Nmap Development mailing list archives
Re: Incorrect Telnet Detection
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Sun, 6 Apr 2008 00:23:22 +0000
On Sat, 5 Apr 2008 17:14:43 -0700 or thereabouts Fyodor <fyodor () insecure org> wrote:
> On Wed, Mar 19, 2008 at 06:51:18PM +0000, Brandon Enright wrote:
> > Hey Lionel,
> >
> > We get this quite a bit too but I've never bothered to really investigate. A quick grep through my logs shows 25 machines throwing Nessus false positives (not limited to telnet services) on the last scan through campus. I'm working on service fingerprints all day today so I'll add this to my todo list of things to check into.
>
> Great! I'll hold off on applying Lionel's patch since you are working on this. Let us know what comes of it.
>
> Cheers,
> -F
I investigated this and applied a patch as part of a large patch commit. The problem was that there wasn't a ^ anchor on the match lines. I checked through a bunch of source code and I think the reason why it wasn't there is that there are a few Nessus Perl modules that don't use the anchor. I checked protocol documents and determined that ^ could be added. I've tested this some and so far it doesn't break the Nessus match but does eliminate all of my false positives.

Brandon

Here is the patch that was committed:
@@ -6099,27 +6142,35 @@ # the NTP as 1.0. So we give the highest rarity to these first two # probes so they will usually only be used for port 1241. But the # third is left with a lower rarity to catch Nessus running on - -# non-default ports. +# non-default ports. +# +# These probes have a high likelihood of triggering false positives because +# any service that echos your command back can match. The docs on the +# the protocol make me think a ^ anchor can be added to the response so +# this should cut down on the the false positives. (Brandon) +# +# See ntp_white_paper_11.txt for more information on the Nessus protocol +# ##############################NEXT PROBE############################## Probe TCP NessusTPv12 q|< NTP/1.2 >\n| rarity 9 ports 1241 sslports 1241 - -match nessus m|< NTP/1.2 >\n| p/Nessus Daemon/ i/NTP v1.2/ +match nessus m|^< NTP/1.2 >\n| p/Nessus Daemon/ i/NTP v1.2/ ##############################NEXT PROBE############################## Probe TCP NessusTPv11 q|< NTP/1.1 >\n| rarity 9 ports 1241 sslports 1241 - -match nessus m|< NTP/1.1 >\n| p/Nessus Daemon/ i/NTP v1.1/ +match nessus m|^< NTP/1.1 >\n| p/Nessus Daemon/ i/NTP v1.1/ ##############################NEXT PROBE############################## Probe TCP NessusTPv10 q|< NTP/1.0 >\n| - -rarity 6 +rarity 8 ports 1241 sslports 1241 - -match nessus m|< NTP/1.0 >\n| p/Nessus Daemon/ i/NTP v1.0/ +match nessus m|^< NTP/1.0 >\n| p/Nessus Daemon/ i/NTP v1.0/ ##############################NEXT PROBE##############################
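Review bot: the NessusTPv10 part of this hunk raises "rarity 6" to "rarity 8", but neither the message nor the new comment says why, and the unchanged comment just above still says the third probe "is left with a lower rarity to catch Nessus running on non-default ports"; either keep rarity 6 or reword that comment to explain why 8 is now acceptable. The new comment also promises more than the anchor delivers: "^" rejects only responses where something (a banner, telnet option negotiation) precedes the echoed probe, so a service that echoes the input verbatim with nothing in front of it still matches "m|^< NTP/1.2 >\n|"; the comment should say the anchor narrows, rather than removes, the echo false-positive class. Minor wording in the comment: "echos" should be "echoes", and "the the" is doubled in both "The docs on the the protocol" and "cut down on the the false positives". Readers should also note that the "- -" prefixes on the removed lines are PGP dash-escaping from the signed message, not part of the diff itself.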
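To show concretely why the anchor matters, here is an added Python example (not code from this message or from Nmap itself) that applies the three match lines from the patch, in their pre-patch and post-patch forms, to constructed sample responses: a Nessus handshake, a telnet server that sends option negotiation and then echoes the probe, and a pure echo service. It mimics nmap's unanchored regex search over the raw response with a minimal parser for the match-line syntax; the echo case shows that ^ only helps when something precedes the echoed probe.

```python
import re

# The three nmap-service-probes "match" lines from the patch above, in their
# unanchored (pre-patch) and anchored (post-patch) forms.
UNANCHORED = [
    r"match nessus m|< NTP/1.2 >\n| p/Nessus Daemon/ i/NTP v1.2/",
    r"match nessus m|< NTP/1.1 >\n| p/Nessus Daemon/ i/NTP v1.1/",
    r"match nessus m|< NTP/1.0 >\n| p/Nessus Daemon/ i/NTP v1.0/",
]
ANCHORED = [line.replace("m|<", "m|^<") for line in UNANCHORED]

# match <service> m<delim>regex<delim>[flags] p/product/ i/info/ ...
MATCH_LINE = re.compile(r"^match\s+(\S+)\s+m(.)(.*?)\2([a-z]*)\s*(.*)$")
FIELD = re.compile(r"([pivhod])/([^/]*)/")

def parse_match(line):
    """Parse one match line into (service, compiled bytes regex, fields)."""
    m = MATCH_LINE.match(line)
    if not m:
        raise ValueError("not a match line: %r" % line)
    service, _, pattern, flags, rest = m.groups()
    # nmap patterns are PCRE; the escapes used here (\n) mean the same in Python.
    regex = re.compile(pattern.encode("latin-1"),
                       re.IGNORECASE if "i" in flags else 0)
    return service, regex, dict(FIELD.findall(rest))

def identify(response, match_lines):
    """Apply match lines the way nmap does: an unanchored regex *search* over
    the raw response, first hit wins. Returns (service, product, info) or None."""
    for line in match_lines:
        service, regex, fields = parse_match(line)
        if regex.search(response):
            return service, fields.get("p"), fields.get("i")
    return None

PROBE = b"< NTP/1.2 >\n"          # what the NessusTPv12 probe sends
# Constructed sample responses (not captured from real hosts):
NESSUS = PROBE                     # a real Nessus daemon answers with the handshake line
TELNET = b"\xff\xfd\x18\xff\xfb\x01" + PROBE  # telnet option negotiation, then the echoed probe
ECHO = PROBE                       # a service that echoes input verbatim, nothing in front

if __name__ == "__main__":
    for name, resp in (("nessus", NESSUS), ("telnet", TELNET), ("echo", ECHO)):
        print(name, "unanchored:", identify(resp, UNANCHORED),
              "anchored:", identify(resp, ANCHORED))
```

The telnet sample stops matching once the anchor is in place, while the pure echo sample matches both before and after, which is the residual false-positive case the anchor cannot address.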
Current thread:
- Re: Incorrect Telnet Detection Fyodor (Apr 05)
- Re: Incorrect Telnet Detection Brandon Enright (Apr 05)