Nmap Development mailing list archives

Re: [PATCH] Match line update for Famatech Radmin remote control


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Wed, 10 Jun 2009 16:42:42 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 10 Jun 2009 06:36:58 -0500 or thereabouts Tom Sellers
<nmap () fadedcode net> wrote:

> Brandon Enright wrote:
> > Hey Tom, this patch looks really good but before I check it in, I
> > have a question about the softmatch.
> >
> > Is "m|^\x01\x00\x00\x00\x25|" broken?  Your change to
> > "m|^\x01\x00\x00\x00.{3}\x02\x12\x08\x02|" is a lot more specific.
> > Is there a case where the original would match but your change
> > won't?


> Thanks for catching the mistake Brandon!
>
> How embarrassing to attempt to fix a match line only to botch it.
> The original softmatch line would fail on Radmin 3.x, the new one
> would not, had it been correct.

Don't worry about it, all of us who work on nmap-service-probes make
a lot of them. Something about trying to construct fast, generic regular
expressions from limited data seems to encourage mistakes ;-)


> A better softmatch would be:
>
> softmatch radmin m|^\x01\x00\x00\x00.{5}\x08.\x00| p/Famatech Radmin/ o/Windows/

I started counting bytes and trying to decide if this was a good
match.  It seems to work, but it would need to be ".{4}", not 5.


> If you think that the line is too generic I can alter it to include
> options for the two values I have seen at position 8 (x01 and x02), 9
> (x10 and x12) and 11 (x01 and x02).  My concern is that a new minor
> release would come out and change those fields, breaking the
> softmatch.

I wouldn't say it's too generic, it just doesn't capture the structure
of what is changing very well.  I'd propose changing it to:

softmatch radmin m|^\x01\x00\x00\x00\x25.\x00..\x08.\x00..| p/Famatech Radmin/ o/Windows/

Also, I noticed your new match lines use ASCII where possible even
though the old matches do things like \x79 instead of 'y'.  I converted
your match lines over to escaped bytes because I think it makes the
field numbers a lot more obvious between different matches.

Attached is a new patch with my proposed changes.  If you think it will
work well I'll go ahead and check it in.

Regards,

Brandon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)

iEYEARECAAYFAkov4pMACgkQqaGPzAsl94LHSACgiR3DK/8155VPvpTKZBljGUO2
hmkAn3wIPfiz+3eie1fWMWbjH8nlew+C
=9zcR
-----END PGP SIGNATURE-----

Attachment: radmin.diff
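The byte counting Brandon does by hand above (which offset each `\xNN` lands on once the `.` and `.{n}` wildcards are accounted for, and whether a revised softmatch can still match everything the old one matched) is easy to get wrong, as the thread shows. The script below is an added example, not code from the thread or from the Nmap project: it parses the small regex subset these softmatch lines use, reports the offsets each candidate pins, and checks whether one candidate narrows or contradicts another. The pattern names and the two sample responses are constructed for illustration (they follow the field layout the thread describes, with the value pairs Tom lists for his positions 8, 9 and 11, i.e. offsets 7, 8 and 10) and are not captures from a real Radmin service.

```python
import re

# Softmatch candidates from the thread: the regex between the m| and |
# delimiters of each nmap-service-probes line.  Python bytes regexes read
# \xNN, '.' and .{n} the same way nmap does for these patterns ('.' does not
# match 0x0a in either unless the s flag / re.DOTALL is used).
PATTERNS = {
    "original":   rb"^\x01\x00\x00\x00\x25",
    "tom_first":  rb"^\x01\x00\x00\x00.{3}\x02\x12\x08\x02",
    "tom_second": rb"^\x01\x00\x00\x00.{5}\x08.\x00",
    "brandon":    rb"^\x01\x00\x00\x00\x25.\x00..\x08.\x00..",
}

# Constructed sample responses (not real Radmin captures): one with the
# x02/x12/x02 values and one with the x01/x10/x01 values at offsets 7, 8, 10.
SAMPLE_A = bytes([0x01, 0x00, 0x00, 0x00, 0x25, 0x00, 0x00,
                  0x02, 0x12, 0x08, 0x02, 0x00, 0x00, 0x00])
SAMPLE_B = bytes([0x01, 0x00, 0x00, 0x00, 0x25, 0x00, 0x00,
                  0x01, 0x10, 0x08, 0x01, 0x00, 0x00, 0x00])


def parse(pattern: bytes) -> tuple:
    """Return ({offset: required byte}, minimum response length) for a pattern.

    Supports only the subset used in the thread: a leading '^', \\xNN escapes,
    literal alphanumeric bytes ('y' instead of \\x79), '.' and '.{n}'.
    Anything else raises so a richer regex is never silently mis-counted.
    """
    pinned = {}
    offset = 0
    i = 1 if pattern.startswith(b"^") else 0
    while i < len(pattern):
        c = pattern[i:i + 1]
        if c == b"\\":
            if pattern[i + 1:i + 2] != b"x":
                raise ValueError("only \\xNN escapes are supported")
            pinned[offset] = int(pattern[i + 2:i + 4], 16)
            i += 4
            offset += 1
        elif c == b".":
            i += 1
            if pattern[i:i + 1] == b"{":          # '.{n}' skips n bytes
                close = pattern.index(b"}", i)
                offset += int(pattern[i + 1:close])
                i = close + 1
            else:                                 # a single '.' skips one
                offset += 1
        elif c.isalnum():                         # literal ASCII byte
            pinned[offset] = c[0]
            i += 1
            offset += 1
        else:
            raise ValueError(f"unsupported regex construct at {i}: {c!r}")
    return pinned, offset


def subsumes(narrow: bytes, wide: bytes) -> bool:
    """True if every response matching 'narrow' also matches 'wide', i.e.
    'narrow' only adds constraints and never loosens or moves a fixed byte."""
    n_pins, n_len = parse(narrow)
    w_pins, w_len = parse(wide)
    return n_len >= w_len and all(n_pins.get(o) == v for o, v in w_pins.items())


def conflicts(a: bytes, b: bytes) -> dict:
    """Offsets where the two patterns demand different bytes.  A non-empty
    result means no response can ever satisfy both lines."""
    a_pins, _ = parse(a)
    b_pins, _ = parse(b)
    return {o: (a_pins[o], b_pins[o])
            for o in a_pins.keys() & b_pins.keys() if a_pins[o] != b_pins[o]}


def matching_patterns(response: bytes) -> list:
    """Names of the candidates that match a response, in PATTERNS order."""
    return [name for name, pat in PATTERNS.items() if re.match(pat, response)]


if __name__ == "__main__":
    for name, pat in PATTERNS.items():
        pins, min_len = parse(pat)
        table = " ".join(f"{o}:{v:02x}" for o, v in sorted(pins.items()))
        print(f"{name:10s} min_len={min_len:2d}  {table}")
    for label, resp in (("A", SAMPLE_A), ("B", SAMPLE_B)):
        print(f"sample {label} {resp.hex()} -> {matching_patterns(resp)}")
    print("brandon narrows original: ", subsumes(PATTERNS["brandon"], PATTERNS["original"]))
    print("tom_first narrows original:", subsumes(PATTERNS["tom_first"], PATTERNS["original"]))
```

The offset table answers the `.{4}` versus `.{5}` question by inspection, since it prints where each candidate places the `\x08` byte; `subsumes` answers Brandon's original question ("is there a case where the original would match but your change won't?") for any pair of lines, and `conflicts` catches the worse failure where a revised line can no longer match the same responses at all.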

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
