Nmap Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Coherence of Version Detection

From: Michael Pattrick <mpattrick () rhinovirus org>
Date: Sat, 1 May 2010 16:41:49 -0400
A quick grep of the SVN blame reveals that 'webserver' is only used
twice, both committed in r2751(19/07/2005) and all IIS signatures
since then have used 'httpd'. Further inspection reveals that some of
the httpd signatures are almost identical to the webserver ones. All
signatures should be changed to httpd.

-M

On Fri, Apr 30, 2010 at 3:43 AM, Marc Ruef <marc.ruef () computec ch> wrote:

Hello,

We did a large-scale scan recently (houndreds of internal hosts). To
moderate and report the results, we use a self-written parsing-script to
import all xml data into a database (it is more an expert system). [1]

During the moderation process we identified that version detection of nmap
is determining IIS web servers differently. The identifier strings are (nmap
5.21 used):

* Microsoft IIS httpd
* Microsoft IIS httpd 6.0
* Microsoft IIS httpd 7.5
* Microsoft IIS webserver 6.0
* Microsoft IIS webserver 7.5

It looks like the same version is reported with different names: Once as
"httpd x.y" and once as "webserver x.y".

I was crawling through nmap-service-probes to identify the affected entries.
Is there a reason why there is a different naming? Of not, wouldn't it be a
good idea to normalize the naming convention as far as possible?

Otherwise, we would have to do this ourselves to provide the possibility of
software inventory reports. In this case we would maintain
nmap-service-probes ourselves or change the data during parsing.

Regards,

Marc

[1] The basic idea is summarized at http://www.scip.ch/?labs.20090814
(focussing on Qualys Scan; German only).

--
Marc Ruef | marc.ruef () computec ch | http://www.computec.ch/mruef/
_________________________________________________________________
Meine letzte Publikation: "Der Cyberstalker"
http://www.computec.ch/news.php?item.326
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
Previous By Date Next
Previous By Thread Next

Current thread: