Re: NMAP Patch to change OS/390 to z/OS in banner scan

[David Fifield <david () bamsoftware com>]

On Sun, Sep 23, 2012 at 09:00:04PM -0700, Main Framed wrote:
> This is my first NMAP patch so I apologize if I'm not following protocol.
> I'm following the instructions from https://svn.nmap.org/nmap/HACKING. It's
> a very minor change to nmap-service-probes to replace "OS/390" with "z/OS".
>  As you can read here (http://en.wikipedia.org/wiki/OS/390) OS/390 ended
> support in 2004 and replaced the OS with z/OS.

Hello, thank you for making this patch. You did it the right way, don't
worry.

We usually don't like to just change the OS on fingerprints like this.
One reason is that, if a fingerprint matches OS/390, it will continue to
match any OS/390 machines that are still running. Another reason is
that we don't know that the fingerprint for the z/OS version of telnet,
say, has the same fingerprint. If we change the OS on the old
signatures, we lose the potential ability to distinguish the two
different versions of the OS.

The best way to make changes like this is to do an actual scan of a z/OS
machine, and then submit a fingerprint or correction to
http://nmap.org/submit. If it turns out that the fingerprint is the
same, then we would write "OS/390 or z/OS" instead of choosing one of
them.

One thing you can do to help out is add CPE entries for our OS/390 and
z/OS fingerprints. What this means is looking at
http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.2.xml
and finding the best match for the OS, and then adding a cpe: template
to the match line, like this existing one:
        cpe:|o:ibm:z/os|
If you do this, make sure you have the absolute latest version of the
fingerprints file from SVN, or else it is more difficult to merge the
patch.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/