Nmap Development mailing list archives
Re: [nmap-svn] r12911 - nmap
From: Fyodor <fyodor () insecure org>
Date: Thu, 9 Apr 2009 01:23:34 -0700
On Tue, Apr 07, 2009 at 02:51:36PM -0700, commit-mailer () insecure org wrote:
Author: bmenrigh
Date: Tue Apr  7 14:51:36 2009
New Revision: 12911
Thanks Brandon! I have a few questions/comments about some of these changes.
-match http m|^HTTP/1\.1 \d\d\d .*\r\n\r\n.*var l1=\"([^"]+)\"\n.*document\.write\(\"D-Link DI-\"\+l1\)|s p/D-Link DI-$1 router http config/ d/router/ +match http m|^HTTP/1\.1 \d\d\d .*var l1=\"([^"]+)\"\n.*document\.write\(\"D-Link DI-\"\+l1\)|s p/D-Link DI-$1 router http config/ d/router/
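Review bot: the `+` line drops the only thing that kept the JavaScript match in the body, and it still carries two unbounded `.*` under `/s` (`\d\d\d .*var l1=` and `\"\n.*document\.write`), so the backtracking shape goes from three passes to two rather than away. If the body anchor is worth keeping, an atomic group over the header scan, `^HTTP/1\.1 \d\d\d (?>.*?\r\n\r\n).*var l1=`, commits to the first blank line: PCRE will not re-enter `(?>...)` to try a later `\r\n\r\n` when the body part fails, so the header part costs a single forward pass.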
Here the point of the "\r\n\r\n" was to make sure the variable declaration happened in the HTTP body rather than the headers. But in this case the match is unique enough that there should be no problem. We're not going to see that stuff in the header anyway.
-match gnutella m|^HTTP/1\.1 \d\d\d .*\r\n.*Server: BearShare ([\d.]+)\r\n|s p/BearShare Gnutella P2P client/ v/$1/ o/Windows/ -match gnutella m|^HTTP/1\.1 \d\d\d .*\r\n.*Server: BearShare ([\d.]+) \(([^)]+)\)\r\n|s p/BearShare Gnutella P2P client/ v/$1/ i/$2/ o/Windows/ +match gnutella m|^HTTP/1\.1 \d\d\d .*Server: BearShare ([\d.]+)\r\n|s p/BearShare Gnutella P2P client/ v/$1/ o/Windows/ +match gnutella m|^HTTP/1\.1 \d\d\d .*Server: BearShare ([\d.]+) \(([^)]+)\)\r\n|s p/BearShare Gnutella P2P client/ v/$1/ i/$2/ o/Windows/
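Review bot: the expensive shape in the `-` lines was the pair of `.*` (`\d\d\d .*\r\n.*Server:`), where the second `.*` is re-run once for every CRLF the first can stop at, not the `\r\n` itself; one `.*` followed by the literal `\r\nServer: BearShare` is a single backtracking sweep and keeps `Server:` anchored at a line start, which the `+` lines give up (they now accept `Server: BearShare 2\r\n` anywhere in the body). Suggest `^HTTP/1\.1 \d\d\d .*\r\nServer: BearShare ([\d.]+)\r\n|s` and the same prefix for the `\(([^)]+)\)` variant. Ordering of the two lines is fine: the first requires `\r\n` right after the version and the second requires ` (`, so they cannot both match one banner.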
These seem reasonable. They would match something like "Server: BearShare 2\r\n" even if it appeared in the middle of a line in the HTTP body rather than headers, but that was true of the match lines before your change as well.
-match http m|^HTTP/1\.[01] \d\d\d .*\r\nDate: .*\r\n\r\n.*<META NAME=\"GENERATOR\" CONTENT=\"WebLogic Server\">\n|s p/WebLogic httpd/ +match http m|^HTTP/1\.[01] \d\d\d .*\r\nDate: .*<META NAME=\"GENERATOR\" CONTENT=\"WebLogic Server\">\n|s p/WebLogic httpd/
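Review bot: the `+` line now accepts the GENERATOR tag anywhere after `Date: `, headers included, and still has two unbounded `.*` under `/s` (`\d\d\d .*\r\nDate: ` and `Date: .*<META`); since `\r\nDate: ` normally occurs once per response, the second `.*` is re-run at only that one place, so the saving here is small next to the BearShare hunk. If the body anchor matters, `Date: [^\r\n]*\r\n(?>.*?\r\n\r\n).*<META NAME=\"GENERATOR\" CONTENT=\"WebLogic Server\">\n` keeps the tag in the body with the header part costing one pass; if it does not, the `\r\nDate: .*` segment adds nothing the status line does not already give and could go entirely, leaving a single `.*`.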
Here again we lose the distinguishing between the header and body, but I think that is easily worth it to avoid the PCRE MATCHLIMIT problem.
-match http m|^HTTP/1\.0 \d\d\d .*\r\n.*: Quick 'n Easy Web Server\r\n| p/Quick 'n Easy Web Server httpd/ o/Windows/ +match http m|^HTTP/1\.0 \d\d\d .*: Quick 'n Easy Web Server\r\n|s p/Quick 'n Easy Web Server httpd/ o/Windows/
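Review bot: the `+` line adds the `s` modifier that the `-` line did not have, so this hunk does more than remove `\r\n`: without `/s` neither `.*` could cross a newline, the old pattern was confined to the first two lines and it is hard to see it reaching MATCHLIMIT, whereas with `/s` the single `.*` now ranges over the whole response, body included. If the intent is only to stop requiring the header on the second line, a non-`/s` form that walks header lines and stops at the blank line does that without a body match, e.g. `^HTTP/1\.0 \d\d\d [^\r\n]*\r\n(?:[^\r\n]+\r\n)*[^\r\n]*: Quick 'n Easy Web Server\r\n`; the `[^\r\n]+` keeps the loop from stepping over the empty line into the body.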
I don't understand the reasoning behind ones like this which didn't have the s-modifier in the first place. Previously, it enforced that the Quick 'n Easy line occurred on the 2nd line of the HTTP response. But with the change, it could even occur in the HTTP body. Do you really get the PCRE MATCHLIMIT error in this sort of case where the .* cannot match \r\n in the first place? I guess I don't understand how this particular signature change is an improvement, though I'm not any sort of PCRE expert. I've not checked how many other cases there are like this where the \r\n elimination changes are done on a signature without /s.

Cheers,
-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
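Fyodor's questions above turn on two things: whether dropping the `\r\n` lets a signature match in the HTTP body, and which patterns actually have the backtracking shape that burns PCRE match steps. The script below is an added example for this thread, not Nmap code: it parses the `-`/`+` match lines quoted above using the nmap-service-probes `m|...|flags` syntax, runs them against constructed HTTP responses (marked as constructed in the code; none are real captures) and counts unescaped `.*`/`.+` per pattern as a rough lint for the `/s`-plus-several-dot-stars shape. Using Python's `re` in place of PCRE is an assumption: both are backtracking engines with the same meaning of `/s` and of an unescaped dot (anything but LF), so the header/body behaviour carries over, but PCRE's exact MATCHLIMIT step counts do not.

```python
"""Replay the r12911 signature changes quoted above against constructed
HTTP responses and lint each pattern for the shape that burns PCRE
match steps.

Added example for this thread; it is not Nmap code. Nmap applies these
patterns with PCRE, while this script uses Python's re (assumption: both
backtrack, both treat /s as "dot matches LF too"); the header/body
behaviour carries over, PCRE's MATCHLIMIT step counts do not.
"""
import re

# Match lines copied from the quoted hunks ('-' line = old, '+' line = new).
MATCH_LINES = {
    "dlink_old": r'match http m|^HTTP/1\.1 \d\d\d .*\r\n\r\n.*var l1=\"([^"]+)\"\n.*document\.write\(\"D-Link DI-\"\+l1\)|s p/D-Link DI-$1 router http config/ d/router/',
    "dlink_new": r'match http m|^HTTP/1\.1 \d\d\d .*var l1=\"([^"]+)\"\n.*document\.write\(\"D-Link DI-\"\+l1\)|s p/D-Link DI-$1 router http config/ d/router/',
    "qne_old": r"match http m|^HTTP/1\.0 \d\d\d .*\r\n.*: Quick 'n Easy Web Server\r\n| p/Quick 'n Easy Web Server httpd/ o/Windows/",
    "qne_new": r"match http m|^HTTP/1\.0 \d\d\d .*: Quick 'n Easy Web Server\r\n|s p/Quick 'n Easy Web Server httpd/ o/Windows/",
}

# Constructed responses, not real captures. The "header" D-Link case puts
# the JavaScript into a (deliberately odd) header value before the blank line.
RESPONSES = {
    "dlink_body": ("HTTP/1.1 200 OK\r\nServer: httpd\r\n\r\n"
                   '<script>var l1="624"\ndocument.write("D-Link DI-"+l1)</script>'),
    "dlink_header": ('HTTP/1.1 200 OK\r\nX-Odd: var l1="624"\n'
                     'document.write("D-Link DI-"+l1)\r\n\r\n<html></html>'),
    "qne_line2": "HTTP/1.0 200 OK\r\nServer: Quick 'n Easy Web Server\r\n\r\n",
    "qne_line3": ("HTTP/1.0 200 OK\r\nDate: Thu, 09 Apr 2009 08:00:00 GMT\r\n"
                  "Server: Quick 'n Easy Web Server\r\n\r\n"),
    "qne_body": "HTTP/1.0 200 OK\r\n\r\nPowered by: Quick 'n Easy Web Server\r\n",
}

# nmap-service-probes syntax: match <service> m<delim><pattern><delim><flags> ...
MATCH_LINE_RE = re.compile(r"^match\s+(\S+)\s+m(.)(.*?)\2([is]*)\s")


def parse_match_line(line):
    """Return (service, pattern, flags) from a match line."""
    m = MATCH_LINE_RE.match(line)
    if m is None:
        raise ValueError("not a match line: %r" % line)
    service, _delim, pattern, flags = m.groups()
    return service, pattern, flags


def compile_pattern(pattern, flags):
    """Map nmap's i/s modifiers onto re flags (nmap's s is PCRE_DOTALL)."""
    re_flags = 0
    if "i" in flags:
        re_flags |= re.IGNORECASE
    if "s" in flags:
        re_flags |= re.DOTALL
    return re.compile(pattern, re_flags)


def signature_matches(sig_name, resp_name):
    """True if the named signature matches the named constructed response.
    match() rather than search(): the pattern is anchored at the start of
    the captured banner, which is why every signature begins with ^."""
    _service, pattern, flags = parse_match_line(MATCH_LINES[sig_name])
    return compile_pattern(pattern, flags).match(RESPONSES[resp_name]) is not None


def unbounded_dotstars(pattern):
    """Count .* and .+ whose dot is not escaped. Heuristic: an escaped
    backslash right before the dot, or a dot inside [...], is not handled."""
    return len(re.findall(r"(?<!\\)\.[*+]", pattern))


def lint(sig_name):
    """Classify the backtracking shape of a signature:
      'line-bounded' no /s, so every .* stops at the next LF;
      'single-pass'  /s with one .*: one backtracking sweep per response;
      'multi-pass'   /s with two or more .*: the later .* is re-run once
                     for every place the text between them can match
                     (every CRLF for .*\\r\\n.*), which is what drives the
                     PCRE step count up on large responses."""
    _service, pattern, flags = parse_match_line(MATCH_LINES[sig_name])
    n = unbounded_dotstars(pattern)
    if "s" not in flags:
        return "line-bounded", n
    return ("multi-pass" if n >= 2 else "single-pass"), n


if __name__ == "__main__":
    for sig in MATCH_LINES:
        print("%-9s %s" % (sig, lint(sig)))
    for sig, resp in [("dlink_old", "dlink_body"), ("dlink_new", "dlink_body"),
                      ("dlink_old", "dlink_header"), ("dlink_new", "dlink_header"),
                      ("qne_old", "qne_line2"), ("qne_new", "qne_line2"),
                      ("qne_old", "qne_line3"), ("qne_new", "qne_line3"),
                      ("qne_old", "qne_body"), ("qne_new", "qne_body")]:
        print("%-9s vs %-12s %s" % (sig, resp, signature_matches(sig, resp)))
```

Run stand-alone, it prints the lint verdict per signature and a matrix in which the old D-Link and Quick 'n Easy lines refuse the header, third-line and body placements that the new lines accept. The lint is only a count, but it makes two things from the hunks visible at a glance: the new D-Link line still has two `.*` under `/s`, and the Quick 'n Easy line went from no `s` modifier (line-bounded) to `s` in this revision, which is the case Fyodor asks about. To sweep a whole nmap-service-probes file, feed every line that starts with `match`/`softmatch` through `parse_match_line` and `unbounded_dotstars` instead of the four constants here.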
Current thread:
- Re: [nmap-svn] r12911 - nmap Fyodor (Apr 09)
- Re: [nmap-svn] r12911 - nmap Brandon Enright (Apr 09)