Nmap Development mailing list archives

Re: salt in version probes


From: Toni Ruottu <toni.ruottu () iki fi>
Date: Tue, 3 May 2011 17:38:54 +0300

> I tried these probes with the example scan you gave. All the servers
> answered to one of the probes except stun.fwd.org and
> stun01.sipphone.com. Do you get the same?

Those seem to be unreachable. You can try with regular stun by commanding
stun stun01.sipphone.com
On Ubuntu I can install it with...
apt-get install stun

> These probes are probably fine, but I don't want to add them without any
> matchlines. It's kind of a minimum barrier to entry to try a new probe
> against a known server and add a match for it. (And ideally, try it
> against two different servers, and get distinguishable responses.) I
> notice that some of the stun-br responses contain the string
> "Vovida\.org\x200\.96\", which looks like a nice server name and version
> number for http://www.voip-info.org/wiki/view/Vovida.org+STUN+server. So
> if you can test that, we'll add the probe.

I think it is impossible to do a regexp that would match the fields
accurately because they have length prefixes, and the regexp would
need to take into account that the fields might be in different
orders, and skip fields. On the other hand we may just have the regexp
look for the string "Vovida.org", but in theory this string might exist in
some field with the wrong type. I suppose we are okay with that?
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
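The trade-off Toni describes, shown with a small added Python example (not code from this thread or from Nmap): a parser that walks the length-prefixed STUN attributes in whatever order they arrive and reads the version only from the SERVER attribute, next to the flat regexp a match line would apply, which also fires on a lookalike string in an attribute of the wrong type. Attribute type 0x8022 is the STUN SERVER attribute; the decoy type 0x8099, the transaction ID and the response bytes are constructed for the demo, and 4-byte attribute alignment is assumed.

```python
import re
import struct

STUN_HEADER_LEN = 20          # classic STUN: type(2) length(2) transaction id(16)
BINDING_RESPONSE = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_SERVER = 0x8022          # SERVER attribute, where Vovida puts "Vovida.org 0.96"
ATTR_DECOY = 0x8099           # constructed attribute type used only for this demo

def build_attr(attr_type, value):
    # TLV: 16-bit type, 16-bit length, value padded to a 4-byte boundary (assumed)
    return struct.pack("!HH", attr_type, len(value)) + value + b"\x00" * ((-len(value)) % 4)

def build_message(msg_type, txid, attrs):
    body = b"".join(build_attr(t, v) for t, v in attrs)
    return struct.pack("!HH", msg_type, len(body)) + txid + body

def parse_attrs(msg):
    """Walk the length-prefixed attributes after the header; field order does not matter."""
    msg_type, body_len = struct.unpack("!HH", msg[:4])
    body = msg[STUN_HEADER_LEN:STUN_HEADER_LEN + body_len]
    if len(body) != body_len:
        raise ValueError("truncated STUN body")
    attrs, pos = [], 0
    while pos + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + attr_len]
        if len(value) != attr_len:
            raise ValueError("truncated attribute")
        attrs.append((attr_type, value))
        pos += 4 + attr_len + ((-attr_len) % 4)   # skip the alignment padding
    return msg_type, attrs

VERSION_RE = rb"Vovida\.org\x20([\d.]+)"   # the string the match line would look for

def version_from_server_attr(msg):
    """Trust only the SERVER attribute, so the same text in another field is ignored."""
    _, attrs = parse_attrs(msg)
    for attr_type, value in attrs:
        if attr_type == ATTR_SERVER:
            m = re.match(VERSION_RE, value)
            return m.group(1).decode() if m else None
    return None

def version_by_regex(msg):
    """What a flat match line sees: the first hit anywhere in the datagram."""
    m = re.search(VERSION_RE, msg)
    return m.group(1).decode() if m else None

TXID = bytes(range(16))   # constructed transaction id
SAMPLE = build_message(BINDING_RESPONSE, TXID, [   # constructed Binding Response
    (ATTR_MAPPED_ADDRESS, struct.pack("!xBH4B", 1, 3478, 192, 0, 2, 10)),
    (ATTR_DECOY, b"Vovida.org 9.99"),   # lookalike text in a field of the wrong type
    (ATTR_SERVER, b"Vovida.org 0.96"),  # the real banner
])
```

On the constructed response the attribute walk yields 0.96 while the flat regexp reports 9.99, which is exactly the false match the thread is willing to accept for simplicity.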