Nmap Development mailing list archives

Re: architecture: device vs service


From: Fyodor <fyodor () insecure org>
Date: Tue, 8 Dec 2009 13:27:25 -0800

On Sun, Dec 06, 2009 at 03:01:21AM +0100, Willem wrote:
What is the best practice on identifying devices that consist of
otherwise autonomous components? For example, the Sitecom WL-404 ip
cam. The latest nmap reports OS (linux 2.6.X) and port 80 service
(thttpd 2.25b) correctly but obviously there's more for nmap to
discover.

An approach taken from nmap-service-probes (eg. the NSLU2 match), is
to abuse the service detection and overrule the thttpd match with a
Sitecom WL-404 match [1] but this looks like a Bad Idea. IMHO, it
makes more sense to rename device-type to device-group and introduce
device-type for specific brand/model/version info about the appliance,
while leaving the service information intact.

//Willem

[1]
+match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: thttpd/2.25b
29dec2003\r\n.+var MODEL = "WL-404"|s p/Sitecom ip cam/ v/WL-404/
d/webcam/
match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: thttpd/(\d[-.+\w]+)
([\w?]+)\r\n| p/thttpd/ v/$1 $2/
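Review bot: the added match at [1] puts the appliance into p// and v// (p/Sitecom ip cam/ v/WL-404/) and drops the two capture groups that the existing generic line feeds into v/$1 $2/, so the thttpd version is no longer reported; and because `Server: thttpd/2.25b 29dec2003` is matched literally, a firmware update shipping a newer thttpd would not fire this line at all and would fall through to the generic match, losing the device identification as well. Keep the capture groups from the generic line and record the appliance in the extrainfo field instead, e.g. `p/thttpd/ v/$1 $2/ i/Sitecom IP cam WL-404/ d/webcam/`.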

Hi Willem.  I agree that both pieces of data (that it is a Sitecom
WL-404 IP cam and that it is running thttpd 2.25b) are important for
users.  One thing we can do now (without changing our whole
classification system) is put one piece of information in p// and v//,
and the other in extrainfo (i//).  Given that this is service
detection for the web port in this case, my initial thought is that it
would be better to put thttpd 2.25b as the p// and v// and then note
Sitecom IP cam WL-404 in the i//.

Cheers,
Fyodor
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
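As an added example (not code from this thread or from the Nmap project), the Python script below shows how the field layout Fyodor suggests behaves in practice. It parses two constructed match lines in nmap-service-probes syntax, a device-specific line that keeps thttpd in p// and v// and records the appliance in i//, and the generic thttpd line, then runs them in order against constructed HTTP banners. The match lines, the banners and the parser are assumptions written for this example; the parser covers only the subset of the nmap-service-probes syntax used here (the m|...| regex with the s and i flags, and p/ v/ i/ d/ fields with $n substitution), not the full format.

```python
import re

# Constructed match lines in nmap-service-probes syntax, written for this
# example (not copied from the real nmap-service-probes file). The first keeps
# thttpd in p// and v// and notes the appliance in i//; the second is the
# generic thttpd match. Order matters: the first line whose regex fires wins.
PROBE_LINES = [
    r'match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: thttpd/(\d[-.+\w]+) ([\w?]+)\r\n.+var MODEL = "WL-404"|s p/thttpd/ v/$1 $2/ i/Sitecom IP cam WL-404/ d/webcam/',
    r'match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: thttpd/(\d[-.+\w]+) ([\w?]+)\r\n| p/thttpd/ v/$1 $2/',
]

# match <service> m<delim>regex<delim>[flags] <fields...>
MATCH_LINE_RE = re.compile(r'^match\s+(\S+)\s+m(.)(.*?)\2([a-z]*)\s*(.*)$')
# p/product/ v/version/ i/info/ d/devicetype/ ... with any non-word delimiter
FIELD_RE = re.compile(r'(?:^|(?<=\s))([pvidho])([^\w\s])(.*?)\2')
FIELD_NAMES = {'p': 'product', 'v': 'version', 'i': 'extrainfo',
               'd': 'devicetype', 'o': 'ostype', 'h': 'hostname'}
REGEX_FLAGS = {'s': re.DOTALL, 'i': re.IGNORECASE}


def parse_match_line(line):
    """Split one 'match' line into service, compiled regex and field templates."""
    m = MATCH_LINE_RE.match(line)
    if not m:
        raise ValueError('not a match line: %r' % line)
    service, _delim, pattern, flags, rest = m.groups()
    re_flags = 0
    for f in flags:
        re_flags |= REGEX_FLAGS[f]
    fields = {FIELD_NAMES[key]: value for key, _d, value in FIELD_RE.findall(rest)}
    return {'service': service, 'regex': re.compile(pattern, re_flags),
            'fields': fields}


def expand(template, mo):
    """Replace $1, $2, ... in a field template with the regex capture groups."""
    return re.sub(r'\$(\d+)', lambda s: mo.group(int(s.group(1))) or '', template)


def classify(banner, probe_lines=PROBE_LINES):
    """Return the fields of the first match line that fires, or None."""
    text = banner.decode('latin-1')
    for line in probe_lines:
        entry = parse_match_line(line)
        mo = entry['regex'].search(text)
        if mo is None:
            continue
        result = {'service': entry['service']}
        for name in ('product', 'version', 'extrainfo', 'devicetype'):
            tmpl = entry['fields'].get(name)
            result[name] = expand(tmpl, mo) if tmpl is not None else None
        return result
    return None


# Constructed banners standing in for a WL-404, a plain thttpd host and an
# unrelated server; they are not captures from real devices.
WL404_BANNER = (
    b'HTTP/1.0 200 OK\r\n'
    b'Server: thttpd/2.25b 29dec2003\r\n'
    b'Content-Type: text/html; charset=iso-8859-1\r\n'
    b'\r\n'
    b'<html><head><script>var MODEL = "WL-404";</script></head></html>'
)
PLAIN_THTTPD_BANNER = (
    b'HTTP/1.1 200 OK\r\n'
    b'Server: thttpd/2.25b 29dec2003\r\n'
    b'Content-Type: text/html\r\n'
    b'\r\n'
    b'<html><body>index</body></html>'
)
OTHER_BANNER = b'HTTP/1.1 200 OK\r\nServer: Apache/2.2.3\r\n\r\n'

if __name__ == '__main__':
    for banner in (WL404_BANNER, PLAIN_THTTPD_BANNER, OTHER_BANNER):
        print(classify(banner))
```

Run as is, the WL-404 banner yields product thttpd, version "2.25b 29dec2003" and extrainfo "Sitecom IP cam WL-404", while the plain thttpd banner yields the same product and version with no extrainfo. Passing the match lines in reverse order makes the generic line fire first on the WL-404 banner and the device information is dropped, which is why a device-specific line has to precede the generic one in the file.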