Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: NIST CPE
From: Henri Doreau <henri.doreau () greenbone net>
Date: Wed, 30 Mar 2011 14:36:50 +0200

Hello,

I am currently working to improve host and service detection within
OpenVAS. CPEs are a key point in this task and one of my aims is to
add CPE support for Nmap (upon which OpenVAS relies heavily).

2011/3/27 David Fifield <david () bamsoftware com>:
On Thu, Mar 24, 2011 at 04:42:26AM +0530, ambarisha b wrote:
2. The script doesn't try to use the Fingerprint line from each
fingerprint.I can see that we don't strictly follow a format,
nevertheless , there is a specific format we "try" to stick to while
writing the Fingerprint line.May be we can try to match the
Fingerprint line with the human-readable tag in the dictionary(I don't
mean a "cold" complete line match here).This ,ofcourse, would
introduce some amount of doubt about the accuracy.

This is a good idea and it would be great to see an implementation of
it. The matching doesn't have to be perfect, only good enough to save a
human lots of work. It's fine if a few names still need to be handled
manually. Instead of matching dictionary descriptions, I would just
build another map or common patterns that we use (like "SP2") to CPE
components. This makes it a little more complicated because one
Fingerprint line can correspond to multiple CPE names. For example,
"Microsoft Windows XP SP2 - SP3" would become
       cpe:/o:microsoft:windows_xp::sp2
       cpe:/o:microsoft:windows_xp::sp3
This is even worse with names like "Linux 2.6.9 - 2.6.14".

This is the way I am following. It's too early for me to release any
result or conclusion but I wrote a proof of concept library that
performs CPE lookups in the official dictionary. It relies on several
parameters to do fuzzy matching between CPE titles and a free form
description. The most important one is the "Levenstein distance" but I
have also added other empirically determined tests (like weighting a
match on the OS/application name more than the version numbers for
instance).

This gives good and constantly improving results, but not enough to
consider updating the database from it yet. I think that an efficient
tool will need to combine several methods to produce reliable results
with a minimal human reviewing effort.

Regards.

-- 
Henri Doreau |  Greenbone Networks GmbH  |  http://www.greenbone.net
Neuer Graben 17, 49074 Osnabrueck, Germany | AG Osnabrueck, HR B 202460
Executive Directors: Lukas Grunwald, Dr. Jan-Oliver Wagner
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]