Re: "version" scripts running after successful version detection

[Toni Ruottu <toni.ruottu () iki fi>]

I suppose a version script could be more accurate than a probe. Some
version scripts also produce other results, at least if script scan is
enabled too. This makes me think that disabling version scripts for
identified services seems risky.

On Tue, Jul 17, 2012 at 3:58 AM, David Fifield <david () bamsoftware com> wrote:
> I notice that the script http-huawei-hg5xx-vuln is running for every -sV
> scan that finds an HTTP port. It's adding things to HTTP logs that look
> like this:
>
> 127.0.0.1 - - [16/Jul/2012:17:52:18 -0700] "GET /nmaplowercheck1342486338 HTTP/1.1" 404 0 "" "Mozilla/5.0 
> (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)"
> 127.0.0.1 - - [16/Jul/2012:17:52:18 -0700] "GET /Listadeparametros.html HTTP/1.1" 404 0 "" "Mozilla/5.0 (compatible; 
> Nmap Scripting Engine; http://nmap.org/book/nse.html)"
>
> The script is running because it belongs to the "version" category. This
> is happening even when normal version scan finds a match. I had thought
> that NSE would not run "version" scripts for services that already have
> a match, but that appears not to be the case. The sample script at
> http://nmap.org/book/nse-vscan.html#nse-skypev2-script does this check
> in the portrule; are all scripts supposed to check in this way?
>
> In any event, it seems we shouldn't be running this script as often as
> it is being run.
>
> David Fifield
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/