Nmap Development mailing list archives
Re: question about Network Associates ePolicy Orchestrator detection
From: "DePriest, Jason R." <jrdepriest () gmail com>
Date: Wed, 30 May 2007 15:28:55 -0500
On 5/30/07, Brandon Enright wrote:
On Wed, 30 May 2007 13:43:49 -0500
"DePriest, Jason R." <jrdepriest () gmail com> wrote:

<snip>

> My questions are:
> * can the existing fingerprint be updated to catch some of the other
> information?

From your data below, it looks like this is easy to do.

> * at what point does this become a job for NSE?

As long as the initial data comes back in one step and can be matched
by a regular language then never. As soon as interaction is required
or the data requires some computation to be done NSE will be needed.

>
> Here is an example of what you get now:
> Interesting ports on computer.domain.com (ww.xx.yy.zz):
> PORT     STATE SERVICE VERSION
> 8081/tcp open  http    Network Associates ePolicy Orchestrator
> (Computername: COMPUTER)
>
> Without the stylesheet, the data returned from the ePO agent is just a
> long ugly line of XML.
>
> It starts like this:
> <ComputerName>COMPUTER</ComputerName><version>3.5.5.580</version><AgentGUID>{26E623DD-4ED7-4F93-87CD-C654A9AE7EB6}</AgentGUID><ePOServerName>SERVER</ePOServerName>

This is a pretty short snippet, and only one example, but assuming
<version /> always trails <ComputerName /> the patch attached should
do the job.

>
> So pulling out the version of the ePO agent and the server name should
> be trivial for someone other than me who knows how to write
> fingerprints / signatures.

Anyone familiar with regular expressions (perl syntax/PCRE) can start
right away.

>
> Anything else would probably need NSE to dig a bit deeper.

If there really is more interesting information available that we want
to get, send the full output and I'm sure someone will take a look.

>
> -Jason
>

Please give the attached patch a try and let me know if it works. It
currently relies on the new fingerprint to be before the old one, which
probably isn't a great idea in the long run. If all versions of ePO
match the new fingerprint then the old one can be removed.

Someone who knows more about this than me should chime in with their
thoughts.

Brandon

-- 
Brandon Enright
Network Security Analyst
UCSD ACS/Network Operations
bmenrigh () ucsd edu
Yes, it works.

PORT     STATE SERVICE VERSION
8081/tcp open  http    Network Associates ePolicy Orchestrator 3.5.5.580 (Computername: COMPUTER)

I'll need to find an easy way to sanitize the full output before I can
send it. I will see what documentation on the format I can dig up in
the meantime.

I am attaching a screenshot of what the XML looks like after it runs
through the stylesheet. The stuff circled in green shows that this
system is running version 8.0.0 of VirusScan with HotFix 14 applied.

The thing I really want to find out (if possible, and I'll do the
digging) is virus definition file version.

-Jason
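As an added example (not Brandon's attached patch and not nmap's own code), here is the extraction Brandon describes, done in Python's re module, which accepts the same PCRE-style syntax an nmap-service-probes match line uses. It goes one step beyond the patch as discussed: each element is located independently, so it keeps working even if <version> does not directly trail <ComputerName>. The banner and the GUID in it are constructed for the example.

```python
import re

# Constructed sample banner modelled on the XML fragment quoted in the
# thread; the GUID below is a placeholder, not a real agent id.
SAMPLE_BANNER = (
    "<ComputerName>COMPUTER</ComputerName><version>3.5.5.580</version>"
    "<AgentGUID>{00000000-0000-0000-0000-000000000000}</AgentGUID>"
    "<ePOServerName>SERVER</ePOServerName>"
)

# Illustrative shape of an nmap-service-probes match line for the same data
# (not the patch from the thread). It hard-wires the element order:
#   match http m|^<ComputerName>([^<]+)</ComputerName><version>([^<]+)</version>|
#     p/Network Associates ePolicy Orchestrator/ v/$2/ i/Computername: $1/
#
# The dictionary below decouples the fields so element order does not matter.
FIELDS = {
    "computername": re.compile(r"<ComputerName>([^<]*)</ComputerName>"),
    "version": re.compile(r"<version>(\d+(?:\.\d+)*)</version>"),
    "server": re.compile(r"<ePOServerName>([^<]*)</ePOServerName>"),
}


def match_epo(banner):
    """Return the fields a fingerprint would report, or None when the
    response does not look like an ePO agent banner at all."""
    if "<ComputerName>" not in banner:
        return None
    out = {}
    for name, rx in FIELDS.items():
        m = rx.search(banner)
        out[name] = m.group(1) if m else None   # missing element -> None
    return out


def format_service_line(port, fields):
    """Render the fields the way the thread's nmap output shows them.
    Appending the server name to the info field is this example's choice."""
    info = "Computername: %s" % fields["computername"]
    if fields["server"]:
        info += "; ePOServer: %s" % fields["server"]
    version = (" " + fields["version"]) if fields["version"] else ""
    return "%d/tcp open http Network Associates ePolicy Orchestrator%s (%s)" % (
        port, version, info)


if __name__ == "__main__":
    print(format_service_line(8081, match_epo(SAMPLE_BANNER)))
```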
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org