Nmap Development mailing list archives

Service match for identd incorrectly labeling systems as Windows.


From: Daniel Miller <bonsaiviking () gmail com>
Date: Thu, 29 May 2014 15:02:42 -0500

List,

A user has reported that Nmap incorrectly labeled a Debian system as
Windows when he scanned it with -sV. The system had port 113/tcp open,
running an identd that matched line 4653 in nmap-service-probes:

match ident m|^ : USERID : UNIX : [a-z]{4,8}\r\n$| o/Windows/ cpe:/o:microsoft:windows/a

Now this is problematic for several reasons:

1. There is no product listed. Even if it is "Windows identd" there should
be something there.

2. It's matching an identd on Debian 7 "wheezy" but says it's for Windows.

As it stands, this is basically a useless test. We have X possible ways
ahead:

1. Remove the o/Windows/ and cpe from the line and make it a softmatch,
since there is no better info available.

2. Find the service this was written for and make a more-specific match
line, including product name.

3. Find the service on Debian that matches this and rewrite the line to
match that service instead.

Thoughts, information, tests?

Dan
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
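As an added example (not code from the mail or from the Nmap project), the Python below parses match/softmatch lines in the nmap-service-probes format and shows what the quoted line reports for a constructed identd reply, beside the softmatch rewrite that option 1 proposes. The parser covers only the simple form of the syntax (m<delim>regex<delim> plus /-delimited fields), and both replies and the softmatch line are constructed here.

```python
import re

# Constructed input: the match line quoted in the mail, re-joined onto one
# line, and the softmatch rewrite that option 1 in the mail proposes.
ORIGINAL_LINE = (r"match ident m|^ : USERID : UNIX : [a-z]{4,8}\r\n$| "
                 r"o/Windows/ cpe:/o:microsoft:windows/a")
SOFTMATCH_LINE = r"softmatch ident m|^ : USERID : UNIX : [a-z]{4,8}\r\n$|"

# Constructed identd replies, shaped to exercise the regex above.
DEBIAN_REPLY = " : USERID : UNIX : daniel\r\n"     # lowercase user, 4-8 chars
ERROR_REPLY = "113, 40000 : ERROR : NO-USER\r\n"  # a refusal; must not match

FIELD_NAMES = {"p": "product", "v": "version", "i": "info",
               "h": "hostname", "o": "os", "d": "devicetype"}

def parse_match_line(line):
    """Split a match/softmatch line into keyword, service, compiled regex and
    version-info fields. Assumes m<delim>regex<delim>[is] followed by
    /-delimited p/ v/ i/ h/ o/ d/ and cpe:/ fields (simplified syntax)."""
    keyword, service, rest = line.split(None, 2)
    if keyword not in ("match", "softmatch") or not rest.startswith("m"):
        raise ValueError("not a match line: %r" % line)
    delim = rest[1]
    end = rest.index(delim, 2)            # closing delimiter of the pattern
    pattern = rest[2:end]
    tail = re.match(r"([is]*)\s*(.*)$", rest[end + 1:], re.S)
    flags = sum(getattr(re, f.upper()) for f in tail.group(1))
    info = {}
    for key, body, ann in re.findall(r"(cpe:|[pvihod])/([^/]*)/([a-z]*)",
                                     tail.group(2)):
        if key == "cpe:":                 # keep CPE name and its trailing flag
            info.setdefault("cpe", []).append(("cpe:/" + body, ann))
        else:
            info[FIELD_NAMES[key]] = body
    return {"keyword": keyword, "service": service,
            "regex": re.compile(pattern, flags), "info": info}

def fingerprint(line, reply):
    """What the line would report for a raw reply: None if the regex does not
    fire, otherwise the service name plus any version-info fields."""
    entry = parse_match_line(line)
    if not entry["regex"].search(reply):
        return None
    result = {"service": entry["service"],
              "soft": entry["keyword"] == "softmatch"}
    result.update(entry["info"])          # o/Windows/ lands here as "os"
    return result
```

Running `fingerprint(ORIGINAL_LINE, DEBIAN_REPLY)` reports os=Windows for the constructed Debian reply, while the softmatch line names only the service and leaves the OS unset.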
