Nmap Development mailing list archives

Coherence of Version Detection


From: Marc Ruef <marc.ruef () computec ch>
Date: Fri, 30 Apr 2010 09:43:42 +0200

Hello,

We did a large-scale scan recently (hundreds of internal hosts). To moderate and report the results, we use a self-written parsing-script to import all xml data into a database (it is more an expert system). [1]

During the moderation process we identified that version detection of nmap is determining IIS web servers differently. The identifier strings are (nmap 5.21 used):

* Microsoft IIS httpd
* Microsoft IIS httpd 6.0
* Microsoft IIS httpd 7.5
* Microsoft IIS webserver 6.0
* Microsoft IIS webserver 7.5

It looks like the same version is reported with different names: Once as "httpd x.y" and once as "webserver x.y".

I was crawling through nmap-service-probes to identify the affected entries. Is there a reason why there is a different naming? If not, wouldn't it be a good idea to normalize the naming convention as far as possible?

Otherwise, we would have to do this ourselves to provide the possibility of software inventory reports. In this case we would maintain nmap-service-probes ourselves or change the data during parsing.

Regards,

Marc

[1] The basic idea is summarized at http://www.scip.ch/?labs.20090814 (focussing on Qualys Scan; German only).

--
Marc Ruef | marc.ruef () computec ch | http://www.computec.ch/mruef/
_________________________________________________________________
My latest publication: "Der Cyberstalker" http://www.computec.ch/news.php?item.326
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
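
Added example, not part of the original message or of Nmap: one way to do the "change the data during parsing" option the message mentions, folding the "webserver" variant into "httpd" while reading Nmap XML output. The alias table, the function names and the sample scan data are assumptions constructed for illustration; the sample assumes the variant names arrive in the `product` attribute with the version in a separate `version` attribute.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in Nmap's -oX layout; product strings are those from the message.
SAMPLE_XML = """<nmaprun>
<host><address addr="192.0.2.10" addrtype="ipv4"/><ports><port protocol="tcp" portid="80">
  <state state="open"/><service name="http" product="Microsoft IIS httpd" version="6.0"/>
</port></ports></host>
<host><address addr="192.0.2.11" addrtype="ipv4"/><ports><port protocol="tcp" portid="80">
  <state state="open"/><service name="http" product="Microsoft IIS webserver" version="6.0"/>
</port></ports></host>
<host><address addr="192.0.2.12" addrtype="ipv4"/><ports><port protocol="tcp" portid="443">
  <state state="open"/><service name="http" product="Microsoft IIS webserver" version="7.5"/>
</port></ports></host>
<host><address addr="192.0.2.13" addrtype="ipv4"/><ports><port protocol="tcp" portid="80">
  <state state="open"/><service name="http" product="Microsoft IIS httpd"/>
</port></ports></host>
</nmaprun>"""

# Assumed alias table: lower-cased variant product string -> canonical product name.
PRODUCT_ALIASES = {"microsoft iis webserver": "Microsoft IIS httpd"}

def normalize_product(product):
    """Collapse whitespace, then map known variants to one canonical name."""
    cleaned = " ".join(product.split())
    return PRODUCT_ALIASES.get(cleaned.lower(), cleaned)

def inventory(xml_text):
    """Return {(product, version): [host addresses]} for open ports with a product."""
    result = defaultdict(list)
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"
        for port in host.iter("port"):
            state, svc = port.find("state"), port.find("service")
            if svc is None or not svc.get("product"):
                continue  # no version-detection result for this port
            if state is not None and state.get("state") != "open":
                continue
            # A missing version stays visible as its own bucket instead of being guessed.
            key = (normalize_product(svc.get("product")), svc.get("version") or "unknown")
            result[key].append(addr)
    return dict(result)

if __name__ == "__main__":
    for (product, version), hosts in sorted(inventory(SAMPLE_XML).items()):
        print(f"{len(hosts):3d}  {product} {version}  {', '.join(hosts)}")
```

Normalizing at import time leaves nmap-service-probes untouched, so the alias table is the only thing to maintain across Nmap upgrades.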

