Nmap Development mailing list archives
Re: service-probe question: FTP services
From: Fyodor <fyodor () insecure org>
Date: Tue, 3 Feb 2009 20:02:30 -0800
On Wed, Feb 04, 2009 at 12:10:27AM +0000, doug () hcsw org wrote:
> Also, the following match line:
>
>   match smtp m|^220 $| p/OpenBSD spamd/
>
> will trigger incorrectly on
>
>   match ftp m|^220 IB-21E Ver ([\d.]+) FTP server\.\r\n| p/Kyocera IB-21E ftpd/ v/$1/ d/print server/
>
> I have not quite figured out why. When I remove the OpenBSD spamd entry
> it fingerprints correctly.

That's a tough one. I think spamd is an attempt to sandbag spammers, but I can see how it could result in false positives, especially if an FTP server does something like write(sd, "220 ", 4) and the Nagle algorithm isn't enabled (perhaps because it's a simplistic device like a print server). I'm open to suggestions on this one.
We could consider taking the spamd out of the NULL probe section, and moving it on to the next tests. That way the real mailers have a chance to be identified by their full banner, and won't be cut out just because they printed "220 " before the rest of their banner. Here is an example of a spamd submission we received a couple years ago:

Service: smtp
Platform: OpenBSD 3.8
Description: OpenBSD3.8 spamd

SF-Port25-TCP:V=3.50%D=2/1%Time=43E120B3%P=i386-unknown-openbsd3.5%r(NULL,
SF:4,"220\x20")%r(Help,9,"220\x20AleaS")%r(GenericLines,4,"220\x20")%r(Get
SF:Request,4,"220\x20")%r(HTTPOptions,4,"220\x20")%r(RTSPRequest,4,"220\x2
SF:0")%r(RPCCheck,4,"220\x20")%r(DNSVersionBindReq,4,"220\x20")%r(DNSStatu
SF:sRequest,4,"220\x20")%r(SSLSessionReq,4,"220\x20")%r(SMBProgNeg,4,"220\
SF:x20")%r(X11Probe,4,"220\x20")%r(LPDString,4,"220\x20")%r(LDAPBindReq,4,
SF:"220\x20")%r(LANDesk-RC,5,"220\x20A")%r(TerminalServer,4,"220\x20")%r(N
SF:CP,4,"220\x20")%r(NotesRPC,4,"220\x20")%r(WMSRequest,4,"220\x20")%r(ora
SF:cle-tns,4,"220\x20");

Looking at our current nmap-service-probes, the first real probe for a TCP service on port 25 will be the "Hello" probe (which didn't exist at the time of the fingerprint above). So my suggestion would be to move the OpenBSD spamd signature to the bottom of the Hello probe SMTP signatures.

Cheers,
-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
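The following is an added illustration of the ordering problem discussed in this thread; it is example code, not part of nmap or of any message above. It models nmap-service-probes match lines as a first-match-wins list, fed the two match lines doug quoted. It assumes, as Fyodor hypothesises, that the print server's banner arrives in two reads with "220 " alone in the first, and that the buffered response is re-tested after every read; the version string 2.11 in the simulated banner is constructed. Python's re module stands in for nmap's PCRE engine, which is adequate for these two patterns.

```python
import re

# Two match lines quoted from the thread, in the order nmap would try them
# under the NULL probe (first match wins).
NULL_PROBE_LINES = [
    r"match smtp m|^220 $| p/OpenBSD spamd/",
    r"match ftp m|^220 IB-21E Ver ([\d.]+) FTP server\.\r\n| p/Kyocera IB-21E ftpd/ v/$1/ d/print server/",
]

# "match <service> m<delim><regex><delim>[flags] <fields...>"
_LINE_RE = re.compile(r"^(?:soft)?match\s+(\S+)\s+m(.)(.*?)\2([is]*)\s*(.*)$")
# version-info fields such as p/.../ v/.../ d/.../ (only the "/" delimiter is modelled)
_FIELD_RE = re.compile(r"\b([pvihod])/([^/]*)/")
_FIELD_NAMES = {"p": "product", "v": "version", "i": "info",
                "h": "hostname", "o": "ostype", "d": "devicetype"}


def parse_match_line(line):
    """Parse one match line into service, compiled regex and version fields."""
    m = _LINE_RE.match(line)
    if not m:
        raise ValueError("not a match line: %r" % line)
    service, _delim, pattern, flags, rest = m.groups()
    re_flags = (re.IGNORECASE if "i" in flags else 0) | (re.DOTALL if "s" in flags else 0)
    fields = {_FIELD_NAMES[k]: v for k, v in _FIELD_RE.findall(rest)}
    return {"service": service, "regex": re.compile(pattern, re_flags), "fields": fields}


def _expand(template, m):
    """Substitute $1, $2, ... in a field with the regex capture groups."""
    return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))) or "", template)


def first_match(match_lines, data):
    """Return the first match line whose regex hits `data`, with $N expanded."""
    for ml in match_lines:
        m = ml["regex"].search(data)
        if m:
            return {"service": ml["service"],
                    **{k: _expand(v, m) for k, v in ml["fields"].items()}}
    return None


def scan(match_lines, reads):
    """Re-test the accumulated response after every recv(), as the thread assumes nmap does."""
    buf = ""
    for chunk in reads:
        buf += chunk
        hit = first_match(match_lines, buf)
        if hit:
            return hit
    return None


# Constructed: the print server writes "220 " on its own before the rest of
# the banner, so the first read sees only those four bytes.
SPLIT_BANNER = ["220 ", "IB-21E Ver 2.11 FTP server.\r\n"]
WHOLE_BANNER = ["".join(SPLIT_BANNER)]


def demo():
    original = [parse_match_line(l) for l in NULL_PROBE_LINES]
    # Fyodor's proposal: the spamd line leaves the NULL probe section.
    demoted = [ml for ml in original if ml["fields"].get("product") != "OpenBSD spamd"]
    return {
        "split_original": scan(original, SPLIT_BANNER)["product"],
        "whole_original": scan(original, WHOLE_BANNER)["product"],
        "split_demoted": scan(demoted, SPLIT_BANNER),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

With the spamd line in the NULL section, the first, partial read "220 " already satisfies ^220 $ and the scan stops there; with the whole banner in one read the Kyocera line wins even in the original order. Demoting the spamd line makes the partial read match nothing, so the full banner is waited for and the Kyocera line captures the version, which is the behaviour doug saw after removing the entry.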
Current thread:
- service-probe question: FTP services Tom Sellers (Feb 03)
- Re: service-probe question: FTP services doug (Feb 03)
- Re: service-probe question: FTP services Fyodor (Feb 03)
- Re: service-probe question: FTP services doug (Feb 03)
- Re: service-probe question: FTP services Fyodor (Feb 03)
- Re: service-probe question: FTP services doug (Feb 03)