Nmap Development mailing list archives

Re: Possible new device categories for service detection


From: Fyodor <fyodor () insecure org>
Date: Sun, 8 Feb 2009 13:17:34 -0800

On Sun, Feb 08, 2009 at 07:51:45PM +0000, doug () hcsw org wrote:

> What does everybody think about the following new categories?
> 
> * security-camera
> 
> Right now all cameras are classified as "webcam" but honestly
> I don't really consider things like 24-stream closed-circuit
> digital security recorders (DVRs) and the like to be webcams.

Hi Doug.  While we could split 'webcam' into more categories, I'm not
sure it is worth the extra categorization work.  The Wikipedia
"webcam" entry notes many types of webcams, from the security systems
to video conferencing systems, traditional cheap consumer webcams,
etc.  It is a lot easier to label them all webcams than to try and
figure out which is which for each submission we integrate.

What would really help, IMHO, is a document describing how we classify
each device type.  That document could note that we use a broad
definition of webcam.

> * IDS
> 
> Right now these are either security-misc or firewall. I was
> just wondering if a device advertises itself as an IDS if
> we should be more specific. I guess this would open the
> door to all sorts of other things though... IPS? Maybe
> security-misc is OK for these?

If it's a firewall+IDS, then I think firewall is the right choice.  But
if we have a decent number of standalone IDSes, I think it is
reasonable and useful to split them off from security-misc.  I'd say
that there should be at least half a dozen devices in a category (such
as IDS) in nmap-os-db and nmap-service-probes combined to warrant
splitting them off.  Interestingly, nmap-os-db doesn't even have a
security-misc category and I don't see much in the way of IDSes from a
quick grep.

nmap-os-db has about a dozen devices which only exist once or twice in
the file:

      2  web server
      2  TV
      2  terminal server
      2  telecom-misc
      2  oscilloscope
      1  server appliance
      1  security system
      1  projector
      1  mail server
      1  broadband modem
      1  authentication server
      1  ATM

I think we should try to avoid having such tiny categories.  I'm about
to get rid of most of these as follows:

o Put 'TV' into 'media device'
o Put 'projector' into 'media device'
o Put 'oscilloscope' into 'specialized'
o Put 'server appliance' into 'general purpose' (it's a Linux box which
  can do a lot, from print/file serving to firewall)
o Change 'security system' to 'security-misc' (now we do have one of
  those in nmap-os-db)!
o Put 'mail server' into 'specialized'
o Change 'broadband modem' to 'broadband router' (some of the other 99
  in that category may technically be "modems" too).
o Change 'authentication server' to 'security-misc'
o Put 'ATM' in 'specialized'

That gets rid of 9 out of 12 right there.

Cheers,
-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
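The tally of device types that the message above derives from nmap-os-db can be reproduced by parsing the file's Class lines. The script below is an added example, not code from the post or from the Nmap project; it assumes the Class line layout `Class vendor | OS family | OS generation | device type` and runs against a constructed sample rather than the real database.

```python
import re
from collections import Counter

# Constructed excerpt in the nmap-os-db "Class" line layout:
#   Class <vendor> | <OS family> | <OS generation> | <device type>
# Entries are invented for illustration, not real nmap-os-db content.
SAMPLE_OS_DB = """\
Fingerprint Example router
Class ExampleCorp | embedded || broadband router
Class ExampleCorp | embedded || broadband router

Fingerprint Example modem
Class ExampleCorp | embedded || broadband modem

Fingerprint Example scope
Class ScopeMaker | embedded || oscilloscope

Fingerprint Example Linux hosts
Class Linux | Linux | 2.6.X | general purpose
Class Linux | Linux | 2.4.X | general purpose
Class Linux | Linux | 2.6.X | general purpose

Fingerprint Example appliance
Class Linux | Linux | 2.6.X | server appliance
"""

CLASS_RE = re.compile(r"^Class\s+(.*)$")


def device_type_counts(db_text):
    """Count occurrences of the device-type field (4th '|' field) over all Class lines."""
    counts = Counter()
    for line in db_text.splitlines():
        m = CLASS_RE.match(line.strip())
        if not m:
            continue
        fields = [f.strip() for f in m.group(1).split("|")]
        if len(fields) != 4:
            continue  # malformed Class line: skip rather than miscount it
        counts[fields[3]] += 1
    return counts


def tiny_categories(db_text, minimum=6):
    """Return {device type: count} for categories below the 'half a dozen' threshold."""
    return {k: v for k, v in device_type_counts(db_text).items() if v < minimum}


if __name__ == "__main__":
    # Print in the same "count  category" shape as sort | uniq -c output.
    for dtype, n in sorted(tiny_categories(SAMPLE_OS_DB).items(), key=lambda kv: (-kv[1], kv[0])):
        print(f"{n:7d}  {dtype}")
```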