Nmap Development mailing list archives

Re: Coherence of Version Detection


From: David Fifield <david () bamsoftware com>
Date: Mon, 3 May 2010 09:45:20 -0600

On Fri, Apr 30, 2010 at 09:43:42AM +0200, Marc Ruef wrote:
> We did a large-scale scan recently (hundreds of internal hosts). To
> moderate and report the results, we use a self-written parsing-script to
> import all xml data into a database (it is more an expert system). [1]
>
> During the moderation process we identified that version detection of
> nmap is determining IIS web servers differently. The identifier strings
> are (nmap 5.21 used):
>
> * Microsoft IIS httpd
> * Microsoft IIS httpd 6.0
> * Microsoft IIS httpd 7.5
> * Microsoft IIS webserver 6.0
> * Microsoft IIS webserver 7.5
>
> It looks like the same version is reported with different names: Once as
> "httpd x.y" and once as "webserver x.y".
>
> I was crawling through nmap-service-probes to identify the affected
> entries. Is there a reason why there is a different naming? If not,
> wouldn't it be a good idea to normalize the naming convention as far as
> possible?

There's no reason for the different naming. It's just a big database and
sometimes older entries don't match the style of newer entries. We fix
these if we become aware of them. I've gone through and modified all the
"webserver" entries, in most cases updating them to "httpd".

The latest copy of the file is at http://nmap.org/svn/nmap-service-probes.
It is likely to change more in the coming week because I am still in the
middle of a round of integrating the latest submitted signatures.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
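
Added example, not part of the original thread and not Nmap project code: a small lint that reads `match`/`softmatch` lines in nmap-service-probes syntax and reports products named with both a "webserver" and an "httpd" suffix, plus products that only use "webserver". The sample lines are constructed for illustration, and the function names and the two-suffix list are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in nmap-service-probes "match" syntax (not copied from the real file).
SAMPLE_PROBES = r"""match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: Microsoft-IIS/([\d.]+)\r\n|s p/Microsoft IIS httpd/ v/$1/ o/Windows/
match http m|^HTTP/1\.1 400 .*\r\nServer: Microsoft-IIS/([\d.]+)\r\n|s p/Microsoft IIS webserver/ v/$1/ o/Windows/
match http m=^HTTP/1\.0 200 OK\r\nServer: ExampleCam/([\d.]+)= p|ExampleCam webserver| v/$1/ d/webcam/
softmatch ftp m/^220 .*FTP server ready/ p/Generic ftpd/"""

LINE_RE = re.compile(r"^(?:soft)?match\s+(\S+)\s+m(.)")  # service name, pattern delimiter
PRODUCT_RE = re.compile(r"(?:^|\s)p(.)(.*?)\1")          # p/.../ with any delimiter
SUFFIXES = ("webserver", "httpd")  # assumption: the two spellings named in the thread

def products(text):
    """Yield (line_no, service, product) for each match line that has a p field."""
    for no, line in enumerate(text.splitlines(), 1):
        head = LINE_RE.match(line)
        if not head:
            continue
        # The pattern ends at the next occurrence of its delimiter; skip past it
        # so a " p/" inside the regex is never mistaken for the product field.
        end = line.find(head.group(2), head.end())
        if end == -1:
            continue
        field = PRODUCT_RE.search(line[end + 1:])
        if field:
            yield no, head.group(1), field.group(2)

def naming_report(text):
    """Return (conflicts, lone): products using both suffixes, and 'webserver' only."""
    by_base = defaultdict(lambda: defaultdict(list))
    for no, service, product in products(text):
        base, _, suffix = product.rpartition(" ")
        if suffix in SUFFIXES:
            by_base[(service, base)][suffix].append(no)
    conflicts, lone = {}, {}
    for key, found in by_base.items():
        if len(found) == 2:
            conflicts[key] = dict(found)
        elif "webserver" in found:
            lone[key] = found["webserver"]
    return conflicts, lone

if __name__ == "__main__":
    conflicts, lone = naming_report(SAMPLE_PROBES)
    print("same product, both suffixes:", conflicts)
    print("'webserver' only, candidates for review:", lone)
```

The same grouping can be applied on the consumer side to the `product` attribute of `<service>` elements in Nmap XML output before import, so results from older and newer probe files count as one product.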

