Re: OS detection

[Fyodor <fyodor () insecure org>]

On Thu, Dec 19, 2002 at 09:39:39PM +0100, R Anderson wrote:
> Has anybody tried putting Ofir Arkin's xprobe OS-detection into nmap? 
> Would there be any technical or political problems? Wouldn't it be worth 
> the effort?

I have quietly added a number of new tests in the last year, although
most of them involve new ways of interpreting the probe responses Nmap
already receives.  I would like to add new tests, but want to do so
all at once when I have time to put out a request for comments and
have some discussions about the pros and cons of each test.  I have a
lot of ideas, but I also hope other users and developers will be able
to suggest novel tests.  I certainly wouldn't restrict the new tests to
just those from Xprobe, but wouldn't exclude them either.

This is on my list projects I hope to do in '03.

> - If possible and applicable, merge the databases to some extent.

Why?  The latest Nmap DB has 699 fingerprints.  The latest Xprobe
(2.01rc1) contains 18.  Xprobe is certainly an interesting proof of
concept, and I am always glad to see other work in this area.  But I
wonder how many people here actually use Xprobe on a regular basis?
If so, I would love to hear about the value it presents to you over
Nmap.

> - The database matching should be compatible with older entries
> (without xprobe tests) - As time goes by, more complete entries will
> fill the database

Indeed.  Fortunately, this and other "upgrade-path" behavior already
exists in Nmap.  I just haven't had time to decide on new tests to
add.  Besides -- the current ones seem to be working rather well and
having too many tests can cause its own problems.  Instead of adding a
bunch of nifty new wiz-bang tests, I have been working to improve and
expand the results DB.

Cheers,
Fyodor

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).