Nmap Development mailing list archives

Re: nse unusual-port ident bug


From: Fyodor <fyodor () insecure org>
Date: Tue, 29 Nov 2011 18:44:31 -0800

On Sat, Nov 26, 2011 at 07:07:11PM +0100, Patrik Karlsson wrote:

> In this case, the entry in nmap-services says "auth" while the
> service/version scan recognizes the port as "ident".  While, to the
> best of my knowledge, this is essentially the same service, there's a
> discrepancy between the entries in the file nmap-services and
> nmap-service-probes.

Regardless of the solution chosen for the unusual-port script, I think
discrepancies like this should be fixed.  We should pick ident or auth
and stick with it.

Now there may be some cases where version detection may legitimately
detect a more specific version of the general service listed in
nmap-services.  And there are issues with how we handle tunneled
services (e.g. https vs ssl/http) which we may have to eventually
resolve in a different way.  But in general, I think we should strive
to remove discrepancies like the auth/ident issue.

For now, I'll change the 'auth' entry to 'ident' in
nmap-service-probes.  But if folks are able to find other conflicts
and submit patches, that would be great IMHO.

Also, the script will probably need its own whitelist by virtue of the
fact that nmap-services only gives one service per port number, yet
many port numbers have numerous legitimate services listening on them.
And there are services which can legitimately be found on any port
number (e.g. Vuze).

Cheers,
Fyodor
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
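
Added example, not part of the original message and not Nmap project code: one way to look for other conflicts of the auth/ident kind is to list service names used on match/softmatch lines in nmap-service-probes that never appear as a name in nmap-services. The sample data below is constructed, and comparing a tunneled name such as ssl/http by its inner service is a simplifying assumption.

```python
import re

# Constructed excerpts in the two file formats (not the real Nmap data files).
SAMPLE_SERVICES = """\
# name  port/proto  frequency (values constructed)
ftp     21/tcp  0.197667
auth    113/tcp 0.012370  # ident, tap, Authentication Service
http    80/tcp  0.484143
https   443/tcp 0.208669
"""
SAMPLE_PROBES = """\
Probe TCP NULL q||
match ftp m|^220 .*FTP| p/Example ftpd/
softmatch ftp m|^220 |
Probe TCP GetRequest q|GET / HTTP/1.0\\r\\n\\r\\n|
ports 80,113
sslports 443
match http m|^HTTP/1\\.[01] | p/Example httpd/
match ident m|^\\d+ ?, ?\\d+ ?: ?ERROR| p/Example identd/
match ssl/http m|^HTTP/1\\.1 400| p/Example TLS frontend/
"""
MATCH_RE = re.compile(r"^(?:soft)?match\s+(\S+)\s")

def service_table_names(text):
    """Names from nmap-services lines: name port/proto [freq] [# comment]."""
    names = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and "/" in fields[1]:
            names.add(fields[0])
    return names

def probe_match_names(text):
    """Map each service name on a match/softmatch line to its line numbers."""
    found = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        m = MATCH_RE.match(line)
        if m:
            found.setdefault(m.group(1), []).append(lineno)
    return found

def find_conflicts(services_text, probes_text):
    """Names version detection can report that the port table never uses."""
    known = service_table_names(services_text)
    conflicts = {}
    for name, lines in probe_match_names(probes_text).items():
        # Assumption: a tunneled name (ssl/http) is judged by its inner service.
        inner = name.split("/", 1)[1] if "/" in name else name
        if inner not in known:
            conflicts[name] = lines
    return conflicts

if __name__ == "__main__":
    print(find_conflicts(SAMPLE_SERVICES, SAMPLE_PROBES))
```

A name reported here is only a candidate for review: it may be a real naming conflict, or a legitimately more specific service that the port table does not list.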