Nmap Development mailing list archives
Re: [NSE] Vulnerability Scan based on osvdb
From: David Fifield <david () bamsoftware com>
Date: Thu, 20 May 2010 07:49:21 -0600
On Thu, May 20, 2010 at 08:44:39AM +0200, Marc Ruef wrote:
> > I'm not aware of any mapping between Nmap-style names and OSVDB names. Nmap's names are meant to be human-readable, so they sometimes have a description of the server type along with the name.
>
> At the moment I am using the following code to find the best product name match:
>
> --- cut ---
> local products_words = explode(" ", product)
>
> for x=#products_words, 1, -1 do
>    -- Generate a best match string for the product name
>    for y=1, x, 1 do
>       if products_wordsearch == "" then
>          products_wordsearch = products_words[y]
>       else
>          products_wordsearch = products_wordsearch .. " " .. products_words[y]
>       end
>    end
> end
> --- cut ---

For explode, use our standard function stdnse.strsplit. This code was mysterious to me but I see now what it does. If you initialize products_wordsearch = "" at each iteration, then the x loop takes a string like "Apache Tomcat httpd" and generates the successive values

    "Apache Tomcat httpd"
    "Apache Tomcat"
    "Apache"

That seems reasonable.

> > There are still probably inconsistencies in Nmap's database with regard to naming. If OSVDB's is more consistent, then I would recommend mapping Nmap names to OSVDB names.
>
> I did also contact the moderators of the osvdb mailing list and they informed me about a potential limitation of osvdb (at the moment; thanks to David for the reply):
>
> -----Original Message-----
> From: David Shettler [mailto:dave () opensecurityfoundation org]
> Sent: Thursday, May 20, 2010 2:11 AM
> To: Marc Ruef
> Cc: moderators () osvdb org
> Subject: Re: [OSVDB Mods] [OSVDB] CSV Export Strange Problems
>
> (...)
>
> object_correlations don't exist for every vulnerability -- mainly because volunteers haven't gotten around to matching up every vuln to a specific vendor/product. I'd rely on titles more than object_correlations and object_vendors, etc.
>
> This means a lookup with high confidence isn't possible anyway. Either way
>
> * I have a high confidence but not all matches or
> * I just grep the title strings, get "all" the matches but with a very limited amount of confidence.

I think I prefer the second option. I don't know about "very limited." Software names tend to be pretty distinct. It should be possible to get good confidence with just pattern matching and maybe some canonicalization. We do strive for consistency in nmap-service-probes, but it's a big database and has had several maintainers, which I'm sure is true of OSVDB as well.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
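
The prefix generation and title matching discussed in this message, as an added example that is not part of the original e-mail or of Nmap's code. It is plain Lua so it runs outside Nmap (inside an NSE script the word split would use stdnse.strsplit); the function names and the sample titles are constructed for illustration and are not real OSVDB entries.

```lua
-- Added example, not from the thread. Plain Lua 5.1+, no Nmap libraries.

-- Canonicalize: lowercase, turn runs of non-alphanumerics into one space, trim.
local function canonicalize(s)
  s = s:lower():gsub("[^%w]+", " ")
  return (s:gsub("^%s+", ""):gsub("%s+$", ""))
end

-- Successive candidates, longest first, rebuilt from scratch at each step:
-- "apache tomcat httpd", "apache tomcat", "apache".
local function prefix_candidates(product)
  local words = {}
  for w in canonicalize(product):gmatch("%S+") do words[#words + 1] = w end
  local out = {}
  for x = #words, 1, -1 do
    out[#out + 1] = table.concat(words, " ", 1, x)
  end
  return out
end

-- Return the longest candidate found on word boundaries in any title, plus
-- the titles it matched. A longer matching candidate means higher confidence.
local function best_match(product, titles)
  for _, cand in ipairs(prefix_candidates(product)) do
    local hits = {}
    for _, title in ipairs(titles) do
      local padded = " " .. canonicalize(title) .. " "
      -- Plain (non-pattern) search; the padding enforces whole-word matches.
      if padded:find(" " .. cand .. " ", 1, true) then hits[#hits + 1] = title end
    end
    if #hits > 0 then return cand, hits end
  end
  return nil, {}
end

-- Constructed sample titles (hypothetical, not taken from OSVDB).
local titles = {
  "Apache Tomcat Example Servlet Sample Input Handling Issue",
  "Apache HTTP Server Example Module Sample Issue",
  "ApacheBench Sample Output Handling Issue",
}

for _, product in ipairs({ "Apache Tomcat httpd", "Apache httpd" }) do
  local cand, hits = best_match(product, titles)
  print(product, "->", cand, #hits .. " title(s)")
end
```

The second product falls back to the single word "apache" and therefore matches more titles with less confidence, which is the trade-off between the two options weighed in the message; the word-boundary check keeps "ApacheBench" out of that set.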