Nmap Development mailing list archives

Re: HP-PJL softmatch line


From: Fyodor <fyodor () insecure org>
Date: Wed, 9 Jun 2010 16:20:10 -0700

On Sat, Jun 05, 2010 at 01:12:43PM -0500, Tom Sellers wrote:
> I would like some feedback on the following HP-PJL softmatch line:
>
> # We don't want to send a bunch more probes that will be printed
> softmatch hp-pjl m|^| i/hp-pjl probe got something back/
>
> In my scanning scenario, scanning all ports and using --version-all,
> it is generating numerous hits and changing the service field to
> hp-pjl.  There are many cases, for example ports 21 and 80, where
> that changes what scripts trigger against a port.

Hi Tom.  That line (along with the HP-PJL probe it corresponds to) was
added last August (r15334).  The commit comment says the probe "is
inactive at the moment because its ports 9100-9107 are in the default
Exclude list. (In fact, they are the default exclude list.) Users will
have to comment out the Exclude line to test these."

But it may have been forgotten that the probe will still be tried for
non-blocked ports after all the "probable ports" are tried and failed,
if you use --version-all.  That option is needed because the rarity
value for this probe is 9.

This softmatch is clearly problematic, as your tests show.  And nobody
has defended this signature in the last 4 days, so I'll comment it
out.  I suppose it might be useful for someone to enable in cases
where they are intentionally testing hp-pjl ports.

Anyway, thanks for the report!  Sometimes people ignore small/obscure
issues like this, but it is better to get them fixed.

Cheers,
-F
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
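
One way to catch a signature like the one discussed above before it changes service names across a scan, as an added example that is not part of the original message or of Nmap's code: a small lint that flags match/softmatch lines whose pattern matches every one of a set of unrelated responses. The ftp line, the sample responses and the function names are constructed for illustration, and Python's re module stands in for the PCRE engine Nmap uses.

```python
import re

# Constructed excerpt in nmap-service-probes syntax. The hp-pjl softmatch is the
# line quoted in the thread; the ftp line is a hypothetical narrower signature.
PROBES = r"""
softmatch hp-pjl m|^| i/hp-pjl probe got something back/
softmatch ftp m|^220[ -].*\r\n|s
"""

# Constructed responses from unrelated services (not captured traffic).
SAMPLES = {
    "ftp": b"220 FTP server ready.\r\n",
    "http": b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n",
    "ssh": b"SSH-2.0-ExampleSSH_1.0\r\n",
}


def parse_match_line(line):
    """Split 'match|softmatch <service> m<d><regex><d>[is] ...' into its parts."""
    directive, service, rest = line.split(None, 2)
    if directive not in ("match", "softmatch") or not rest.startswith("m"):
        raise ValueError("not a match/softmatch line: %r" % line)
    delim = rest[1]                 # the delimiter is whatever follows 'm'
    end = rest.index(delim, 2)      # closing delimiter
    flags = 0
    for ch in rest[end + 1:]:       # option letters sit directly after the delimiter
        if ch == "i":
            flags |= re.IGNORECASE
        elif ch == "s":
            flags |= re.DOTALL
        else:
            break                   # whitespace: version-info fields start here
    return directive, service, re.compile(rest[2:end].encode("latin-1"), flags)


def catch_all_lines(probes_text, samples):
    """Return (directive, service) for patterns matching every sample response."""
    flagged = []
    for line in probes_text.strip().splitlines():
        if not line.startswith(("match ", "softmatch ")):
            continue                # skip comments and other directives
        directive, service, rx = parse_match_line(line)
        if all(rx.search(data) for data in samples.values()):
            flagged.append((directive, service))
    return flagged


if __name__ == "__main__":
    for directive, service in catch_all_lines(PROBES, SAMPLES):
        print("catch-all %s for service %s" % (directive, service))
```
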

