Home page logo

nmap-dev logo Nmap Development mailing list archives

From: ambarisha b <b.ambarisha () gmail com>
Date: Thu, 24 Mar 2011 04:42:26 +0530

have been studying the NIST CPE specification and David's reports from
http://seclists.org/nmap-dev/2010/q3/278 - OS fingerprints
http://seclists.org/nmap-dev/2010/q3/303 - version service probes

When I first read the specification,it seemed like the standard isn't
yet ready for adoption by the nmap database.But rethinking it , I
guess these are the pains you take to adopt a common standard.

I have studied the mockup script that David's report included.A few
things came to my mind:

1. The script doesn't use the cpe dictionary completely ( I guess the
vendor and vendor-family maps must have been obtained by referring the
dictionary and manually putting it in).Shouldn't we be cross-checking
a component name with the dictionary,because I think that the
specification relies heavily on the dictionary and in many situations
doesn't define clear-cut rules to express a cpe name.
2. The script doesn't try to use the Fingerprint line from each
fingerprint.I can see that we don't strictly follow a format,
nevertheless , there is a specific format we "try" to stick to while
writing the Fingerprint line.May be we can try to match the
Fingerprint line with the human-readable tag in the dictionary(I don't
mean a "cold" complete line match here).This ,ofcourse, would
introduce some amount of doubt about the accuracy.
3. The major concern is with the embedded device type and there is
quite a big number of them.Mostly we're storing the details regarding
the device in the Fingerprint line.So any progress on processing   the
Fingerprint line will yield good results here also.
4. We also need to have need to maintain consistency with the CPE
dictionary while adding new fingerprints.This,I think, can easily be
automated.Still,what if the cpe doesn't have a name registered yet?We
add the fingerprint to database without the cpe name.And we will also
have to revise the database periodically to see if any of the names
for the fingerprints without cpe name have been  registered.

With service probes there are many other concerns.The disparity
between the dictionary and nmap's database is going to be a problem.We
need to get all the new names into the cpe dictionary.There are
component names where the protocol specifies no clear rules but that
name should be obtained by contacting the company or the
organisation.These issues should also be resolved.What do you guys say

Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]