Nmap Development mailing list archives

Re: NIST CPE


From: Henri Doreau <henri.doreau () greenbone net>
Date: Wed, 30 Mar 2011 14:36:50 +0200

Hello,

I am currently working to improve host and service detection within
OpenVAS. CPEs are a key point in this task and one of my aims is to
add CPE support for Nmap (upon which OpenVAS relies heavily).

2011/3/27 David Fifield <david () bamsoftware com>:
On Thu, Mar 24, 2011 at 04:42:26AM +0530, ambarisha b wrote:
2. The script doesn't try to use the Fingerprint line from each
fingerprint. I can see that we don't strictly follow a format;
nevertheless, there is a specific format we "try" to stick to while
writing the Fingerprint line. Maybe we can try to match the
Fingerprint line with the human-readable tag in the dictionary (I don't
mean a "cold" complete line match here). This, of course, would
introduce some amount of doubt about the accuracy.

This is a good idea and it would be great to see an implementation of
it. The matching doesn't have to be perfect, only good enough to save a
human lots of work. It's fine if a few names still need to be handled
manually. Instead of matching dictionary descriptions, I would just
build another map of common patterns that we use (like "SP2") to CPE
components. This makes it a little more complicated because one
Fingerprint line can correspond to multiple CPE names. For example,
"Microsoft Windows XP SP2 - SP3" would become
       cpe:/o:microsoft:windows_xp::sp2
       cpe:/o:microsoft:windows_xp::sp3
This is even worse with names like "Linux 2.6.9 - 2.6.14".

This is the way I am following. It's too early for me to release any
result or conclusion but I wrote a proof of concept library that
performs CPE lookups in the official dictionary. It relies on several
parameters to do fuzzy matching between CPE titles and a free form
description. The most important one is the "Levenshtein distance" but I
have also added other empirically determined tests (like weighting a
match on the OS/application name more than the version numbers for
instance).

This gives good and constantly improving results, but not enough to
consider updating the database from it yet. I think that an efficient
tool will need to combine several methods to produce reliable results
with a minimal human reviewing effort.

Regards.

-- 
Henri Doreau |  Greenbone Networks GmbH  |  http://www.greenbone.net
Neuer Graben 17, 49074 Osnabrueck, Germany | AG Osnabrueck, HR B 202460
Executive Directors: Lukas Grunwald, Dr. Jan-Oliver Wagner
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
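As an added example (not code from this thread, from Nmap or from OpenVAS), here is the pattern-map approach David describes: a small table of Fingerprint-line prefixes mapped to CPE components, plus expansion of "SP2 - SP3" and "2.6.9 - 2.6.14" ranges into one CPE name per value. The PRODUCTS table is a constructed stand-in for a real map into the CPE dictionary.

```python
import itertools
import re

# Constructed stand-in for a map from Fingerprint-line prefixes to CPE
# components (part, vendor, product). A real tool would derive this from
# the official CPE dictionary rather than hard-code it.
PRODUCTS = {
    "Microsoft Windows XP": ("o", "microsoft", "windows_xp"),
    "Microsoft Windows 7": ("o", "microsoft", "windows_7"),
    "Linux": ("o", "linux", "linux_kernel"),
}

# "SP2" or "SP2 - SP3"; "2.6.9" or "2.6.9 - 2.6.14"
SP_RE = re.compile(r"\bSP(\d+)(?:\s*-\s*SP(\d+))?")
VER_RE = re.compile(r"\b(\d+(?:\.\d+)+)(?:\s*-\s*(\d+(?:\.\d+)+))?")


def expand_versions(lo, hi):
    """Enumerate 'lo - hi' when only the last component differs.

    '2.6.9 - 2.6.14' becomes 2.6.9 ... 2.6.14. A range that crosses a
    major/minor boundary cannot be enumerated safely, so only the two
    endpoints are kept for a human to review.
    """
    a, b = lo.split("."), hi.split(".")
    if len(a) != len(b) or a[:-1] != b[:-1]:
        return [lo, hi]
    prefix = ".".join(a[:-1])
    return [f"{prefix}.{i}" for i in range(int(a[-1]), int(b[-1]) + 1)]


def fingerprint_to_cpes(line):
    """Return every CPE name a Fingerprint line can correspond to ([] if unknown)."""
    for name, (part, vendor, prod) in PRODUCTS.items():
        if line.startswith(name):
            rest = line[len(name):]
            break
    else:
        return []
    versions, updates = [""], [""]
    m = SP_RE.search(rest)
    if m:  # service-pack range -> CPE 'update' field
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        updates = [f"sp{i}" for i in range(lo, hi + 1)]
    m = VER_RE.search(rest)
    if m:  # dotted version range -> CPE 'version' field
        versions = expand_versions(m.group(1), m.group(2) or m.group(1))
    return [f"cpe:/{part}:{vendor}:{prod}:{v}:{u}".rstrip(":")
            for v, u in itertools.product(versions, updates)]
```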
