nmap-service-probes matching questions

[Kris Katterjohn <katterjohn () gmail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey everyone,

I've always loved Nmap's Service Detection; it's definitely high on my
list of top features.

I would like to help out with Service Detection if I can, but before any
of that I have some questions that I can't find exact answers to in the
docs.

I've attached a small patch which combines some match lines into one
using alternation.

Questions:

o Is it better to combine matches like I have done with the first two
sets when the difference is small?  Only one word is different between
the matches.

o In the third one, is this how it is done to capture the substrings and
to have them match correctly?  What are the $N values for these?  This
is what it seems like it would be (excluding $1 and $2 which I didn't
touch):

$3 is the outer () capture, which is either "posting ok" or "no posting"
depending on the match
$4 is the first inner () capture, which is "posting ok"
$5 is the second inner () capture, which is "no posting"

Is this correct?

Sorry if these are simple.  I use vi and [e]grep all the time, with awk
and sed fairly often, but I rarely use Perl (gasp!) or anything else
with nested captured substrings so I'm clueless here.

Thanks a lot,
Kris Katterjohn

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQIVAwUBR/Jlm/9K37xXYl36AQI9lg/8Dw64mqgVZc/IokQDgcBr9mU+RK9WbSAb
3LGlBu1itljn+LOj+8YRgXYLRWxx1Une6+ZP+BakPaI7cW9gwvXtHiF3kQpIeZ4W
suZ2xA1xarl+tEJA3+QSPS4eR3ytHpJieVfJQ6MIq18oUqKMmH6GCa70Yltf8BEw
+UluO5ZIDRasIT1oqzpUcwA+ZCNCUiDERhDjcuDkp+zwYzFuV+zid7f9JUkZkya0
MbeVLbnctaMxZnGQexi1+4Zs20RbcZhm7WT4ezI6hkcduPAT/xeg/yvD7tIjB47c
kY9hZGrWKECCusf36BUCFNF0CVjMh23RA6mLINEZmnLSPLLSTLYsMlk+WqtBBQcM
hMWZQ6z2u9lKaxaS4Szn+34dW0W0mPiaxULjwN+yD7dNM+3b1ZOwETVH7h4bZ53y
rFJeIq/wZf4sTftJlY/ELHmlo4SxqDanKTEljUE015vQhTG8+TSYzRPxkubyYBLa
aly5f1Y8Xf+aO0GDZlw7BPJ7icy48dlu4iKYeyHPtMvYCfu7twK/+utmIw2VyZ9S
XAebXtY1XYV7DvBeT+zrKoN9bg5MaS7ER86kAOta5eH93YIi6BuNh2PJiIxKgusR
OTQ0DH7L/N2K8eHZX/b7nDiVR+CG4Kw+zzC4Cp9kmS7C+yGeDwr3iU/jPkBqevN+
XNyMQTihOcg=
=c+d+
-----END PGP SIGNATURE-----

Index: nmap-service-probes
===================================================================
--- nmap-service-probes (revision 7027)
+++ nmap-service-probes (working copy)
@@ -201,8 +201,7 @@
 # banners.  These rules should always be well below the detailed rule
 # above.
 match eggdrop m|\(Eggdrop v([\d.]+) \(C\) 1997 Robey Pointer.*Eggheads|s p/Eggdrop IRC bot console/ v/$1/
-match eggdrop m|\(Eggdrop v([\d.]+)\+ipv6 \(C\) 1997 Robey Pointer.*Eggheads|s p/Eggdrop IRC bot console with ipv6/ 
v/$1/
-match eggdrop m|\(Eggdrop v([\d.]+)\+SSL \(C\) 1997 Robey Pointer.*Eggheads|s p/Eggdrop IRC bot console with SSL/ v/$1/
+match eggdrop m|\(Eggdrop v([\d.]+)\+(ipv6|SSL) \(C\) 1997 Robey Pointer.*Eggheads|s p/Eggdrop IRC bot console with 
$2/ v/$1/
 match eggdrop m|\(Eggdrop v([\d.]+)\+rc(\d+) \(C\) 1997 Robey Pointer.*Eggheads|s p/Eggdrop IRC bot console/ v/$1 rc 
$2/
 match eggdrop m=\(Eggdrop v([\d.]+)\+(STEALER\.net|Gentoo) \(C\) 1997 Robey Pointer.*Eggheads=s p/Eggdrop IRC bot 
console with Gentoo patches/ v/$1/ o/Linux/ i/Gentoo/
 
