Nmap Development mailing list archives
More intelligent OS fingerprint merging
From: David Fifield <david () bamsoftware com>
Date: Fri, 29 Jun 2007 15:09:48 -0600
Nmap can perform OS detection several times against a host, resulting in serveral fingerprints. When Nmap displays these fingerprints, it merges them into one and tries to remove lines that are duplicated between the fingerprints, reducing the overall length of the fingerprint string. If some lines from a fingerprint were missing or out of order, the duplicate-line elimination code would get confused and leave in duplicate lines. The duplicate lines make the fingerprint unnecessarily long and make it harder to read. r5046 in /nmap-exp/soc07/nmap fixes this. It puts all the lines in a list and sorts it before removing duplicates, ensuring that they are all removed and that they are displayed strictly in the correct order. To compare lines, the old code used the same function that is used when matching observed fingerprints to the reference database. This function, in addition to treating the values of one fingerprint's tests as expressions, also ignores tests that are present in one fingerprint but not in the other. I thought this behavior was wrong for the merging code, so I changed the merging code to use plain string comparisons. Because this code is related to OS fingerprint submission, it's fairly important. Therefore I wrote in a check to ensure that no tests are accidentally lost by the new merging code. David Fifield _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- More intelligent OS fingerprint merging David Fifield (Jun 29)
- Re: More intelligent OS fingerprint merging Fyodor (Jun 29)