Nmap Development mailing list archives
Re: NIST CPE
From: Henri Doreau <henri.doreau () greenbone net>
Date: Wed, 30 Mar 2011 14:36:50 +0200
Hello,

I am currently working to improve host and service detection within OpenVAS. CPEs are a key point in this task and one of my aims is to add CPE support for Nmap (upon which OpenVAS relies heavily).

2011/3/27 David Fifield <david () bamsoftware com>:
> On Thu, Mar 24, 2011 at 04:42:26AM +0530, ambarisha b wrote:
> > 2. The script doesn't try to use the Fingerprint line from each fingerprint. I can see that we don't strictly follow a format; nevertheless, there is a specific format we "try" to stick to while writing the Fingerprint line. Maybe we can try to match the Fingerprint line with the human-readable tag in the dictionary (I don't mean a "cold" complete line match here). This, of course, would introduce some amount of doubt about the accuracy.
>
> This is a good idea and it would be great to see an implementation of it. The matching doesn't have to be perfect, only good enough to save a human lots of work. It's fine if a few names still need to be handled manually.
>
> Instead of matching dictionary descriptions, I would just build another map of common patterns that we use (like "SP2") to CPE components. This makes it a little more complicated because one Fingerprint line can correspond to multiple CPE names. For example, "Microsoft Windows XP SP2 - SP3" would become
>
>   cpe:/o:microsoft:windows_xp::sp2
>   cpe:/o:microsoft:windows_xp::sp3
>
> This is even worse with names like "Linux 2.6.9 - 2.6.14".
This is the way I am following. It's too early for me to release any result or conclusion, but I wrote a proof of concept library that performs CPE lookups in the official dictionary. It relies on several parameters to do fuzzy matching between CPE titles and a free-form description. The most important one is the Levenshtein distance, but I have also added other empirically determined tests (like weighting a match on the OS/application name more than the version numbers, for instance). This gives good and constantly improving results, but not enough to consider updating the database from it yet.

I think that an efficient tool will need to combine several methods to produce reliable results with a minimal human reviewing effort.

Regards.

--
Henri Doreau | Greenbone Networks GmbH | http://www.greenbone.net
Neuer Graben 17, 49074 Osnabrueck, Germany | AG Osnabrueck, HR B 202460
Executive Directors: Lukas Grunwald, Dr. Jan-Oliver Wagner

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
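The two approaches discussed in this thread, a pattern map from Fingerprint-line conventions such as "SP2 - SP3" or "2.6.9 - 2.6.14" to one or more CPE names (David's suggestion) and a Levenshtein-based fuzzy lookup that weights the product name above the version numbers (Henri's proof of concept), are illustrated below in Python. This is an added example and not part of the original messages; it is not Nmap's, OpenVAS's or Greenbone's code. The product map, the four-entry stand-in dictionary, the normalised distance and the name weight of 3 are assumptions chosen for the example; the real NIST dictionary is not consulted.

```python
import re

# Constructed lookup tables for this example (not Nmap's, OpenVAS's or NIST's
# data).  PRODUCT_MAP: leading product name as written in an Nmap Fingerprint
# line -> (CPE part, vendor, product).  CPE_DICT: stand-in dictionary entries.
PRODUCT_MAP = {
    "Microsoft Windows XP": ("o", "microsoft", "windows_xp"),
    "Apache httpd": ("a", "apache", "http_server"),
    "Linux": ("o", "linux", "linux_kernel"),
}
CPE_DICT = [
    ("Microsoft Windows XP Service Pack 2", "cpe:/o:microsoft:windows_xp::sp2"),
    ("Microsoft Windows XP Service Pack 3", "cpe:/o:microsoft:windows_xp::sp3"),
    ("Linux Kernel 2.6.9", "cpe:/o:linux:linux_kernel:2.6.9"),
    ("Apache Software Foundation HTTP Server 2.2.14", "cpe:/a:apache:http_server:2.2.14"),
]
# "SP2" or "SP2 - SP3"; "2.6.9" or "2.6.9 - 2.6.14"
SP_PATTERN = re.compile(r"^SP(\d+)(?:\s*-\s*SP(\d+))?$")
VER_PATTERN = re.compile(r"^(\d+(?:\.\d+)*)(?:\s*-\s*(\d+(?:\.\d+)*))?$")
VERSION_TOKEN = re.compile(r"^(?:sp)?\d+(?:\.\d+)*$", re.IGNORECASE)

def cpe(part, vendor, product, version="", update=""):
    """Build a CPE 2.2 URI (cpe:/part:vendor:product:version:update), dropping
    trailing empty components as in the names quoted in the thread."""
    comps = [part, vendor, product, version, update]
    while comps and comps[-1] == "":
        comps.pop()
    return "cpe:/" + ":".join(comps)

def expand_version_range(lo, hi):
    """Enumerate "2.6.9 - 2.6.14" as 2.6.9, 2.6.10, ..., 2.6.14.  Only the last
    component may differ; "2.6.9 - 3.0" is ambiguous and yields None."""
    lo_parts, hi_parts = lo.split("."), hi.split(".")
    if len(lo_parts) != len(hi_parts) or lo_parts[:-1] != hi_parts[:-1]:
        return None
    first, last = int(lo_parts[-1]), int(hi_parts[-1])
    if first > last:
        return None
    prefix = ".".join(lo_parts[:-1])
    return [f"{prefix}.{n}" if prefix else str(n) for n in range(first, last + 1)]

def fingerprint_to_cpes(line):
    """Map one Fingerprint line to a list of CPE names via the pattern map, or
    None when no rule applies (the line is then left for manual handling)."""
    for name in sorted(PRODUCT_MAP, key=len, reverse=True):  # longest name first
        if line == name or line.startswith(name + " "):
            part, vendor, product = PRODUCT_MAP[name]
            rest = line[len(name):].strip()
            break
    else:
        return None
    if rest == "":
        return [cpe(part, vendor, product)]
    m = SP_PATTERN.match(rest)
    if m:  # one line may yield several names: SP2 - SP3 -> ::sp2 and ::sp3
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        return [cpe(part, vendor, product, "", f"sp{n}") for n in range(lo, hi + 1)]
    m = VER_PATTERN.match(rest)
    if m:
        versions = expand_version_range(m.group(1), m.group(2) or m.group(1))
        return None if versions is None else [cpe(part, vendor, product, v) for v in versions]
    return None

def levenshtein(a, b):
    """Edit distance with unit insert/delete/substitute costs."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def norm_distance(a, b):
    """Levenshtein distance scaled to [0, 1] so long titles are not penalised
    merely for being long (an assumption of this example)."""
    longest = max(len(a), len(b))
    return levenshtein(a, b) / longest if longest else 0.0

def split_name_version(text):
    """Split a title into its name words and its version-like tokens."""
    words = text.lower().split()
    name = " ".join(w for w in words if not VERSION_TOKEN.match(w))
    version = " ".join(w for w in words if VERSION_TOKEN.match(w))
    return name, version

def fuzzy_lookup(description, dictionary=CPE_DICT, name_weight=3.0):
    """Return the CPE name whose title best matches a free-form description;
    the name distance counts name_weight times the version distance."""
    d_name, d_ver = split_name_version(description)
    best = None
    for title, cpe_name in dictionary:
        t_name, t_ver = split_name_version(title)
        score = name_weight * norm_distance(d_name, t_name) + norm_distance(d_ver, t_ver)
        if best is None or score < best[0]:
            best = (score, cpe_name)
    return best[1] if best else None
```

`fingerprint_to_cpes("Microsoft Windows XP SP2 - SP3")` yields the two names David lists, and `fingerprint_to_cpes("Linux 2.6.9 - 2.6.14")` yields six; a range that changes more than the last version component, the case David calls "even worse", comes back as None so it stays on the manual-review pile rather than being guessed. The fuzzy lookup is the kind of heuristic Henri describes: it ranks the sample descriptions correctly against this tiny dictionary, but against the full dictionary the name-weighted score will still produce near-ties that need a human eye, which is why neither approach alone should update the database.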
Current thread:
- NIST CPE ambarisha b (Mar 23)
- Re: NIST CPE David Fifield (Mar 27)
- Re: NIST CPE Henri Doreau (Mar 30)
- Re: NIST CPE David Fifield (Mar 31)
- Re: NIST CPE Jan-Oliver Wagner (Mar 31)
- Re: NIST CPE Henri Doreau (Mar 30)
- Re: NIST CPE David Fifield (Mar 27)