Re: Service Detection False Positive in Promise Array RAID match line

[David Fifield <david () bamsoftware com>]

On Thu, May 13, 2010 at 06:17:02PM -0500, Tom Sellers wrote:
> I am sending this email to the list to serve as an FYI as well as a reference
> for me later.   I am about to remove the following matchline from the
> nmap-service-probes file:
>
>
> match raid-mgt m|^\x15\x03\x01\0\x02\x02\n$| p/Promise Array Manager RAID management/
>
>
> The line was generating numerous false positive on TLS protected services.
> This is a result of matching the TLS crypto negation error response of
> 15 03 01 00 02 02 0a for error code "Unexpected Message".
>
> TLS protected services were returning this series of bytes due to nmap sending
> various probes to the port trying to identify the service which triggered the
> TLS code to issue the error message.  Apparently the output was submitted as
> a matchline for the Promise Array Manager software, which is what we ask
> people to do. ;)
>
> The ultimate result, for me, was a database full of ports flagged as Array
> Management software that should have been one of several other SSL/TLS protected
> services.
>
> I expect to make the change in the next hour or so.

Looks good, but please leave the byte sequence in as a comment to keep
it from being re-added in the future.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/