Nmap Development mailing list archives
Re: Trend Micro OfficeScan service fingerprint
From: Tom Sellers <nmap () fadedcode net>
Date: Sun, 30 Dec 2007 07:38:49 -0600
Doug,
I will check out a copy of the SVN file and test the probe in my environment on Monday.

doug () hcsw org wrote:
> Thanks a lot for creating a probe! As you probably saw from the OfficeScan comment, I've noticed problems with this service too:
>
> # This is here for NULL probe cheat since several probes unpredictably trigger it -Doug
>
> I just checked in the following probe to SVN:
>
> Probe TCP OfficeScan q|GET /?CAVIT HTTP/1.1\r\n\r\n|
> rarity 9
> ports 12345

OfficeScan 6.x and 7.x listen on port 12345 so the probe should detect them. OfficeScan 8.x uses a random port on the client. What are the benefits of limiting the fingerprint to port 12345?

> match http m|^HTTP/1.0 \d\d\d .*\r\nServer: OfficeScan Client| p/Trend Micro OfficeScan Antivirus http config/

The match line is more flexible than the one I submitted and should work fine.

> Does this work for you? I deleted the match line in the GetRequest probe but left it in the NULL probe in case we get it on a fallback.

Thanks much,
Tom

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
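
How the `rarity 9` / `ports 12345` pair and the match line quoted in this message interact, as an added Python example (not part of the original thread and not Nmap's own code). It models only Nmap's documented rule that a probe is sent when its rarity is within the version intensity (default 7) or the target port is listed in its `ports` directive; the banners and port 49152 are constructed, and fallback to the NULL probe is not modelled.

```python
import re

# Probe and match lines as quoted in the thread (nmap-service-probes syntax).
PROBE_TEXT = r"""Probe TCP OfficeScan q|GET /?CAVIT HTTP/1.1\r\n\r\n|
rarity 9
ports 12345
match http m|^HTTP/1.0 \d\d\d .*\r\nServer: OfficeScan Client| p/Trend Micro OfficeScan Antivirus http config/
"""

def parse_probe(text):
    """Parse the Probe / rarity / ports / match directives used above."""
    probe = {"ports": set(), "matches": []}
    for line in text.splitlines():
        if line.startswith("Probe "):
            _, proto, name, rest = line.split(" ", 3)
            probe.update(proto=proto, name=name, payload=rest[2:rest.rindex("|")])
        elif line.startswith("rarity "):
            probe["rarity"] = int(line.split()[1])
        elif line.startswith("ports "):
            for part in line.split()[1].split(","):
                lo, _, hi = part.partition("-")
                probe["ports"].update(range(int(lo), int(hi or lo) + 1))
        elif line.startswith("match "):
            service, pattern, info = re.match(r"match (\S+) m\|(.*?)\| ?(.*)", line).groups()
            product = re.search(r"p/(.*?)/", info).group(1)
            # No 's' flag on the match line, so '.' must not cross '\n' (no re.DOTALL).
            probe["matches"].append((service, re.compile(pattern.encode()), product))
    return probe

def probe_is_sent(probe, port, intensity=7):
    """Simplified model: sent if rarity <= intensity, or the port is in 'ports'."""
    return probe["rarity"] <= intensity or port in probe["ports"]

def identify(probe, port, banner, intensity=7):
    """Return (service, product) if the probe is sent and a match line fires."""
    if not probe_is_sent(probe, port, intensity):
        return None
    for service, regex, product in probe["matches"]:
        if regex.search(banner):
            return service, product
    return None

# Constructed responses (not captured from a real OfficeScan client).
BANNER = b"HTTP/1.0 200 OK\r\nServer: OfficeScan Client\r\nContent-Length: 0\r\n\r\n"
BANNER_DATE_FIRST = b"HTTP/1.0 200 OK\r\nDate: Sun, 30 Dec 2007 13:38:49 GMT\r\nServer: OfficeScan Client\r\n\r\n"
RANDOM_PORT = 49152  # constructed stand-in for an OfficeScan 8.x client port

if __name__ == "__main__":
    p = parse_probe(PROBE_TEXT)
    for port, level in [(12345, 7), (RANDOM_PORT, 7), (RANDOM_PORT, 9)]:
        print(port, level, identify(p, port, BANNER, level))
    print("Server not first header:", identify(p, 12345, BANNER_DATE_FIRST))
```

Under this model the client on a non-listed port is only identified by this probe at intensity 9, and the match line only fires when `Server:` is the first header after the status line.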