Nmap Development mailing list archives

Re: [NSE] hadoop-* / hbase-* - false positives

From: David Fifield <david () bamsoftware com>
Date: Mon, 4 Mar 2013 21:55:46 -0800

On Sat, Mar 02, 2013 at 06:41:31PM +0100, John Bond wrote:

Thanks for the feedback, i need to look at these scritps again because they
are broken with the latest releases of hadoop/hbase.


Can you elaborate more on this? Should we disable these scripts until
they work again?

In the case of these scripts the issue is somewhat more problematic
as they overwrite any fingerprint that has already been applied to the
port.

I have to admit im not sure what the etiquette is here. if my script is
confident that of what service is running on a port then it should
overwrite the description  (in this case i admit my script is being a bit
arrogant).  Im not sure what should happen if 2 scripts claim confidence
about the same port port.  At the moment im not sure how to handle this,
sorry if i have missed something.

It would be nice to have a system where you could register how confident
you where that the service was yours.  i.e. my script runs and says it is
70% confident, your script runs says it is 95% confident.  standard view
shows highest match, if there are two scripts that claim the same score
they are both displayed.  extra -v switches shows the other candidates


Don't make it complicated. The best solution is to fix the false
positivies and just set the version unconditionally.

These scripts should probably be reworked to positively match content
that is known to always been on pages.  Alternately, the version detection
logic should be moved further down in the logic after a more solid match is
made.  For example, in hbase-master-info.nse, on lines 70 and 71 the port
name and version are overwritten.  This should probably be moved down into
body:match sections below.

agreed should be an easy fix, wil send a patch in tomorrow so it stops

annoying you.  i will also try to work onupdating the script for newer
versions of hadoop/hbase/flume


Do you have a patch ready?

David Fifield
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

Current thread:

[NSE] hadoop-* / hbase-* - false positives Tom Sellers (Mar 02)
- Re: [NSE] hadoop-* / hbase-* - false positives Tom Sellers (Mar 02)
- Re: [NSE] hadoop-* / hbase-* - false positives John Bond (Mar 02)
  - Re: [NSE] hadoop-* / hbase-* - false positives David Fifield (Mar 04)
    - Re: [NSE] hadoop-* / hbase-* - false positives John Bond (Mar 05)
    - Re: [NSE] hadoop-* / hbase-* - false positives David Fifield (Mar 05)
    - Re: [NSE] hadoop-* / hbase-* - false positives Tom Sellers (Mar 05)