Nmap Development mailing list archives
Re: Possible new device categories for service detection
From: Fyodor <fyodor () insecure org>
Date: Tue, 17 Feb 2009 10:33:48 -0800
On Mon, Feb 09, 2009 at 01:14:49AM +0100, A. Ramos wrote:
> Hello All,
>
> What would really help, IMHO, is a document describing how we classify
> each device type. That document could note that we use a broad
> definition of webcam.
>
> Again, what about: http://marc.info/?l=nmap-dev&m=122847958805930&w=2
Hi Alejandro. Interesting find. I took a look at CPE (http://cpe.mitre.org/), and I'm not sure if it can help us. One thing they do have is a huge, relatively comprehensive dictionary of operating systems, devices, and applications:

http://nvd.nist.gov/cpe.cfm

They don't have everything we detect, however. For example, they don't have nessusd. Nor do they have Nmap. But they have open source server applications such as Apache, and they have a way to submit new items. The dictionary is filled with entries like:

    <cpe-item name="cpe:/h:linksys:wrt54gl:4.30.9">
      <title xml:lang="en-US">Linksys WRT54GL 4.30.9</title>
      <meta:item-metadata modification-date="2008-01-11T10:18:57.663-05:00" status="DRAFT" nvd-id="73199" />
    </cpe-item>

and

    <cpe-item name="cpe:/a:apache:http_server:2.0.42">
      <title xml:lang="en-US">Apache Software Foundation Apache HTTP Server 2.0.42</title>
      <meta:item-metadata modification-date="2008-04-01T10:08:41.343-04:00" status="DRAFT" nvd-id="14080" />
    </cpe-item>

and

    <cpe-item deprecated="true" deprecation_date="2008-04-15T12:35:00.000-04:00" name="cpe:/o:microsoft:windows-nt:vista::x64-ultimate">
      <title xml:lang="en-US">Microsoft Windows Vista x64 ultimate</title>
      <meta:item-metadata modification-date="2008-10-09T15:04:26.707-04:00" status="FINAL" nvd-id="74550" />
    </cpe-item>

One thing it does not seem to have (that I've found) is a device categorization scheme. So it doesn't say, for example, that the WRT54GL is a WAP/Broadband router. The CPE name field contains the following fields: platform part, vendor, product name, version, update level, edition, and language.

We also get a human readable form (title). Nmap's OS detection system has the equivalent of title and vendor. We also have OS name, OS family, and device type.

Did you have an idea on what we should do with this? I'm not sure that it would be worthwhile to try and canonicalize on the CPE system. It would certainly be hard, and we would still need to add the device type entry. Plus, using it for the version detection DB would be an even greater technical challenge than OS detection (depending on how we used it). We could add nvd-id numbers or CPE names to entries in addition to what we have now, but that would be a huge amount of work to augment the current DBs, and also more work going forward. So we'd need to see significant benefits. Do you have examples of other software which uses this?

I can definitely see the DB being useful during OS detection and version detection when we're deciding on a canonical description for an OS or application. Sometimes it is hard to decide on things like a vendor name (where they've changed) or other aspects. Looking at this dictionary might help in finding a good resolution. Also, I sometimes am not sure if an OS version even exists when I receive certain submissions. This dictionary contains a reasonably comprehensive list of versions for each OS, and even of different firmware and model numbers for various embedded devices such as WAPs and broadband routers, printers, etc.

So I'm open to ideas for how people think we should use this and any benefits it can bring to Nmap OS and version detection. It is clearly a valuable resource.

Cheers,
-F
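Added example, not part of the original message and not Nmap code: a small Python parser that splits the CPE names from the three dictionary entries quoted above into the seven fields the message lists, keeping empty fields (as in the Vista entry) and the deprecated flag. The function names, the wrapping `cpe-list` root element and the `meta` namespace URI are assumptions made for this sketch; the part letters h/o/a mean hardware, operating system and application.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the three entries quoted in the message, wrapped in a
# root element. The root name and the "meta" namespace URI are placeholders.
SAMPLE = """<cpe-list xmlns:meta="urn:example:cpe-meta">
<cpe-item name="cpe:/h:linksys:wrt54gl:4.30.9">
  <title xml:lang="en-US">Linksys WRT54GL 4.30.9</title>
  <meta:item-metadata status="DRAFT" nvd-id="73199" />
</cpe-item>
<cpe-item name="cpe:/a:apache:http_server:2.0.42">
  <title xml:lang="en-US">Apache Software Foundation Apache HTTP Server 2.0.42</title>
  <meta:item-metadata status="DRAFT" nvd-id="14080" />
</cpe-item>
<cpe-item deprecated="true" name="cpe:/o:microsoft:windows-nt:vista::x64-ultimate">
  <title xml:lang="en-US">Microsoft Windows Vista x64 ultimate</title>
  <meta:item-metadata status="FINAL" nvd-id="74550" />
</cpe-item>
</cpe-list>"""

# Field order as listed in the message.
FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")
PARTS = {"h": "hardware", "o": "operating system", "a": "application"}

def parse_cpe_name(name):
    """Split a 'cpe:/...' name into the seven fields; absent ones become ''."""
    if not name.startswith("cpe:/"):
        raise ValueError("not a CPE name: %r" % name)
    comps = name[len("cpe:/"):].split(":")
    if len(comps) > len(FIELDS) or comps[0] not in PARTS:
        raise ValueError("malformed CPE name: %r" % name)
    comps += [""] * (len(FIELDS) - len(comps))  # trailing fields may be omitted
    return dict(zip(FIELDS, comps))

def load_dictionary(xml_text):
    """Return one record per cpe-item: parsed name, title, deprecated flag."""
    records = []
    for item in ET.fromstring(xml_text).iter("cpe-item"):
        rec = parse_cpe_name(item.get("name"))
        rec["title"] = item.findtext("title", default="")
        rec["deprecated"] = item.get("deprecated") == "true"
        records.append(rec)
    return records

if __name__ == "__main__":
    for rec in load_dictionary(SAMPLE):
        print(PARTS[rec["part"]], rec["vendor"], rec["product"], rec["version"])
```

The only categorization the name carries is the part letter, so the WRT54GL record comes out as "hardware" with no device type attached.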