Re: More Service Detection Notes (Skype)

[Brandon Enright <bmenrigh () ucsd edu>]

On Wed, 2006-07-26 at 00:25 -0700, doug () hcsw org wrote:
...snip...
> What do you think about an addition to the nmap-service-probes
> format that requires multiple match lines having to be triggered
> in order to report a result? Specifically, do you (or anyone else) see
> anything wrong with the following:
>
> ...
> Probe TCP GenericLines q|\r\n\r\n|
> ...
> match &skype2 m|(.*[^\0-\x04\s!-~]){10}|s p/Skype v2/
> ...
> Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n|
> ...
> match &skype2 m|^HTTP/1\.0 404 Not Found\r\n\r\n$| p/Skype v2/
> ...
>
>
> where the '&'s preceding the service names mean that all such match lines
> need to match in order to trigger a match?
>
> Doug

Syntactically this is a very simple and elegant way to describe more
than one pattern must match.  The only thing I dislike about it is that
the constituent matching patterns could potentially be separated from
each other by many lines.

Everything that comes to my mind right now is overly complicated. Unless
there's a better idea, &servicename sounds to me like the way to go.

Brandon



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev