Nmap Development mailing list archives
Re: Coherence of Version Detection
From: Michael Pattrick <mpattrick () rhinovirus org>
Date: Sat, 1 May 2010 16:41:49 -0400
A quick grep of the SVN blame reveals that 'webserver' is only used twice, both committed in r2751(19/07/2005) and all IIS signatures since then have used 'httpd'. Further inspection reveals that some of the httpd signatures are almost identical to the webserver ones. All signatures should be changed to httpd. -M On Fri, Apr 30, 2010 at 3:43 AM, Marc Ruef <marc.ruef () computec ch> wrote:
Hello, We did a large-scale scan recently (houndreds of internal hosts). To moderate and report the results, we use a self-written parsing-script to import all xml data into a database (it is more an expert system). [1] During the moderation process we identified that version detection of nmap is determining IIS web servers differently. The identifier strings are (nmap 5.21 used): * Microsoft IIS httpd * Microsoft IIS httpd 6.0 * Microsoft IIS httpd 7.5 * Microsoft IIS webserver 6.0 * Microsoft IIS webserver 7.5 It looks like the same version is reported with different names: Once as "httpd x.y" and once as "webserver x.y". I was crawling through nmap-service-probes to identify the affected entries. Is there a reason why there is a different naming? Of not, wouldn't it be a good idea to normalize the naming convention as far as possible? Otherwise, we would have to do this ourselves to provide the possibility of software inventory reports. In this case we would maintain nmap-service-probes ourselves or change the data during parsing. Regards, Marc [1] The basic idea is summarized at http://www.scip.ch/?labs.20090814 (focussing on Qualys Scan; German only). -- Marc Ruef | marc.ruef () computec ch | http://www.computec.ch/mruef/ _________________________________________________________________ Meine letzte Publikation: "Der Cyberstalker" http://www.computec.ch/news.php?item.326 _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Coherence of Version Detection Marc Ruef (May 01)
- Re: Coherence of Version Detection Michael Pattrick (May 01)
- Re: Coherence of Version Detection David Fifield (May 03)