@@ -256,8 +255,7 @@
 match ftp m|^220 ([-.\w]+) FTP server \(GNU inetutils (\d[-.\w ]+)\) ready\.\r\n| p/GNU Inetutils FTPd/ v/$2/ h/$1/
 match ftp m|^220 .* \(glftpd (\d[-.0-9a-zA-Z]+)_(\w+)(\+TLS)?\) ready\.\r\n| p/glFTPd/ v/$1/ i/$2/ o/Unix/
 match ftp m|^220 .* \(glFTPd (\d[-.0-9a-zA-Z]+)_(\w+) Linux\+TLS\) ready\.?\r\n| p/glFTPd/ v/$1/ i/$2/ o/Linux/
-match ftp m|^220 .* \(glFTPd (\d[-.0-9a-zA-Z]+) Linux\+TLS\) ready\.\r\n| p/glFTPd/ v/$1/ o/Linux/
-match ftp m|^220 .* \(glFTPd (\d[-.0-9a-zA-Z]+) FreeBSD\+TLS\) ready\.\r\n| p/glFTPd/ v/$1/ o/FreeBSD/
+match ftp m/^220 .* \(glFTPd (\d[-.0-9a-zA-Z]+) (Linux|FreeBSD)\+TLS\) ready\.\r\n/ p/glFTPd/ v/$1/ o/$2/
 match ftp m|^220 ([-.\w]+) FTP server \(FirstClass v(\d[-.\w]+)\) ready\.\r\n| p/FirstClass FTP server/ h/$1/ v/$2/
 match ftp m|^220 ([-.\w]+) FTP server \(Compaq Tru64 UNIX Version (\d[-.\w]+)\) ready\.\r\n| p/Compaq Tru64 ftp 
server/ h/$1/ v/$2/ o/Tru64 UNIX/
 match ftp m|^220 AXIS ([-.\w]+) FTP Network Print Server V(\d[-.\w]+) [A-Z][a-z]| p/Axis network print server ftpd/ 
v/$2/ i/Model $1/ d/print server/
@@ -1068,8 +1066,7 @@
 match nntp m|^502 Connection refused\r\n| p/Microsoft NNTP Service/ i/refused/ o/Windows/
 # Windows NT 4.0 SP5-SP6 
 match nntp m|^20[01] Microsoft Exchange Internet News Service Version (\d\.\d\.[.\d]+) \((.*)\)\r\n| p/Microsoft 
Exchange Internet News Service/ v/$1/ i/$2/ o/Windows/
-match nntp m|^20. ([-.\w]+) InterNetNews NNRP server INN (\d[-.\w ]+) ready \(posting ok\)\.\r\n| p/InterNetNews 
(INN)/ h/$1/ v/$2/ i/posting ok/
-match nntp m|^20. ([-.\w]+) InterNetNews NNRP server INN (\d[-.\w ]+) ready \(no posting\)\.\r\n| p/InterNetNews 
(INN)/ h/$1/ v/$2/ i/no posting/
+match nntp m|^20. ([-.\w]+) InterNetNews NNRP server INN (\d[-.\w ]+) ready \(((posting ok)|(no posting))\)\.\r\n| 
p/InterNetNews (INN)/ h/$1/ v/$2/ i/$3/
 match nntp m|^200 ArGoSoft News Server for WinNT/2000/XP v ([\d.]+) ready\r\n| p/ArGoSoft nntpd/ v/$1/ o/Windows/
 match nntp m|^400 No space left on device writing SMstore file -- throttling\r\n| p/InterNetNews (INN)/ i/HDD full/
 match nntp m/^200 NNTP-Server Classic Hamster (Vr\.|Version) \d[-.\w ]+ \(Build (\d[-.\w ]+)\) \(post ok\) says: 
Hi!\r\n/ p/Classic Hamster NNTPd/ v/$2/ i/posting ok/ o/Windows/


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org