Re: More Service Detection notes: HTTP, FTP, DNS, etc

[Fyodor <fyodor () insecure org>]

On Mon, May 08, 2006 at 11:12:52PM -0700, doug () hcsw org wrote:
> Here are some more notes on this last batch of fingerprints:
>
> http://hcsw.org/blog.pl?a=13&b=16

I'm still reading :).  You note:

> I finally made the difficult decision to re-include apt-proxy into the
> probes file. This is, unfortunatley, too general of a match line and
> results in a few (I hope) extremely rare mis-identifications. The
> sheer number of independant submissions (20+) convinced me!
>
> # This one can cause false results!
> match http m|^HTTP/1\.0 404 Not Found\r\nConnection: close\r\n\r\n$| p/apt-proxy httpd/

Does any one here know what sort of request apt-proxy expects?  If
there is a path which always exists there, we could add a special
high-rarity probe for it near the end of the file.  If someone wants
to sniff a session against such a server, we may be able to do the
rest.  I share Doug's worry that this line will prove to be too
general.  But you never know!  Maybe it really is unique to apt-proxy.

Cheers,
-F


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev