Re: Incorrect Telnet Detection

[Brandon Enright <bmenrigh () ucsd edu>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey Lionel,

We get this quite a bit too but I've never bothered to really
investigate.  A quick grep through my logs shows 25 machines throwing
Nessus false positives (not limited to telnet services) on the last scan
through campus.

I'm working on service fingerprints all day today so I'll add this to
my todo list of things to check into.

Brandon


On Wed, 19 Mar 2008 16:04:45 +0100 or thereabouts Lionel Cons
<lionel.cons () cern ch> wrote:

> I have recently scanned a clock that was running a telnet server which
> was mistakenly identified as a Nessus server:
>
> # nmap -sSV -p 23 1.2.3.4
> [...]
> PORT   STATE SERVICE VERSION
> 23/tcp open  nessus  Nessus Daemon (NTP v1.0)
>
> But:
>
> $ telnet 1.2.3.4
> [...]
> Inova Solutions Digital Clock
> Welcome to OnTime Clock Version 1.2.N
>
> iclock login: 
>
> Here is a suggested addition to nmap-service-probes to properly detect
> this service:
>
> match telnet m|^\xff\xfb\x01\xff\xfb\x03\s+Inova Solutions Digital
> Clock\s+Welcome to OnTime Clock Version ([\w\.]+)\s+iclock login:|s
> p/Inova Solutions Digital Clock/ v/$1/ d/clock/
>
> Cheers,
>
> Lionel
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.7 (GNU/Linux)

iD8DBQFH4WCsqaGPzAsl94IRAmDxAJ9VdoqGTMb7zOBsfyGnwrg56/yM0QCgopmf
mfqNxmYvdIvVTAxbDQXnWNw=
=/ibA
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org