Nmap Development mailing list archives

Re: More Service Detection Notes (Skype)


From: doug () hcsw org
Date: Wed, 26 Jul 2006 00:25:58 -0700

Hi Brandon,

On Wed, Jul 26, 2006 at 05:56:46AM +0000 or thereabouts, Brandon Enright wrote:
> match skype m|(.*[^\0-\x04\s!-~]){10}|s p/Skype v2 random data/
>
> Being able to require two
> different probes to match would get us within acceptable margins.
> Together with the above match *and* "HTTP/1\.0 404 Not Found\r\n\r\n"
> we'd be able to match Skype very reliably.

I agree completely.

What do you think about an addition to the nmap-service-probes
format that requires multiple match lines having to be triggered
in order to report a result? Specifically, do you (or anyone else) see
anything wrong with the following:

...
Probe TCP GenericLines q|\r\n\r\n|
...
match &skype2 m|(.*[^\0-\x04\s!-~]){10}|s p/Skype v2/
...
Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n|
...
match &skype2 m|^HTTP/1\.0 404 Not Found\r\n\r\n$| p/Skype v2/
...


where the '&'s preceding the service names mean that all such match lines
need to match in order to trigger a match?

Doug
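
The '&' semantics proposed in the message above, sketched as an added example (not code from the post or from Nmap): a simplified parser for the two proposed match lines and an evaluator that reports a service only when every '&' line for it matched. The '&' prefix exists only in this proposal, and the responses and the hosts they stand for are constructed.

```python
import re

# Probe/match lines as proposed in the message; '&' is not real Nmap syntax.
PROBES = r"""
Probe TCP GenericLines q|\r\n\r\n|
match &skype2 m|(.*[^\0-\x04\s!-~]){10}|s p/Skype v2/
Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n|
match &skype2 m|^HTTP/1\.0 404 Not Found\r\n\r\n$| p/Skype v2/
"""
# Simplified parser: assumes '|' delimiters and only a p/.../ field.
MATCH_RE = re.compile(r"match (&?)(\S+) m\|(.*)\|([is]*) p/([^/]*)/")

def parse(text):
    """Return a list of (probe, is_and, service, regex, product) tuples."""
    rules, probe = [], None
    for line in text.strip().splitlines():
        if line.startswith("Probe "):
            probe = line.split()[2]
        elif (m := MATCH_RE.match(line)):
            flags = (re.S if "s" in m[4] else 0) | (re.I if "i" in m[4] else 0)
            rules.append((probe, bool(m[1]), m[2],
                          re.compile(m[3].encode(), flags), m[5]))
    return rules

def detect(rules, responses):
    """responses maps probe name -> bytes received. Returns product or None."""
    groups = {}
    for probe, is_and, service, rx, product in rules:
        hit = rx.search(responses.get(probe, b"")) is not None
        if is_and:
            groups.setdefault((service, product), []).append(hit)
        elif hit:
            return product          # ordinary match line: one hit suffices
    for (_, product), hits in groups.items():
        if all(hits):               # '&' group: every line must have matched
            return product
    return None

RULES = parse(PROBES)
NOT_FOUND = b"HTTP/1.0 404 Not Found\r\n\r\n"
NOISE = bytes.fromhex("9f3ac4e1057bd2886e10f3a7c95d81b4")  # constructed sample
# Constructed responses for three hypothetical hosts.
SKYPE_LIKE = {"GenericLines": NOISE, "GetRequest": NOT_FOUND}
WEB_SERVER = {"GenericLines": b"HTTP/1.0 400 Bad Request\r\n\r\n",
              "GetRequest": NOT_FOUND}
BINARY_SVC = {"GenericLines": NOISE, "GetRequest": NOISE[::-1]}

if __name__ == "__main__":
    for name, r in [("skype-like", SKYPE_LIKE), ("web", WEB_SERVER),
                    ("binary", BINARY_SVC)]:
        print(name, "->", detect(RULES, r))
```

Either line alone would flag the web server or the binary service; with the '&' grouping only the host that answers both probes as described is reported.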

