Nmap Development mailing list archives

Re: nmap OS detection providing different results


From: David Fifield <david () bamsoftware com>
Date: Sat, 2 Apr 2011 08:23:47 -0700

On Sat, Apr 02, 2011 at 09:33:45AM -0400, Ryan Giobbi wrote:
> Hello,
> 
> When running against non-Windows hosts (AIX), I've noticed that nmap's
> OS detection (nmap -O) doesn't provide the same results all of the
> time. About 1/5 scans nmap fails to find the remote hosts when run
> repeatedly.
> 
> Is this expected? Would pasting the OS signature that returns when the
> current ones fail into nmap-os-db and submitting to nmap.org be a
> reasonable workaround?

Yes, please submit the fingerprint you get, it's the only way for the
database to improve. It's not a workaround, it's the way the process is
supposed to work.

I can explain why this happens sometimes. Some of the fingerprint fields
are ranges. When a new fingerprint is added, we start the ranges pretty
narrow, so as to avoid overlapping with other fingerprints. A common
case is the SEQ.SP test. We might start a fingerprint like this:

SEQ(SP=B7-C1%...)

If the range is too narrow, the remote host might be within it most of
the time, but sometimes produce a value like B5. When you submit the
non-matching fingerprint, it causes us to expand the range, like

SEQ(SP=B3-C1%...)

You can see, though, that we don't know in advance if the range has to
grow upwards or downwards, or at all. We rely on user submissions to
refine the database.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
