Nmap Development mailing list archives

Re: Possible new device categories for service detection
From: Fyodor <fyodor () insecure org>
Date: Tue, 17 Feb 2009 10:33:48 -0800

On Mon, Feb 09, 2009 at 01:14:49AM +0100, A. Ramos wrote:
> Hello All,
>
> What would really help, IMHO, is a document describing how we classify
> each device type.  That document could note that we use a broad
> definition of webcam.
>
> Again, what about: http://marc.info/?l=nmap-dev&m=122847958805930&w=2

Hi Alejandro.  Interesting find.  I took a look at CPE
(http://cpe.mitre.org/), and I'm not sure if it can help us.  One
thing they do have is a huge, relatively comprehensive dictionary of
operating systems, devices, and applications:

http://nvd.nist.gov/cpe.cfm

They don't have everything we detect, however.  For example, they
don't have nessusd.  Nor do they have Nmap.  But they have open source
server applications such as Apache, and they have a way to submit new
items.  The dictionary is filled with entries like:

    <cpe-item name="cpe:/h:linksys:wrt54gl:4.30.9">
        <title xml:lang="en-US">Linksys WRT54GL 4.30.9</title>
        <meta:item-metadata modification-date="2008-01-11T10:18:57.663-05:00" status="DRAFT" nvd-id="73199" />
    </cpe-item>

and

    <cpe-item name="cpe:/a:apache:http_server:2.0.42">
        <title xml:lang="en-US">Apache Software Foundation Apache HTTP Server 2.0.42</title>
        <meta:item-metadata modification-date="2008-04-01T10:08:41.343-04:00" status="DRAFT" nvd-id="14080" />
    </cpe-item>

and

    <cpe-item deprecated="true" deprecation_date="2008-04-15T12:35:00.000-04:00" 
name="cpe:/o:microsoft:windows-nt:vista::x64-ultimate">
        <title xml:lang="en-US">Microsoft Windows Vista x64 ultimate</title>
        <meta:item-metadata modification-date="2008-10-09T15:04:26.707-04:00" status="FINAL" nvd-id="74550" />
    </cpe-item>

One thing it does not seem to have (that I've found) is a device
categorization scheme.  So it doesn't say, for example, that the
WRT54GL is a WAP/Broadband router.

The CPE name field contains the following fields:

platform part, vendor, product name, version, update level, edition, and language

We also get a human readable form (title).

Nmap's OS detection system has the equivalent of title and vendor.  We
also have OS name, OS family, and device type.

Did you have an idea on what we should do with this?  I'm not sure
that it would be worthwhile to try and canonicalize on the CPE system.
It would certainly be hard, and we would still need to add the device
type entry.  Plus, using it for the version detection DB would be an
even greater technical challenge than OS detection (depending on how
we used it).  We could add nvd-id numbers or CPE names to entries in
addition to what we have now, but that would be a huge amount of work
to augment the current DBs, and also more work going forward.  So we'd
need to see significant benefits.  Do you have examples of other
software which uses this?

I can definitely see the DB being useful during OS detection and
version detection when we're deciding on a canonical description for
an OS or application.  Sometimes it is hard to decide on things like a
vendor name (where they've changed) or other aspects.  Looking at this
dictionary might help in finding a good resolution.  Also, I sometimes
am not sure if an OS version even exists when I receive certain
submissions.  This dictionary contains a reasonably comprehensive list
of versions for each OS, and even of different firmware and model
numbers for various embedded devices such as WAPs and broadband
routers, printers, etc.

So I'm open to ideas for how people think we should use this and any
benefits it can bring to Nmap OS and version detection.  It is clearly
a valuable resource.

Cheers,
-F
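The seven-field CPE name layout described in the message, worked through on the three dictionary entries quoted above. This is an added example written for this archive page; it is not Nmap code and not from MITRE's CPE project. It assumes the CPE 2.2 URI binding (the `cpe:/` prefix, colon-separated components, percent-encoding for reserved characters) and adds a simple "unset components match anything" comparison, which is how such a dictionary is typically consulted by vulnerability databases; that matching rule goes beyond what the message itself discusses.

```python
"""Parse CPE 2.2 URI names ("cpe:/<part>:<vendor>:<product>:...") into the
seven fields the message lists, rebuild them, and compare them.

Example code added to this archive page; not Nmap code, not MITRE code.
"""

from dataclasses import asdict, dataclass
from typing import Optional
from urllib.parse import quote, unquote

# Field order as given in the message: platform part, vendor, product name,
# version, update level, edition, language.
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")

# Meaning of the platform part, as used in the three sample names.
PART_NAMES = {"h": "hardware", "o": "operating system", "a": "application"}


@dataclass
class CpeName:
    part: str
    vendor: Optional[str] = None
    product: Optional[str] = None
    version: Optional[str] = None
    update: Optional[str] = None
    edition: Optional[str] = None
    language: Optional[str] = None

    def as_dict(self) -> dict:
        return asdict(self)

    def to_uri(self) -> str:
        """Rebuild the cpe:/ string, dropping trailing fields that were never given."""
        vals = [getattr(self, f) for f in CPE_FIELDS]
        while vals and vals[-1] is None:
            vals.pop()
        # Percent-encode anything that is not unreserved (":" in a value would
        # otherwise be read as a field separator).
        return "cpe:/" + ":".join(quote(v, safe="") for v in vals)


def parse_cpe(name: str) -> CpeName:
    """Split a CPE 2.2 URI into its fields.

    Trailing fields that are not present become None; a field that is present
    but empty (the "::" in the Vista name) becomes "".  CPE treats both as
    "not specified"; they are kept apart here only so to_uri() can reproduce
    the input exactly.
    """
    prefix = "cpe:/"
    if not name.startswith(prefix):
        raise ValueError(f"not a CPE 2.2 URI: {name!r}")
    raw = name[len(prefix):].split(":")
    if len(raw) > len(CPE_FIELDS):
        raise ValueError(f"more than {len(CPE_FIELDS)} components: {name!r}")
    if raw[0] not in PART_NAMES:
        raise ValueError(f"unknown platform part {raw[0]!r} in {name!r}")
    values = [unquote(v) for v in raw] + [None] * (len(CPE_FIELDS) - len(raw))
    return CpeName(**dict(zip(CPE_FIELDS, values)))


def matches(pattern: str, name: str) -> bool:
    """CPE 2.2-style name matching (assumption: the usual dictionary lookup
    rule, not something from the message): every component the pattern
    specifies must equal the same component of the name; components the
    pattern leaves unset (empty or absent) match anything.  So a bare
    product name matches every version of that product, but not the reverse.
    """
    p, n = parse_cpe(pattern), parse_cpe(name)
    for field in CPE_FIELDS:
        want, have = getattr(p, field), getattr(n, field)
        if want in (None, ""):
            continue
        if want != have:
            return False
    return True


# The three dictionary entries quoted in the message above.
SAMPLE_NAMES = (
    "cpe:/h:linksys:wrt54gl:4.30.9",
    "cpe:/a:apache:http_server:2.0.42",
    "cpe:/o:microsoft:windows-nt:vista::x64-ultimate",
)

if __name__ == "__main__":
    for s in SAMPLE_NAMES:
        c = parse_cpe(s)
        assert c.to_uri() == s, "round trip failed"
        print(PART_NAMES[c.part], c.as_dict())
    print(matches("cpe:/a:apache:http_server", SAMPLE_NAMES[1]))
```

Note that nothing in the parsed fields says what the WRT54GL is for; the "h" part only distinguishes hardware from OS and application, which is exactly the device-type gap the message points out.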

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org