Nmap Development mailing list archives

Re: Regarding "Windows XP identd" in nmap-service-probes (r2839)


From: Fyodor <fyodor () insecure org>
Date: Fri, 30 Jan 2009 19:55:58 -0800

On Fri, Jan 30, 2009 at 08:03:50PM -0600, Kris Katterjohn wrote:

> Hmm.. many services have an official EOL of CRLF (which is why Ncat's -C comes
> in handy), so reading that keeping \r\n to specify Windows makes me a little
> uncomfortable.  I just glanced over RFC 1413 and it in fact says that the EOL
> is CRLF (I searched for both "CR" and "LF" and didn't see any mention of an
> exception).

That is a good point, and I agree that it might match non-Windows
services too.  But the way version detection (and OS detection) is
supposed to work is that we start with a rather strict match (both in
the signature itself and in the specific naming).  Then we broaden the
signature when we get new submissions for the same service/OS which
don't quite match it.  That part works well.  But we're also supposed
to broaden the name/description based on correction reports.  The
problem is that we don't get many corrections :(.  And I haven't
figured out how to fix that (social) problem.  Nmap already prints a
line asking people to report any errors.  But if Nmap reports Windows
identd, and the target is actually Linux, most people just ignore it
rather than submitting a report at http://nmap.org/submit/ :(.

If we figure out how to increase the number of correction reports,
we'll also solve the Windows identd issue :).

Cheers,
-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

