Nmap Development mailing list archives

Re: nse unusual-port ident bug


From: Fyodor <fyodor () insecure org>
Date: Tue, 29 Nov 2011 18:55:00 -0800

On Sat, Nov 26, 2011 at 07:07:11PM +0100, Patrik Karlsson wrote:

> In this case, the entry in nmap-services says "auth" while the
> service/version scan recognizes the port as "ident".  While, to the
> best of my knowledge, this is essentially the same service, there's a
> discrepancy between the entries in the file nmap-services and
> nmap-service-probes.

One thing that might help is to search the whole nmap-services entry
(including comments) for the discovered service name.  Aliases and
alternatives for a given port number are often listed in the comment
section of each line.  For example, port 113 looked like:

auth    113/tcp 0.012370        # ident, tap, Authentication Service

So you would have found ident there if you had searched the whole
line.  Of course I've now changed the name to ident for consistency
with version detection results, so this particular example is moot.
But there are many other cases where alternatives are listed in the
comments.  And if you find cases where they aren't, you could add them
to the comments (remember to edit /nmap-private-dev/nmap-services-all
rather than /nmap/nmap-services directly).  This could possibly avoid
the need for a whitelist (though a whitelist isn't really a bad idea
either).

Cheers,
Fyodor
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
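
The lookup suggested in the message above, as an added example that is not part of the original post and is not Nmap's or the NSE script's own code: it parses nmap-services lines and checks a detected service name against both the primary name and the comment field. The names parse_services, classify and SAMPLE are hypothetical, only the port 113 line is quoted from the message (the other lines are constructed), and matching whole comment tokens rather than raw substrings is a choice made here.

```python
import re

# Constructed sample in nmap-services layout (name, port/proto, frequency,
# optional "# comment"). Only the port 113 line is quoted from the message.
SAMPLE = """\
# name  port/proto  open-frequency  # comment
auth    113/tcp 0.012370        # ident, tap, Authentication Service
ssh     22/tcp  0.182286        # Secure Shell Login
http    80/tcp  0.484143        # World Wide Web HTTP
"""

TOKEN = re.compile(r"[a-z0-9][a-z0-9._+-]*")


def parse_services(text):
    """Map (port, proto) -> (primary name, set of alias tokens from the comment)."""
    table = {}
    for line in text.splitlines():
        body, _, comment = line.partition("#")
        fields = body.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue  # blank line, full-line comment, or malformed entry
        port, _, proto = fields[1].partition("/")
        if not port.isdigit():
            continue
        aliases = set(TOKEN.findall(comment.lower()))
        table[(int(port), proto.lower())] = (fields[0].lower(), aliases)
    return table


def classify(table, port, proto, detected):
    """Compare a version-detection service name with the port's entry."""
    entry = table.get((port, proto))
    if entry is None:
        return "unlisted"
    name, aliases = entry
    detected = detected.lower()
    if detected == name:
        return "match"
    # Whole-token comparison: a plain substring search of the line would
    # also accept fragments such as "den" (inside "ident") as an alias.
    if detected in aliases:
        return "alias"
    return "unusual"
```

With the old port 113 entry, a detected name of "ident" is classified as "alias" rather than "unusual", which is the false report the comment search is meant to avoid.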

