Nmap Development mailing list archives

Re: NIST CPE


From: David Fifield <david () bamsoftware com>
Date: Thu, 31 Mar 2011 23:04:08 -0700

On Wed, Mar 30, 2011 at 02:36:50PM +0200, Henri Doreau wrote:
I am currently working to improve host and service detection within
OpenVAS. CPEs are a key point in this task and one of my aims is to
add CPE support for Nmap (upon which OpenVAS relies heavily).

2011/3/27 David Fifield <david () bamsoftware com>:
On Thu, Mar 24, 2011 at 04:42:26AM +0530, ambarisha b wrote:
2. The script doesn't try to use the Fingerprint line from each
fingerprint. I can see that we don't strictly follow a format,
nevertheless, there is a specific format we "try" to stick to while
writing the Fingerprint line. Maybe we can try to match the
Fingerprint line with the human-readable tag in the dictionary (I don't
mean a "cold" complete line match here). This, of course, would
introduce some amount of doubt about the accuracy.

This is a good idea and it would be great to see an implementation of
it. The matching doesn't have to be perfect, only good enough to save a
human lots of work. It's fine if a few names still need to be handled
manually. Instead of matching dictionary descriptions, I would just
build another map of common patterns that we use (like "SP2") to CPE
components. This makes it a little more complicated because one
Fingerprint line can correspond to multiple CPE names. For example,
"Microsoft Windows XP SP2 - SP3" would become
       cpe:/o:microsoft:windows_xp::sp2
       cpe:/o:microsoft:windows_xp::sp3
This is even worse with names like "Linux 2.6.9 - 2.6.14".

This is the way I am following. It's too early for me to release any
result or conclusion but I wrote a proof of concept library that
performs CPE lookups in the official dictionary. It relies on several
parameters to do fuzzy matching between CPE titles and a free form
description. The most important one is the "Levenshtein distance" but I
have also added other empirically determined tests (like weighting a
match on the OS/application name more than the version numbers for
instance).

Henri, I'm sure you know more about how CPE is actually used than most
of us. In your opinion, would a partial result like
cpe:/o:microsoft:windows_xp be useful to people (better than nothing),
or are they going to want more precise information like
cpe:/o:microsoft:windows_xp::sp3?

It seems like offering even a little bit of information is useful, but
if someone has the CPE hooked up to a vulnerability database or
something, they may not want to see spurious alerts about Windows XP
when the OS is actually Windows XP SP3 and already has the vulnerability
fixed.

I'm trying to get information on whether it would be better to at first
implement very easy, but incomplete, CPE (like the cpeify-os.py script);
or if the output needs to be mostly complete to begin with.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
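An added example, not code from this thread or from Nmap or OpenVAS, of the "map of common patterns" expansion David describes above, turning one Fingerprint line into every CPE 2.2 name it covers. The product table is a constructed stub and the kernel CPE name is an assumption.

```python
import re

# Constructed, deliberately tiny map from Fingerprint-line prefixes to
# CPE (part, vendor, product); a real table would be far larger.
PRODUCTS = {
    "microsoft windows xp": ("o", "microsoft", "windows_xp"),
    "linux": ("o", "linux", "linux_kernel"),  # assumed kernel CPE name
}

def expand_range(lo, hi):
    """Enumerate 'lo - hi' when only the trailing number differs (SP2 - SP3,
    2.6.9 - 2.6.14); otherwise keep just the two endpoints."""
    if hi is None:
        return [lo]
    m_lo = re.match(r"^(.*?)(\d+)$", lo)
    m_hi = re.match(r"^(.*?)(\d+)$", hi)
    if not (m_lo and m_hi) or m_lo.group(1) != m_hi.group(1):
        return [lo, hi]
    prefix = m_lo.group(1)
    return [prefix + str(n) for n in range(int(m_lo.group(2)), int(m_hi.group(2)) + 1)]

def fingerprint_to_cpes(line):
    """Turn one Nmap Fingerprint line into the list of CPE 2.2 names it covers."""
    text = " ".join(line.split())
    low = text.lower()
    for key, (part, vendor, product) in PRODUCTS.items():
        if low == key or low.startswith(key + " "):
            rest = text[len(key):].strip()
            break
    else:
        return []  # unknown product: leave it for a human to handle
    if not rest:
        return [f"cpe:/{part}:{vendor}:{product}"]
    endpoints = [p.strip() for p in rest.split("-", 1)]
    lo, hi = endpoints[0], (endpoints[1] if len(endpoints) > 1 else None)
    cpes = []
    for v in expand_range(lo, hi):
        v = v.lower()
        if v.startswith("sp"):
            # service packs belong in the CPE "update" field, so version is empty
            cpes.append(f"cpe:/{part}:{vendor}:{product}::{v}")
        else:
            cpes.append(f"cpe:/{part}:{vendor}:{product}:{v}")
    return cpes

if __name__ == "__main__":
    for fp in ("Microsoft Windows XP SP2 - SP3", "Linux 2.6.9 - 2.6.14", "Microsoft Windows XP"):
        print(fp, "->", fingerprint_to_cpes(fp))
```

A range whose endpoints differ in more than the last number (say "2.6.9 - 2.7.1") is not enumerated; only the two endpoints are emitted, which is the case David flags as harder.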