Nmap Development mailing list archives

Re: [NSE] Vulnerability Scan based on osvdb


From: Marc Ruef <marc.ruef () computec ch>
Date: Thu, 20 May 2010 08:44:39 +0200

Hello David,

I am currently working on a neat little nmap nse script. It uses the
version detection module of nmap to lookup potential flaws within the
offline csv export of osvdb. A first version of this script is running
already :) [1]

FYI: The screenshot has been updated and does provide the osvdb id of the finding:

http://www.computec.ch/mruef/software/screenshot_nmap_nse_vulscan_with_osvdb.png

I think I am going to work with dynamic report templates as I did within the ATK project before[1].

I'm not aware of any mapping between Nmap-style names and OSVDB names.
Nmap's names are meant to be human-readable, so they sometimes have a
description of the server type along with the name.

At the moment I am using the following code to find the best product name match:

--- cut ---

local products_words = explode(" ", product)

for x=#products_words, 1, -1 do
    -- Generate a best match string for the product name
    for y=1, x, 1 do
        if products_wordsearch == "" then
            products_wordsearch = products_words[y]
        else
products_wordsearch = products_wordsearch .. " " .. products_words[y]
        end
    end
end

--- cut ---

It works not bad ;) Thanks to Lee for the suggestions.

There are still probably inconsistencies in Nmap's database with regard
to naming. If OSVDB's is more consistent, then I would recommend mapping
Nmap names to OSVDB names.

I did also contact the moderators of the osvdb mailing list and they informed me about a potential limitation of osvdb (at the moment; thanks to David for the reply):

> -----Original Message-----
> From: David Shettler [mailto:dave () opensecurityfoundation org]
> Sent: Thursday, May 20, 2010 2:11 AM
> To: Marc Ruef
> Cc: moderators () osvdb org
> Subject: Re: [OSVDB Mods] [OSVDB] CSV Export Strange Problems
>
> (...)
object_correlations don't exist for every vulnerability -- mainly because volunteers haven't gotten around to matching up 
every vuln to a specific vendor/product.  I'd rely on titles more than object_correlations and object_vendors, etc.

This means a lookup with high confidence isn't possible anyway. Either way

* I have a high confidence but not all matches or

* I just grep the title strings, get "all" the matches but with a very limited amount of confidence.

:(

There was a proposal to use Common Platform Enumeration (CPE) in Nmap
version and OS output, but it didn't promise to bring much benefit and
no one implemented it. I admit something like that would make it easier
to do machine matching against a database.

CPE would be great. But I can understand that would require a *huge* effort for both projects. In the meanwhile an independend lookup table seems to be easier to create :(

Regards,

Marc

[1] http://www.computec.ch/projekte/atk/

--
Marc Ruef | marc.ruef () computec ch | http://www.computec.ch/mruef/
_________________________________________________________________
Meine letzte Publikation: "Potentielle, existente, ausnutzbare oder ausgenutzte Schwachstellen" http://www.computec.ch/news.php?item.328
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


Current thread: