Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: NIST CPE
From: David Fifield <david () bamsoftware com>
Date: Thu, 31 Mar 2011 23:04:08 -0700

On Wed, Mar 30, 2011 at 02:36:50PM +0200, Henri Doreau wrote:
I am currently working to improve host and service detection within
OpenVAS. CPEs are a key point in this task and one of my aims is to
add CPE support for Nmap (upon which OpenVAS relies heavily).

2011/3/27 David Fifield <david () bamsoftware com>:
On Thu, Mar 24, 2011 at 04:42:26AM +0530, ambarisha b wrote:
2. The script doesn't try to use the Fingerprint line from each
fingerprint.I can see that we don't strictly follow a format,
nevertheless , there is a specific format we "try" to stick to while
writing the Fingerprint line.May be we can try to match the
Fingerprint line with the human-readable tag in the dictionary(I don't
mean a "cold" complete line match here).This ,ofcourse, would
introduce some amount of doubt about the accuracy.

This is a good idea and it would be great to see an implementation of
it. The matching doesn't have to be perfect, only good enough to save a
human lots of work. It's fine if a few names still need to be handled
manually. Instead of matching dictionary descriptions, I would just
build another map or common patterns that we use (like "SP2") to CPE
components. This makes it a little more complicated because one
Fingerprint line can correspond to multiple CPE names. For example,
"Microsoft Windows XP SP2 - SP3" would become
       cpe:/o:microsoft:windows_xp::sp2
       cpe:/o:microsoft:windows_xp::sp3
This is even worse with names like "Linux 2.6.9 - 2.6.14".

This is the way I am following. It's too early for me to release any
result or conclusion but I wrote a proof of concept library that
performs CPE lookups in the official dictionary. It relies on several
parameters to do fuzzy matching between CPE titles and a free form
description. The most important one is the "Levenstein distance" but I
have also added other empirically determined tests (like weighting a
match on the OS/application name more than the version numbers for
instance).

Henri, I'm sure you know more about how CPE is actually used than most
of us. In your opinion, would a partial result like
cpe:/o:microsoft:windows_xp be useful to people (better than nothing),
or are they going to want more precise information like
cpe:/o:microsoft:windows_xp::sp3.

It seems like offering even a little bit of information is useful, but
if someone has the CPE hooked up to a vulnerability database or
something, they may not want to see spurious alerts about Windows XP
when the OS is actually Windows XP SP3 and already has the vulnerability
fixed.

I'm trying to get information on whether it would be better to at first
implement very easy, but incomplete, CPE (like the cpeify-os.py script);
or if the output needs to be mostly complete to begin with.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]