Re: [NSE] Vulnerability Scan based on osvdb

[David Fifield <david () bamsoftware com>]

On Thu, May 20, 2010 at 08:44:39AM +0200, Marc Ruef wrote:
> > I'm not aware of any mapping between Nmap-style names and OSVDB names.
> > Nmap's names are meant to be human-readable, so they sometimes have a
> > description of the server type along with the name.
>
> At the moment I am using the following code to find the best product  
> name match:
>
> --- cut ---
>
> local products_words = explode(" ", product)
>
> for x=#products_words, 1, -1 do
>     -- Generate a best match string for the product name
>     for y=1, x, 1 do
>         if products_wordsearch == "" then
>             products_wordsearch = products_words[y]
>         else
>             products_wordsearch = products_wordsearch .. " " ..  
> products_words[y]
>         end
>     end
> end
>
> --- cut ---

For explode, use our standard function stdnse.strsplit.

This code was mysterious to me but I see now what it does. If you
initialize products_wordsearch = "" at each iteration, then the x loop
takes a string like "Apache Tomcat httpd" and generates the successive
values

"Apache Tomcat httpd"
"Apache Tomcat"
"Apache"

That seems reasonable.

> > There are still probably inconsistencies in Nmap's database with regard
> > to naming. If OSVDB's is more consistent, then I would recommend mapping
> > Nmap names to OSVDB names.
>
> I did also contact the moderators of the osvdb mailing list and they  
> informed me about a potential limitation of osvdb (at the moment; thanks  
> to David for the reply):
>
> > -----Original Message-----
> > From: David Shettler [mailto:dave () opensecurityfoundation org]
> > Sent: Thursday, May 20, 2010 2:11 AM
> > To: Marc Ruef
> > Cc: moderators () osvdb org
> > Subject: Re: [OSVDB Mods] [OSVDB] CSV Export Strange Problems
> >
> > (...)
> > object_correlations don't exist for every vulnerability -- mainly because volunteers haven't gotten around to 
> > matching up every vuln to a specific vendor/product.  I'd rely on titles more than object_correlations and 
> > object_vendors, etc.
>
> This means a lookup with high confidence isn't possible anyway. Either way
>
> * I have a high confidence but not all matches or
>
> * I just grep the title strings, get "all" the matches but with a very  
> limited amount of confidence.

I think I prefer the second option. I don't know about "very limited."
Software names tend to be pretty distinct. It should be possible to get
good confidence with just pattern matching and maybe some
canonicalization. We do strive for consistency in nmap-service-probes,
but it's a big database and has had several maintainers, which I'm sure
is true of OSVBD as well.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/