Re: Quake 3 query script submission

[David Fifield <david () bamsoftware com>]

On Mon, Jan 25, 2010 at 09:02:21AM -0600, Mak Kolybabi wrote:
> On 2010-01-25 06:25, Brandon Enright wrote:
> > First, you changed the generic Quake 3 match to a softmatch. Is the
> > idea here that we can get fingerprints for more specific matches?
>
> Yes. The fact that it tells you the OS and CPU as part of the version
> is kind of nice, too.
>
> > If you could do something like m|^\xff+\\gamename\\Nexuiz| the match
> > would be much, much faster. What sort of content are you matching
> > against here? If the best that can be added is .* then there is no
> > point.
>
> The response should be marker (\xff\xff\xff\xff), then type
> (getstatusResponse), then newline, then a game-specific number of
> key-value pairs (\key1\value1 ... \key2\value2).
>
> Anchors are possible, and something like the following should work:
>
> m|^\xff\xff\xff\xffgetstatusResponse\n.*\\gamename\\Nexuiz.*|
>
> I'll add in the anchors and retest.

When you send in your next results, please also include the raw
fingerprints that Nmap prints out (the SF: lines). We have scripts for
dealing with those automatically, and also then we can use our judgement
to avoid making the initial match lines too broad.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/