Nmap Development mailing list archives

Re: [nmap-svn] r12911 - nmap


From: Fyodor <fyodor () insecure org>
Date: Thu, 9 Apr 2009 01:23:34 -0700

On Tue, Apr 07, 2009 at 02:51:36PM -0700, commit-mailer () insecure org wrote:
Author: bmenrigh
Date: Tue Apr  7 14:51:36 2009
New Revision: 12911


Thanks Brandon!  I have a few questions/comments about some of these
changes.

-match http m|^HTTP/1\.1 \d\d\d .*\r\n\r\n.*var l1=\"([^"]+)\"\n.*document\.write\(\"D-Link DI-\"\+l1\)|s p/D-Link 
DI-$1 router http config/ d/router/
+match http m|^HTTP/1\.1 \d\d\d .*var l1=\"([^"]+)\"\n.*document\.write\(\"D-Link DI-\"\+l1\)|s p/D-Link DI-$1 router 
http config/ d/router/
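
Review bot: the removed `\r\n\r\n` was the only token tying `var l1=` to the response body, and since the line carries /s the surrounding `.*` already crosses line ends, so the header/body boundary is now unenforced. The `document\.write\(\"D-Link DI-\"\+l1\)` literal that remains is specific enough that a header-side false positive is not realistic, but a short comment in the probe file saying the boundary was dropped on purpose would stop a later editor from putting `\r\n\r\n` back.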

Here the point of the "\r\n\r\n" was to make sure the variable
declaration happened in the HTTP body rather than the headers.  But in
this case the match is unique enough that there should be no problem.
We're not going to see that stuff in the header anyway.

-match gnutella m|^HTTP/1\.1 \d\d\d .*\r\n.*Server: BearShare ([\d.]+)\r\n|s p/BearShare Gnutella P2P client/ v/$1/ 
o/Windows/
-match gnutella m|^HTTP/1\.1 \d\d\d .*\r\n.*Server: BearShare ([\d.]+) \(([^)]+)\)\r\n|s p/BearShare Gnutella P2P 
client/ v/$1/ i/$2/ o/Windows/
+match gnutella m|^HTTP/1\.1 \d\d\d .*Server: BearShare ([\d.]+)\r\n|s p/BearShare Gnutella P2P client/ v/$1/ 
o/Windows/
+match gnutella m|^HTTP/1\.1 \d\d\d .*Server: BearShare ([\d.]+) \(([^)]+)\)\r\n|s p/BearShare Gnutella P2P client/ 
v/$1/ i/$2/ o/Windows/
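
Review bot: in both BearShare lines the removed `\r\n.*` sat between two /s-scoped `.*` runs, so it added backtracking but no constraint: `Server: BearShare` was already allowed anywhere after the status line, including mid-line in the body. To anchor the header without reintroducing a second `.*`, put the CRLF directly in front of the token, `.*\r\nServer: BearShare ([\d.]+)\r\n`, which requires `Server:` to start a line. The ordering of the two lines still works after the change: the first needs `\r\n` immediately after the version, so it cannot swallow the parenthesised variant matched by the second.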

These seem reasonable.  They would match something like "Server:
BearShare 2\r\n" even if it appeared in the middle of a line in the
HTTP body rather than headers, but that was true of the match lines
before your change as well.

-match http m|^HTTP/1\.[01] \d\d\d .*\r\nDate: .*\r\n\r\n.*<META NAME=\"GENERATOR\" CONTENT=\"WebLogic Server\">\n|s 
p/WebLogic httpd/
+match http m|^HTTP/1\.[01] \d\d\d .*\r\nDate: .*<META NAME=\"GENERATOR\" CONTENT=\"WebLogic Server\">\n|s p/WebLogic 
httpd/
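
Review bot: `\r\nDate: ` still anchors that header to a line start, so the only thing lost is the blank-line boundary; with /s the `.*` after `Date: ` now spans the remaining headers and the body alike, and the `<META NAME=\"GENERATOR\" CONTENT=\"WebLogic Server\">` token would be accepted in either. For a token of this shape that is harmless, and the single `.*` gives PCRE far less to backtrack over than `.*\r\n\r\n.*` did.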

Here again we lose the distinguishing between the header and body, but
I think that is easily worth it to avoid the PCRE MATCHLIMIT problem.

-match http m|^HTTP/1\.0 \d\d\d .*\r\n.*: Quick 'n Easy Web Server\r\n| p/Quick 'n Easy Web Server httpd/ o/Windows/
+match http m|^HTTP/1\.0 \d\d\d .*: Quick 'n Easy Web Server\r\n|s p/Quick 'n Easy Web Server httpd/ o/Windows/
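
Review bot: this line changes semantics rather than only trimming `\r\n.*`: the original had no /s, so each `.*` stopped at the first line end and the banner had to sit on line 2 of the response, whereas the new line adds /s and lets its single `.*` run to the end of the response and back, which widens the match into the HTTP body and gives PCRE more to backtrack over on a non-matching response, not less. If the edit is only for uniformity with the /s lines, the line-2 constraint is cheaper and safer as it was; suggest leaving this one unchanged.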

I don't understand the reasoning between ones like this which didn't
have the s-modifier in the first place.  Previously, it enforced that
the Quick 'n Easy line occurred on the 2nd line of the HTTP response.
But with the change, it could even occur in the HTTP body.  Do you
really get the PCRE MATCHLIMIT error in this sort of case where the .*
cannot match \r\n in the first place?  I guess I don't understand how
this particular signature change is an improvement, though I'm not any
sort of PCRE expert.  I've not checked how many other cases there are
like this where the \r\n elimination changes are done on a signature
without /s.

Cheers,
-F
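An added example, not from the thread or from nmap, that reproduces the Quick 'n Easy question above using Python's re module, whose `.` and DOTALL (nmap's /s) behave like PCRE's for these patterns. The three responses are constructed, and the third signature is a hypothetical variant that keeps the line-2 constraint independently of the /s flag.

```python
import re

# Constructed sample responses (not taken from the thread or from nmap).
# Banner on the second header line, which the old signature required:
LINE2_HEADER = (
    "HTTP/1.0 200 OK\r\n"
    "Server: Quick 'n Easy Web Server\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html></html>"
)
# Same banner, but on a later header line:
LATER_HEADER = (
    "HTTP/1.0 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Server: Quick 'n Easy Web Server\r\n\r\n"
    "<html></html>"
)
# Banner text only inside the HTTP body (a page echoing it):
BODY_ONLY = (
    "HTTP/1.0 200 OK\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<p>Powered by: Quick 'n Easy Web Server\r\n</p>"
)

# Old signature: no /s, so '.' stops at "\r\n" and the second '.*' can only
# walk along line 2.  The banner therefore has to be on the 2nd line.
OLD_SIG = re.compile(r"^HTTP/1\.0 \d\d\d .*\r\n.*: Quick 'n Easy Web Server\r\n")

# r12911 version: a single '.*' plus /s (re.DOTALL in Python), so '.' crosses
# line ends and the banner may sit anywhere, in the headers or in the body.
NEW_SIG = re.compile(r"^HTTP/1\.0 \d\d\d .*: Quick 'n Easy Web Server\r\n", re.DOTALL)

# Hypothetical variant: the line-2 constraint spelled out with [^\r\n]* so it
# holds even when the /s flag is on.
STRICT_SIG = re.compile(
    r"^HTTP/1\.0 \d\d\d [^\r\n]*\r\n[^\r\n]*: Quick 'n Easy Web Server\r\n", re.DOTALL
)


def compare(response):
    """Return which of the three signatures match a response (anchored at offset 0)."""
    return {
        "old": OLD_SIG.match(response) is not None,
        "new": NEW_SIG.match(response) is not None,
        "strict": STRICT_SIG.match(response) is not None,
    }


if __name__ == "__main__":
    for name, resp in [("line2", LINE2_HEADER), ("later", LATER_HEADER), ("body", BODY_ONLY)]:
        print(name, compare(resp))
```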

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org