Nmap Development mailing list archives
Re: Coherence of Version Detection
From: David Fifield <david () bamsoftware com>
Date: Mon, 3 May 2010 09:45:20 -0600
On Fri, Apr 30, 2010 at 09:43:42AM +0200, Marc Ruef wrote:
We did a large-scale scan recently (houndreds of internal hosts). To moderate and report the results, we use a self-written parsing-script to import all xml data into a database (it is more an expert system). [1] During the moderation process we identified that version detection of nmap is determining IIS web servers differently. The identifier strings are (nmap 5.21 used): * Microsoft IIS httpd * Microsoft IIS httpd 6.0 * Microsoft IIS httpd 7.5 * Microsoft IIS webserver 6.0 * Microsoft IIS webserver 7.5 It looks like the same version is reported with different names: Once as "httpd x.y" and once as "webserver x.y". I was crawling through nmap-service-probes to identify the affected entries. Is there a reason why there is a different naming? Of not, wouldn't it be a good idea to normalize the naming convention as far as possible?
There's no reason for the different naming. It's just a big database and sometimes older entries don't match the style of newer entries. We fix these if we become aware of them. I've gone through and modified all the "webserver" entries, in most cases updating them to "httpd". The latest copy of the file is at http://nmap.org/svn/nmap-service-probes. It is likely to change more in the coming week because I am still in the middle of a round of integrating the latest submitted signatures. David Fifield _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Coherence of Version Detection Marc Ruef (May 01)
- Re: Coherence of Version Detection Michael Pattrick (May 01)
- Re: Coherence of Version Detection David Fifield (May 03)