Nmap Development mailing list archives

Re: softmatch for http
From: Fyodor <fyodor () nmap org>
Date: Tue, 17 Sep 2013 17:17:37 -0700

On Fri, Sep 13, 2013 at 7:09 AM, Till Maas <opensource () till name> wrote:
I noticed that the nmap-service-probes file contains only a generic
softmatch http entry that is commented. The comment mentions problems
with other http services. However I fail to see why it is an improvement
to make nmap output "http?" instead of "http" for ports that are
verified to be at least HTTP based. Can this please be re-evaluated?

Hi Till.  We do have some softmatches for HTTP (e.g. if we at least see
that it is Apache), but as you note we commented out the one which just
looked for "HTTP/1.[01] \d\d\d" in response.  The problem is that when we
softmatch a protocol, Nmap version detection limits further searching to
probes which have at least one signature for that protocol.  That is a
great optimization in most cases, but it doesn't work well for http because
so many other protocols use http as underlying transport.  For example,
UPnP and some https servers will answer a GET request with HTTP/1.*, but we
don't want Nmap to then limit its search just to "http".
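The probe-pruning trade-off Fyodor describes, as an added example written for this archive page. It is a constructed, simplified model, not Nmap's own code or its nmap-service-probes file; the probe names, signature regexes and the two banners are assumptions made for the demo.

```python
import re

# Added example: a constructed, simplified model of the rule Fyodor describes,
# not Nmap's own code or its nmap-service-probes file. Probe names, signature
# regexes and the two banners below are assumptions made for the demo.

GENERIC_HTTP_SOFTMATCH = ("softmatch", "http", r"^HTTP/1\.[01] \d\d\d")

def build_probes(with_generic_softmatch):
    """Probe table in send order: (name, [(kind, service, regex), ...])."""
    get_request = [("match", "http", r"^HTTP/1\.[01] \d\d\d .*\r\nServer: Apache")]
    if with_generic_softmatch:
        get_request.append(GENERIC_HTTP_SOFTMATCH)   # the commented-out line
    return [
        ("GetRequest", get_request),
        ("HTTPOptions", [("match", "http", r"^HTTP/1\.[01] \d\d\d .*\r\nAllow: ")]),
        # Carries only a upnp signature, so it is pruned once "http" soft-matched.
        ("UPnPSearch", [("match", "upnp", r"(?i)\r\nserver:[^\r\n]*UPnP/\d")]),
    ]

def detect(probes, responder):
    """Return the service name: exact 'svc', soft 'svc?', or None.

    responder(probe_name) -> banner string the target answers with.
    After a softmatch, probes with no signature for that service are skipped."""
    soft = None
    for name, sigs in probes:
        if soft is not None and not any(svc == soft for _, svc, _ in sigs):
            continue                       # pruned by the softmatch optimization
        banner = responder(name)
        for kind, svc, rx in sigs:         # hard matches win outright
            if kind == "match" and re.search(rx, banner):
                return svc
        for kind, svc, rx in sigs:         # otherwise record the first softmatch
            if kind == "softmatch" and soft is None and re.search(rx, banner):
                soft = svc
    return soft + "?" if soft else None

# Constructed banners: a UPnP device and an Apache server answering every probe.
UPNP_BANNER = ("HTTP/1.1 200 OK\r\nContent-Type: text/xml\r\n"
               "Server: Linux/3.4 UPnP/1.0 ConstructedMediaServer/1.0\r\n\r\n")
APACHE_BANNER = "HTTP/1.1 200 OK\r\nServer: Apache/2.4.4\r\n\r\n"

def scan(banner, with_generic_softmatch):
    return detect(build_probes(with_generic_softmatch), lambda probe: banner)

if __name__ == "__main__":
    for label, banner in (("upnp", UPNP_BANNER), ("apache", APACHE_BANNER)):
        print(label, "generic softmatch on:", scan(banner, True),
              "off:", scan(banner, False))
```

With the generic softmatch enabled the UPnP device is reported as "http?" because the upnp-only probe is never sent, while with it disabled the same device resolves to "upnp"; the Apache banner hard-matches "http" either way.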

Sent through the dev mailing list
Archived at http://seclists.org/nmap-dev/
