Nmap Development mailing list archives

Re: Quake 3 query script submission


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Mon, 25 Jan 2010 06:25:32 +0000


On Sun, 24 Jan 2010 17:05:55 -0600 or thereabouts Mak Kolybabi
<mak () kolybabi com> wrote:

> On 2010-01-18 12:35, David Fifield wrote:
> > If you know of a probe for server status or something like that,
> > send it to us and we may add it to nmap-service-probes. If it's a
> > safe probe without side effects, we can add it to the UDP payloads
> > list too. That will make scanning for game servers quick and
> > accurate.
>
> I've decided to give up on that script. Instead, as suggested, I've
> made a number of service probes that can detect the game servers. For
> example:
>
> PORT      STATE SERVICE     VERSION
> 26000/udp open  nexuiz      Nexuiz
> 27960/udp open  urbanterror Urban Terror ioQ3 1.35urt freebsd-amd64 Sep  6 2009
>
> The patch for nmap-service-probes is attached. The ports defined for
> these probes are usually the default ports the servers use, with some
> wiggle room on either side.
>
> These probes should not have any side effects.
>
> --
> Matthew Anthony Kolybabi (Mak)


Hi Mak,

Overall this patch looks pretty good.  I have a couple of questions
though.  First, you changed the generic Quake 3 match to a softmatch.
Is the idea here that we can get fingerprints for more specific matches?

Also, on all of your Quake3 and Quake2 probe matches, you don't use any
anchors.  Previous testing has shown matches without anchors are a few
orders of magnitude slower.

For example:

match nexuiz m|\\gamename\\Nexuiz| p/Nexuiz/

If you could do something like m|^\xff+\\gamename\\Nexuiz| the match
would be much, much faster.  What sort of content are you matching
against here?  If the best that can be added is .* then there is no
point.

Missing anchors is not a show-stopper but if we can do better, we
should.

Regards,

Brandon
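
Added example, not part of the original message and not Nmap code: a simplified model of why the anchored form does less work, counting the start offsets a backtracking matcher must test for the unanchored pattern from the patch versus the anchored form suggested above. The payloads are constructed, and the assumption that a reply is 0xff bytes followed directly by \gamename\ is not confirmed by the thread.

```python
import re

# Constructed payloads, not captured traffic. The first assumes the reply is
# 0xff bytes followed directly by \gamename\, which the thread does not confirm.
NEXUIZ_REPLY = b"\xff\xff\xff\xff\\gamename\\Nexuiz\\protocol\\3"
OTHER_REPLY = b"\xff\xff\xff\xff\\gamename\\q3ut4\\sv_hostname\\" + b"x" * 1000
# The marker string appearing deep inside an unrelated (constructed) response.
EMBEDDED = b"HTTP/1.0 200 OK\r\n\r\nmotd: \\gamename\\Nexuiz"

UNANCHORED = re.compile(rb"\\gamename\\Nexuiz")      # pattern from the patch
ANCHORED = re.compile(rb"^\xff+\\gamename\\Nexuiz")  # form suggested in the reply


def offsets_tried(regex, payload, anchored):
    """Return (start offsets tried, matched).

    Simplified model of a backtracking engine with no start-of-match
    optimisation: an unanchored pattern is tested at every offset until it
    matches, while a ^-anchored pattern can only ever match at offset 0.
    """
    candidates = range(1) if anchored else range(len(payload) + 1)
    for tried, pos in enumerate(candidates, start=1):
        if regex.match(payload, pos):
            return tried, True
    return len(candidates), False


if __name__ == "__main__":
    samples = [("nexuiz", NEXUIZ_REPLY), ("other", OTHER_REPLY),
               ("embedded", EMBEDDED)]
    for name, payload in samples:
        for label, regex, anchored in (("unanchored", UNANCHORED, False),
                                       ("anchored", ANCHORED, True)):
            tried, matched = offsets_tried(regex, payload, anchored)
            print(f"{name:9} {label:10} offsets={tried:5} matched={matched}")
```

The cost shows up on replies that do not match, which is the common case when every match line for a probe is tried against each response. The anchored form also stops matching the marker when it appears mid-payload, so it is a tighter fingerprint as well as a cheaper one.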
