Nmap Development mailing list archives

Microsoft SQL Server fingerprint question


From: Tom Sellers <nmap () fadedcode net>
Date: Thu, 03 Jan 2008 19:31:05 -0600

Nmap does not fingerprint Microsoft SQL running on TCP 1433 in my
test environment.  It also does not generate a fingerprint for
submission.

I have a reliable probe, based on a packet capture and some google-fu,
that will elicit a response from MS SQL 2000 and 2005. (It might also
work with SQL 7 but I do not have a host to test.)  The response from
the server starts with a consistent set of bytes so a signature can
be generated from this.  Towards the end of the response is a hex
encoded server software version string.

What would be the best way to handle this:

1.  Have a single match line that detects that MS SQL is running
     on the port.

2.  Have 3 match lines to detect the major versions of MS SQL,
     for example MS SQL 2000, MS SQL 2005, etc. Perhaps add a
     softmatch line before these to provide generic MS SQL detection
     for future proofing.

3.  Use a match line with pattern matching to extract the version
     number in hex, convert it to decimal and present it.  Can this
     be done?  (I saw a mention of helper functions in the docs but
     could not find anything else about them.  The comment toward
     the bottom of the match section:
     http://insecure.org/nmap/vscan/vscan-fileformat.html#vscan-db-match)

4.  Have multiple match lines and/or lua scripts that detect the
     version and other details.

5.  Some other option that I haven't considered.

Thanks much!

Tom

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
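As an added illustration of option 3 above (this is not code from the original post, nor Nmap's own match-line machinery): a small Python parser that locates the version bytes in a PRELOGIN-style response from a SQL Server port and renders them in decimal, which is exactly the conversion a match line would have to express. The packet layout it assumes (8-byte TDS header, option table terminated by 0xFF, VERSION option of major/minor/build/subbuild) follows the published MS-TDS PRELOGIN description, and the response bytes are constructed here rather than captured.

```python
import struct

# Assumed layout (from the MS-TDS PRELOGIN description, not from the post):
# header = type(1) status(1) length(2 BE) spid(2) packet_id(1) window(1);
# option table = repeated token(1) offset(2 BE) length(2 BE), ended by 0xFF;
# VERSION option (token 0x00) = major(1) minor(1) build(2 BE) subbuild(2 BE).
VERSION_TOKEN = 0x00
TERMINATOR = 0xFF
TDS_TABULAR_RESULT = 0x04


def build_sample_response(major, minor, build):
    """Constructed sample reply carrying only the VERSION option (not a capture)."""
    # One 5-byte option entry plus the terminator: payload starts at offset 6.
    table = struct.pack(">BHH", VERSION_TOKEN, 6, 6) + bytes([TERMINATOR])
    payload = struct.pack(">BBHH", major, minor, build, 0)
    body = table + payload
    header = struct.pack(">BBHHBB", TDS_TABULAR_RESULT, 0x01, 8 + len(body), 0, 1, 0)
    return header + body


def parse_version(response):
    """Return (major, minor, build) from a PRELOGIN reply, or None if it does not fit."""
    if len(response) < 8 or response[0] != TDS_TABULAR_RESULT:
        return None
    declared_len = struct.unpack(">H", response[2:4])[0]
    if declared_len != len(response):        # truncated or padded packet
        return None
    body = response[8:]
    pos = 0
    while pos < len(body) and body[pos] != TERMINATOR:
        if pos + 5 > len(body):               # option table runs off the end
            return None
        token, offset, olen = struct.unpack(">BHH", body[pos:pos + 5])
        if token == VERSION_TOKEN:
            data = body[offset:offset + olen]
            if olen < 4 or len(data) < 4:     # bounds-check before unpacking
                return None
            return struct.unpack(">BBH", data[:4])
        pos += 5
    return None


def version_string(response):
    """Decimal dotted form, e.g. '9.0.3042', as a match line would present it."""
    v = parse_version(response)
    return None if v is None else "%d.%d.%d" % v
```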