Nmap Development mailing list archives

Re: Incorrect Telnet Detection


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Sun, 6 Apr 2008 00:23:22 +0000


On Sat, 5 Apr 2008 17:14:43 -0700 or thereabouts Fyodor
<fyodor () insecure org> wrote:

On Wed, Mar 19, 2008 at 06:51:18PM +0000, Brandon Enright wrote:

Hey Lionel,

We get this quite a bit too but I've never bothered to really
investigate.  A quick grep through my logs shows 25 machines
throwing Nessus false positives (not limited to telnet services) on
the last scan through campus.

I'm working on service fingerprints all day today so I'll add this
to my todo list of things to check into.

Great!  I'll hold off on applying Lionel's patch since you are working
on this.  Let us know what comes of it.

Cheers,
-F

I investigated this and applied a patch as part of a large patch
commit.  The problem was that there wasn't a ^ anchor on the match
lines.  I checked through a bunch of source code and I think the reason
why it wasn't there is that there are a few Nessus perl modules that
don't use the anchor.  I checked protocol documents and determined that
^ could be added.  I've tested this some and so far, it doesn't break
the Nessus match but does eliminate all of my false positives.

Brandon


Here is the patch that was committed:

@@ -6099,27 +6142,35 @@
 # the NTP as 1.0.  So we give the highest rarity to these first two
 # probes so they will usually only be used for port 1241.  But the
 # third is left with a lower rarity to catch Nessus running on
- -# non-default ports.
+# non-default ports. 
+#
+# These probes have a high likelihood of triggering false positives because
+# any service that echos your command back can match.  The docs on the
+# the protocol make me think a ^ anchor can be added to the response so
+# this should cut down on the the false positives. (Brandon)
+#
+# See ntp_white_paper_11.txt for more information on the Nessus protocol
+#
 ##############################NEXT PROBE##############################
 Probe TCP NessusTPv12 q|< NTP/1.2 >\n|
 rarity 9
 ports 1241
 sslports 1241
- -match nessus m|< NTP/1.2 >\n| p/Nessus Daemon/ i/NTP v1.2/
+match nessus m|^< NTP/1.2 >\n| p/Nessus Daemon/ i/NTP v1.2/
 
 ##############################NEXT PROBE##############################
 Probe TCP NessusTPv11 q|< NTP/1.1 >\n|
 rarity 9
 ports 1241
 sslports 1241
- -match nessus m|< NTP/1.1 >\n| p/Nessus Daemon/ i/NTP v1.1/
+match nessus m|^< NTP/1.1 >\n| p/Nessus Daemon/ i/NTP v1.1/
 
 ##############################NEXT PROBE##############################
 Probe TCP NessusTPv10 q|< NTP/1.0 >\n|
- -rarity 6
+rarity 8
 ports 1241
 sslports 1241
- -match nessus m|< NTP/1.0 >\n| p/Nessus Daemon/ i/NTP v1.0/
+match nessus m|^< NTP/1.0 >\n| p/Nessus Daemon/ i/NTP v1.0/
 
 
 ##############################NEXT PROBE##############################
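Review bot: the rarity change for NessusTPv10 from 6 to 8 is not explained anywhere, while the comment kept just above ("the third is left with a lower rarity to catch Nessus running on non-default ports") still describes the old intent; add a sentence there saying why 8 is now the right trade-off between catching non-default ports and avoiding the false positives this patch targets. The new comment block also has two doubled words ("The docs on the / the protocol" and "the the false positives") and a trailing space after "non-default ports.". One caveat worth stating in the comment: the `^` anchor only rejects responses that start with something other than the echoed probe (telnet option negotiation before an echo, for instance); a service that echoes the probe from the first byte still returns exactly `< NTP/1.2 >\n` and still matches, so the anchor narrows rather than removes the exposure. Finally, the `- -` prefixes on the removed lines are PGP dash-escaping from the signed mail, not part of the patch; the hunk will not apply until they are unescaped back to a single `-`.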

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
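As an added example (not code from this thread or from Nmap itself), the following Python script parses the old and new `match` lines from the patch with a hypothetical `parse_match` helper and runs them against constructed responses: a genuine Nessus banner, a telnet server that negotiates options and then echoes the probe (the false positive discussed above), and a bare echo service, which the anchor cannot tell apart from Nessus.

```python
import re

# The two match directives from the patch on this page: unanchored (old) and
# ^-anchored (new).  Raw strings keep the literal \n that the probes file uses.
OLD_MATCH = r"match nessus m|< NTP/1.2 >\n| p/Nessus Daemon/ i/NTP v1.2/"
NEW_MATCH = r"match nessus m|^< NTP/1.2 >\n| p/Nessus Daemon/ i/NTP v1.2/"

# match <service> m<delim><pattern><delim><flags> <version info...>
MATCH_RE = re.compile(r"^match\s+(\S+)\s+m(.)(.*?)\2(\w*)\s*(.*)$")


def parse_match(line):
    """Hypothetical helper: split a nmap-service-probes 'match' line into
    (service, compiled regex, version-info string)."""
    m = MATCH_RE.match(line)
    if not m:
        raise ValueError("not a match line: %r" % line)
    service, _delim, pattern, flags, info = m.groups()
    re_flags = 0
    if "i" in flags:
        re_flags |= re.IGNORECASE
    if "s" in flags:
        re_flags |= re.DOTALL
    # Responses are raw bytes, so compile the pattern as bytes; the regex
    # engine turns the literal \n in the file into a newline match itself.
    return service, re.compile(pattern.encode("latin-1"), re_flags), info


def matches(match_line, response):
    """True if the match line fires on the response.  Like Nmap, the pattern
    is searched anywhere in the response unless it carries a ^ anchor."""
    _service, regex, _info = parse_match(match_line)
    return regex.search(response) is not None


# Constructed sample responses to the NessusTPv12 probe (not captured traffic).
NESSUS_RESPONSE = b"< NTP/1.2 >\n"
# Typical telnetd opening: IAC DO for TERMINAL-TYPE, TSPEED, XDISPLOC and
# NEW-ENVIRON, followed by the server echoing the line we sent.
TELNET_ECHO_RESPONSE = (b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23\xff\xfd\x27"
                        b"< NTP/1.2 >\n")
# A bare echo service returns the probe byte-for-byte, so it looks like Nessus.
ECHO_SERVICE_RESPONSE = b"< NTP/1.2 >\n"


def false_positive_report():
    """Return which responses each match line accepts, old vs new."""
    samples = {"nessus": NESSUS_RESPONSE, "telnet": TELNET_ECHO_RESPONSE,
               "echo": ECHO_SERVICE_RESPONSE}
    return {name: (matches(OLD_MATCH, r), matches(NEW_MATCH, r))
            for name, r in samples.items()}
```

The report shows the old pattern accepting all three responses, while the anchored pattern rejects the telnet echo but still accepts the echo service.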