Nmap Development mailing list archives
Re: Service Detection False Positive in Promise Array RAID match line
From: David Fifield <david () bamsoftware com>
Date: Thu, 13 May 2010 17:34:45 -0600
On Thu, May 13, 2010 at 06:17:02PM -0500, Tom Sellers wrote:
I am sending this email to the list to serve as an FYI as well as a reference for me later. I am about to remove the following matchline from the nmap-service-probes file: match raid-mgt m|^\x15\x03\x01\0\x02\x02\n$| p/Promise Array Manager RAID management/ The line was generating numerous false positive on TLS protected services. This is a result of matching the TLS crypto negation error response of 15 03 01 00 02 02 0a for error code "Unexpected Message". TLS protected services were returning this series of bytes due to nmap sending various probes to the port trying to identify the service which triggered the TLS code to issue the error message. Apparently the output was submitted as a matchline for the Promise Array Manager software, which is what we ask people to do. ;) The ultimate result, for me, was a database full of ports flagged as Array Management software that should have been one of several other SSL/TLS protected services. I expect to make the change in the next hour or so.
Looks good, but please leave the byte sequence in as a comment to keep it from being re-added in the future. David Fifield _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Service Detection False Positive in Promise Array RAID match line Tom Sellers (May 13)
- Re: Service Detection False Positive in Promise Array RAID match line David Fifield (May 13)