Nmap Development mailing list archives
Coherence of Version Detection
From: Marc Ruef <marc.ruef () computec ch>
Date: Fri, 30 Apr 2010 09:43:42 +0200
Hello,
We did a large-scale scan recently (hundreds of internal hosts). To moderate and report the results, we use a self-written parsing-script to import all xml data into a database (it is more an expert system). [1]
During the moderation process we identified that version detection of nmap is determining IIS web servers differently. The identifier strings are (nmap 5.21 used):
* Microsoft IIS httpd
* Microsoft IIS httpd 6.0
* Microsoft IIS httpd 7.5
* Microsoft IIS webserver 6.0
* Microsoft IIS webserver 7.5
It looks like the same version is reported with different names: Once as "httpd x.y" and once as "webserver x.y".
I was crawling through nmap-service-probes to identify the affected entries. Is there a reason why there is a different naming? If not, wouldn't it be a good idea to normalize the naming convention as far as possible?
Otherwise, we would have to do this ourselves to provide the possibility of software inventory reports. In this case we would maintain nmap-service-probes ourselves or change the data during parsing.
Regards,
Marc
[1] The basic idea is summarized at http://www.scip.ch/?labs.20090814 (focussing on Qualys Scan; German only).
--
Marc Ruef | marc.ruef () computec ch | http://www.computec.ch/mruef/
My latest publication: "Der Cyberstalker" http://www.computec.ch/news.php?item.326
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
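The "change the data during parsing" option from the message above, as an added example that is not part of the original post or of Nmap: it reads Nmap XML output, folds the "httpd" and "webserver" spellings of the IIS product into one name, and counts (product, version) pairs for an inventory report. The alias table, the function names and the sample XML are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in Nmap -oX layout (documentation-range addresses).
_HOST = ('<host><address addr="192.0.2.{n}" addrtype="ipv4"/><ports>'
         '<port protocol="tcp" portid="80"><state state="open"/>'
         '<service name="http" {attrs}/></port></ports></host>')
SAMPLE_XML = "<nmaprun>" + "".join([
    _HOST.format(n=1, attrs='product="Microsoft IIS httpd"'),
    _HOST.format(n=2, attrs='product="Microsoft IIS httpd" version="6.0"'),
    _HOST.format(n=3, attrs='product="Microsoft IIS httpd" version="7.5"'),
    _HOST.format(n=4, attrs='product="Microsoft IIS webserver" version="6.0"'),
    _HOST.format(n=5, attrs='product="Microsoft IIS webserver" version="7.5"'),
    _HOST.format(n=6, attrs='method="table"'),  # port-table guess, no product
]) + "</nmaprun>"

# Assumed alias table: (pattern, canonical product name). Extend per product.
ALIASES = [
    (re.compile(r"^Microsoft IIS (httpd|webserver)$", re.I), "Microsoft IIS httpd"),
]

def normalize_product(product):
    """Collapse whitespace and map known spellings to one canonical name."""
    product = " ".join(product.split())
    for pattern, canonical in ALIASES:
        if pattern.match(product):
            return canonical
    return product  # unknown products pass through unchanged

def inventory(xml_text):
    """Count (canonical product, version) pairs over open ports."""
    counts = Counter()
    for port in ET.fromstring(xml_text).iter("port"):
        state, svc = port.find("state"), port.find("service")
        if state is None or svc is None or state.get("state") != "open":
            continue
        product = svc.get("product")
        if not product:
            continue  # no version-detection match, nothing to inventory
        counts[(normalize_product(product), svc.get("version", ""))] += 1
    return counts

if __name__ == "__main__":
    for (product, version), n in sorted(inventory(SAMPLE_XML).items()):
        print(f"{n:3d}  {product} {version}".rstrip())
```

Keeping the raw product string in the database next to the normalized one lets the alias table be corrected later without rescanning.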