0 >\n| p/Nessus Daemon/ i/NTP v1.0/
+match nessus m|^< NTP/1.0 >\n| p/Nessus Daemon/ i/NTP v1.0/
 
 
 ##############################NEXT PROBE##############################
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.7 (GNU/Linux)

iD8DBQFH+Bf6qaGPzAsl94IRAurGAKCHpi8GX/DowC+DINitOOe/cBrclwCgrhAA
vwX3wjFleWhb/IujdWvPLRs=
=PfeP
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]