Nmap Development mailing list archives
Re: architecture: device vs service
From: Fyodor <fyodor () insecure org>
Date: Tue, 8 Dec 2009 13:27:25 -0800
On Sun, Dec 06, 2009 at 03:01:21AM +0100, Willem wrote:
> What is the best practice on identifying devices that consist of otherwise autonomous components? For example, the Sitecom WL-404 ip cam. The latest nmap reports OS (linux 2.6.X) and port 80 service (thttpd 2.25b) correctly but obviously there's more for nmap to discover.
>
> An approach taken from nmap-service-probes (eg. the NSLU2 match), is to abuse the service detection and overrule the thttpd match with a Sitecom WL-404 match [1] but this looks like a Bad Idea.
>
> IMHO, it makes more sense to rename device-type to device-group and introduce device-type for specific brand/model/version info about the appliance, while leaving the service information intact.
>
> //Willem
>
> [1]
> +match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: thttpd/2.25b 29dec2003\r\n.+var MODEL = "WL-404"|s p/Sitecom ip cam/ v/WL-404/ d/webcam/
>  match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: thttpd/(\d[-.+\w]+) ([\w?]+)\r\n| p/thttpd/ v/$1 $2/
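Review bot: the added match line hard-codes the server string as `thttpd/2.25b 29dec2003` (with the dot in `2.25b` unescaped), so a WL-404 answering with any other thttpd build falls through to the generic line below and loses the model, while a response that does match loses the thttpd version because p// and v// are overwritten with the device name. Reuse the generic line's capture groups `thttpd/(\d[-.+\w]+) ([\w?]+)` ahead of the `var MODEL = "WL-404"` test, keep `p/thttpd/ v/$1 $2/`, and carry the device in i// alongside `d/webcam/`.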
Hi Willem. I agree that both pieces of data (that it is a Sitecom WL-404 IP cam and that it is running thttpd 2.25b) are important for users.

One thing we can do now (without changing our whole classification system) is put one piece of information in p// and v//, and the other in extrainfo (i//). Given that this is service detection for the web port in this case, my initial thought is that it would be better to put thttpd 2.25b as the p// and v// and then note Sitecom IP cam WL-404 in the i//.

Cheers,
Fyodor

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
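The two placements discussed in this thread, compared in an added example (not code from the thread or from Nmap): a small Python parser for a subset of the `match` line syntax, run against a constructed response with first-match-wins ordering. The `EXTRAINFO` line, the sample banner and the helper names are assumptions, and Python's `re` stands in for Nmap's PCRE.

```python
import re

# Constructed sample response: the Server header and MODEL variable follow the
# match lines quoted in the thread; everything else is made up.
BANNER = ('HTTP/1.1 200 OK\r\nServer: thttpd/2.25b 29dec2003\r\n'
          'Content-Type: text/html\r\n\r\n<script>var MODEL = "WL-404";</script>')

# Generic thttpd line as quoted in the thread.
GENERIC = (r'match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: thttpd/(\d[-.+\w]+) ([\w?]+)\r\n|'
           r' p/thttpd/ v/$1 $2/')
# The override quoted in the thread, placed ahead of the generic line.
OVERRIDE = [r'match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: thttpd/2.25b 29dec2003\r\n'
            r'.+var MODEL = "WL-404"|s p/Sitecom ip cam/ v/WL-404/ d/webcam/', GENERIC]
# Assumed wording of the alternative from the reply: thttpd stays in p// and v//,
# the device goes to i//. Illustrative only, not a line from nmap-service-probes.
EXTRAINFO = [r'match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: thttpd/(\d[-.+\w]+) ([\w?]+)\r\n'
             r'.+var MODEL = "WL-404"|s p/thttpd/ v/$1 $2/ i/Sitecom WL-404 IP cam/ d/webcam/',
             GENERIC]

# Subset of the syntax: m<delim>regex<delim>[is] followed by p, v, i and d fields.
LINE = re.compile(r'match (\S+) m(.)(.*?)\2([is]*)(?:\s+(.*))?$')
FIELD = re.compile(r'([pvid])(.)(.*?)\2')

def parse(line):
    """Split one match line into (service, compiled regex, field templates)."""
    service, _, pattern, flags, rest = LINE.match(line).groups()
    opts = (re.S if 's' in flags else 0) | (re.I if 'i' in flags else 0)
    return service, re.compile(pattern, opts), {k: v for k, _, v in FIELD.findall(rest or '')}

def detect(banner, lines):
    """Return the filled-in fields of the first line that matches, or None."""
    for line in lines:
        service, rx, fields = parse(line)
        m = rx.search(banner)
        if m:
            # Substitute $1, $2, ... with the regex capture groups.
            fill = lambda g: m.group(int(g.group(1))) or ''
            return {'service': service,
                    **{k: re.sub(r'\$(\d)', fill, v) for k, v in fields.items()}}
    return None

if __name__ == '__main__':
    print('override :', detect(BANNER, OVERRIDE))
    print('extrainfo:', detect(BANNER, EXTRAINFO))
```

With the override list the result carries no thttpd version at all; with the extrainfo list both the server version and the device model survive in one record.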