Nmap Development mailing list archives
Small Problem w/RegEx for Service Detection...
From: "Jay Freeman \(saurik\)" <saurik () saurik com>
Date: Sun, 3 Sep 2000 03:13:42 -0500
Fyoder> The question is whether it is powerful enough. I suspect that
Fyoder> the vast majority of protocols could be detected via a sufficiently
Fyoder> clever probe string and regex match. Can anyone think of any
Fyoder> protocols that could not be detected by method but could with a
Fyoder> more powerful (think "C") syntax? And RPC services don't count
Fyoder> because we can get them with the existing RPC grinder.

While working on the regular expression match nmap+V-2.2 uses to detect Ajp13, I ran into a small problem. After doing a little more research, it still seems to be a problem: unless I am missing something, regular expressions can't be used to detect \0 :-(.

If you take a look at my Ajp13 checker, you will notice it's rather weak. I send a bunch of binary data, and then check for AB. The third character sent back by the server is \0, and regcomp() takes a NULL-terminated C-style string, which is causing problems. It doesn't take a parameter for the length, and doesn't do much escaping on its own (just enough to handle its own structures, such as { and [). I tried passing it \\\0 and it bombed out with an error of "Trailing backslash" (was hoping it would escape the \0 :-); the man page for regex(7) _did_ say: a `\' followed by any other character (matching that character taken as an ordinary character, as if the `\' had not been present)).

When dealing with binary protocols \0 tends to be rather important. It could be skipped over with ., but in many cases the accuracy of the expression is then lost. In the Ajp13 case, after the \0 the next few characters represent the length of the remainder of the data. Perfect validation would involve making sure the length of the reply matches that number; next best would be waiting for the end of the reply for another AB\0, but to minimize the resources required for the scan, checking for getting first nothing and then AB\0 after sending the correct request is probably enough.

Just checking for the AB bothers me (mainly because of ABCDE :-) ) but I'd be rather confident that other protocols would show more of a pressing urge for wanting to correctly scan for \0. Anyone know of a more powerful, rather portable regex parser that supports \0 or maybe some alternative that could be used instead? Even better: a way to get regcomp() to escape the \0?

Sincerely,
Jay Freeman (saurik)
saurik () saurik com <mailto:saurik () saurik com>

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
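The check the post wants, as an added example that is not part of the thread or of nmap: a byte-oriented regex engine (Python's re here, unlike POSIX regcomp()) accepts a literal \0 in the pattern, so the match can require "AB\0" and then validate the length field against the rest of the reply, which is what rejects the "ABCDE" false positive. The frame layout is a constructed approximation of what the post describes (magic, \0, one length byte); real AJP13 replies carry "AB" followed by a 16-bit big-endian length, so the \0 is that length's high byte for replies under 256 bytes.

```python
import re

# Python's re works on bytes and the pattern may contain a literal NUL;
# POSIX regcomp() would stop reading the pattern at that byte.
# Assumed layout (constructed): "AB", then \0, then one byte giving the
# length of the remaining payload, then exactly that many payload bytes.
AJP13_REPLY = re.compile(rb"\AAB\x00(?P<length>.)", re.DOTALL)
HEADER_LEN = 4  # 'A', 'B', \0, length byte


def naive_check(data: bytes) -> bool:
    """The weak match the post describes: any reply starting with AB."""
    return data.startswith(b"AB")


def check_ajp13_reply(data: bytes) -> bool:
    """Strict match: AB, \\0, a length byte, and a payload of that length."""
    m = AJP13_REPLY.match(data)
    if m is None:
        return False
    declared = m.group("length")[0]
    # Perfect validation per the post: the remainder must be exactly
    # as long as the length field claims.
    return len(data) - HEADER_LEN == declared


if __name__ == "__main__":
    # Constructed sample replies, not captured traffic.
    samples = {
        "well-framed reply": b"AB\x00\x03\x05\x00\x00",
        "ABCDE false positive": b"ABCDE",
        "truncated reply": b"AB\x00\x03\x05",
    }
    for label, reply in samples.items():
        print(f"{label}: naive={naive_check(reply)} "
              f"strict={check_ajp13_reply(reply)}")
```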
Current thread:
- Small Problem w/RegEx for Service Detection... Jay Freeman (saurik) (Sep 03)
- Re: Small Problem w/RegEx for Service Detection... Paul Tod Rieger (Sep 03)
- RE: Small Problem w/RegEx for Service Detection... Jay Freeman (saurik) (Sep 03)
- Re: Small Problem w/RegEx for Service Detection... Paul Tod Rieger (Sep 06)