Nmap Development mailing list archives
nmap-service-probes matching questions
From: Kris Katterjohn <katterjohn () gmail com>
Date: Tue, 01 Apr 2008 11:41:00 -0500
Hey everyone,

I've always loved Nmap's Service Detection; it's definitely high on my list of top features. I would like to help out with Service Detection if I can, but before any of that I have some questions that I can't find exact answers to in the docs.

I've attached a small patch which combines some match lines into one using alternation.

Questions:

o Is it better to combine matches like I have done with the first two sets when the difference is small? Only one word is different between the matches.

o In the third one, is this how it is done to capture the substrings and to have them match correctly? What are the $N values for these? This is what it seems like it would be (excluding $1 and $2 which I didn't touch):

    $3 is the outer () capture, which is either "posting ok" or "no posting" depending on the match
    $4 is the first inner () capture, which is "posting ok"
    $5 is the second inner () capture, which is "no posting"

  Is this correct?

Sorry if these are simple. I use vi and [e]grep all the time, with awk and sed fairly often, but I rarely use Perl (gasp!) or anything else with nested captured substrings so I'm clueless here.

Thanks a lot,
Kris Katterjohn
Index: nmap-service-probes =================================================================== --- nmap-service-probes (revision 7027) +++ nmap-service-probes (working copy) @@ -201,8 +201,7 @@ # banners. These rules should always be well below the detailed rule # above. match eggdrop m|\(Eggdrop v([\d.]+) \(C\) 1997 Robey Pointer.*Eggheads|s p/Eggdrop IRC bot console/ v/$1/ -match eggdrop m|\(Eggdrop v([\d.]+)\+ipv6 \(C\) 1997 Robey Pointer.*Eggheads|s p/Eggdrop IRC bot console with ipv6/ v/$1/ -match eggdrop m|\(Eggdrop v([\d.]+)\+SSL \(C\) 1997 Robey Pointer.*Eggheads|s p/Eggdrop IRC bot console with SSL/ v/$1/ +match eggdrop m|\(Eggdrop v([\d.]+)\+(ipv6|SSL) \(C\) 1997 Robey Pointer.*Eggheads|s p/Eggdrop IRC bot console with $2/ v/$1/ match eggdrop m|\(Eggdrop v([\d.]+)\+rc(\d+) \(C\) 1997 Robey Pointer.*Eggheads|s p/Eggdrop IRC bot console/ v/$1 rc $2/ match eggdrop m=\(Eggdrop v([\d.]+)\+(STEALER\.net|Gentoo) \(C\) 1997 Robey Pointer.*Eggheads=s p/Eggdrop IRC bot console with Gentoo patches/ v/$1/ o/Linux/ i/Gentoo/ 
@@ -256,8 +255,7 @@ match ftp m|^220 ([-.\w]+) FTP server \(GNU inetutils (\d[-.\w ]+)\) ready\.\r\n| p/GNU Inetutils FTPd/ v/$2/ h/$1/ match ftp m|^220 .* \(glftpd (\d[-.0-9a-zA-Z]+)_(\w+)(\+TLS)?\) ready\.\r\n| p/glFTPd/ v/$1/ i/$2/ o/Unix/ match ftp m|^220 .* \(glFTPd (\d[-.0-9a-zA-Z]+)_(\w+) Linux\+TLS\) ready\.?\r\n| p/glFTPd/ v/$1/ i/$2/ o/Linux/ -match ftp m|^220 .* \(glFTPd (\d[-.0-9a-zA-Z]+) Linux\+TLS\) ready\.\r\n| p/glFTPd/ v/$1/ o/Linux/ -match ftp m|^220 .* \(glFTPd (\d[-.0-9a-zA-Z]+) FreeBSD\+TLS\) ready\.\r\n| p/glFTPd/ v/$1/ o/FreeBSD/ +match ftp m/^220 .* \(glFTPd (\d[-.0-9a-zA-Z]+) (Linux|FreeBSD)\+TLS\) ready\.\r\n/ p/glFTPd/ v/$1/ o/$2/ match ftp m|^220 ([-.\w]+) FTP server \(FirstClass v(\d[-.\w]+)\) ready\.\r\n| p/FirstClass FTP server/ h/$1/ v/$2/ match ftp m|^220 ([-.\w]+) FTP server \(Compaq Tru64 UNIX Version (\d[-.\w]+)\) ready\.\r\n| p/Compaq Tru64 ftp server/ h/$1/ v/$2/ o/Tru64 UNIX/ match ftp m|^220 AXIS ([-.\w]+) FTP Network Print Server V(\d[-.\w]+) [A-Z][a-z]| p/Axis network print server ftpd/ v/$2/ i/Model $1/ d/print server/ 
@@ -1068,8 +1066,7 @@ match nntp m|^502 Connection refused\r\n| p/Microsoft NNTP Service/ i/refused/ o/Windows/ # Windows NT 4.0 SP5-SP6 match nntp m|^20[01] Microsoft Exchange Internet News Service Version (\d\.\d\.[.\d]+) \((.*)\)\r\n| p/Microsoft Exchange Internet News Service/ v/$1/ i/$2/ o/Windows/ -match nntp m|^20. ([-.\w]+) InterNetNews NNRP server INN (\d[-.\w ]+) ready \(posting ok\)\.\r\n| p/InterNetNews (INN)/ h/$1/ v/$2/ i/posting ok/ -match nntp m|^20. ([-.\w]+) InterNetNews NNRP server INN (\d[-.\w ]+) ready \(no posting\)\.\r\n| p/InterNetNews (INN)/ h/$1/ v/$2/ i/no posting/ +match nntp m|^20. ([-.\w]+) InterNetNews NNRP server INN (\d[-.\w ]+) ready \(((posting ok)|(no posting))\)\.\r\n| p/InterNetNews (INN)/ h/$1/ v/$2/ i/$3/ match nntp m|^200 ArGoSoft News Server for WinNT/2000/XP v ([\d.]+) ready\r\n| p/ArGoSoft nntpd/ v/$1/ o/Windows/ match nntp m|^400 No space left on device writing SMstore file -- throttling\r\n| p/InterNetNews (INN)/ i/HDD full/ match nntp m/^200 NNTP-Server Classic Hamster (Vr\.|Version) \d[-.\w ]+ \(Build (\d[-.\w ]+)\) \(post ok\) says: Hi!\r\n/ p/Classic Hamster NNTPd/ v/$2/ i/posting ok/ o/Windows/
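Review bot: In the first hunk, the added eggdrop line keeps the m|...| delimiter while introducing a bare | inside the pattern as alternation in (ipv6|SSL), so a parser that ends the regex at the next delimiter character will cut it off after "ipv6". The unchanged line just below it already uses m=...= for its (STEALER\.net|Gentoo) alternation, and the glFTPd hunk in this same patch switches to m/.../ for the same reason; please use one of those here. The p/... with $2/ template itself reproduces the two original product strings.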
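Review bot: In the third hunk, the added nntp line is still delimited with m|...| but now has a bare | between (posting ok) and (no posting), which would end the regex early; switch to a delimiter that does not occur in the pattern, such as m=...=. Separately, the two inner groups are not needed: \((posting ok|no posting)\) already makes $3 the alternative that matched, and it avoids adding a $4 and $5 of which only one is ever set for a given banner.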
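The $N numbering asked about above, worked through as an added example (not part of the original post or of Nmap). It assumes a simplified model of the match-line syntax in which the regex ends at the next occurrence of the delimiter, uses Python's re in place of Nmap's regex engine, and runs against constructed banners; the helper names are hypothetical.

```python
import re

# Constructed sample banners (not captured from real servers).
BANNER_OK = b"200 news.example.org InterNetNews NNRP server INN 2.4.3 ready (posting ok).\r\n"
BANNER_NO = b"201 news.example.org InterNetNews NNRP server INN 2.4.3 ready (no posting).\r\n"

# Regex and fields of the merged nntp line from the patch.
PATTERN = r"^20. ([-.\w]+) InterNetNews NNRP server INN (\d[-.\w ]+) ready \(((posting ok)|(no posting))\)\.\r\n"
FIELDS = " p/InterNetNews (INN)/ h/$1/ v/$2/ i/$3/"
LINE_PIPE = "match nntp m|" + PATTERN + "|" + FIELDS  # delimiter as posted
LINE_EQ = "match nntp m=" + PATTERN + "=" + FIELDS    # same line, '=' delimiter

def split_match_line(line):
    """Assumed model: the regex runs up to the next occurrence of the delimiter."""
    _directive, _service, rest = line.split(" ", 2)
    delim = rest[1]                    # character right after the leading 'm'
    end = rest.index(delim, 2)
    return rest[2:end], rest[end + 1:]

def regex_compiles(line):
    """True if the regex extracted from the line is syntactically valid."""
    regex, _ = split_match_line(line)
    try:
        re.compile(regex.encode())
        return True
    except re.error:
        return False

def captures(line, banner):
    """Map N to the text of $N (None if the group took no part); None if no match."""
    regex, _ = split_match_line(line)
    m = re.search(regex.encode(), banner)
    if m is None:
        return None
    return {n: g.decode() if g is not None else None
            for n, g in enumerate(m.groups(), start=1)}

def info_field(line, banner):
    """Expand the i/.../ template of a line whose regex matches the banner."""
    _, fields = split_match_line(line)
    groups = captures(line, banner)
    template = re.search(r" i/([^/]*)/", fields).group(1)
    return re.sub(r"\$(\d)", lambda m: groups[int(m.group(1))] or "", template)

if __name__ == "__main__":
    print("pipe-delimited line compiles:", regex_compiles(LINE_PIPE))
    for banner in (BANNER_OK, BANNER_NO):
        print(captures(LINE_EQ, banner), "->", info_field(LINE_EQ, banner))
```

Groups are numbered by the position of their opening parenthesis, so $3 is always the outer group, while $4 and $5 are each set only when their own branch matched.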