Nmap Development mailing list archives
Re: NIST CPE
From: David Fifield <david () bamsoftware com>
Date: Thu, 31 Mar 2011 23:04:08 -0700
On Wed, Mar 30, 2011 at 02:36:50PM +0200, Henri Doreau wrote:
> I am currently working to improve host and service detection within OpenVAS. CPEs are a key point in this task and one of my aims is to add CPE support for Nmap (upon which OpenVAS relies heavily).
>
> 2011/3/27 David Fifield <david () bamsoftware com>:
> > On Thu, Mar 24, 2011 at 04:42:26AM +0530, ambarisha b wrote:
> > > 2. The script doesn't try to use the Fingerprint line from each fingerprint. I can see that we don't strictly follow a format; nevertheless, there is a specific format we "try" to stick to while writing the Fingerprint line. Maybe we can try to match the Fingerprint line with the human-readable tag in the dictionary (I don't mean a "cold" complete line match here). This, of course, would introduce some amount of doubt about the accuracy.
> >
> > This is a good idea and it would be great to see an implementation of it. The matching doesn't have to be perfect, only good enough to save a human lots of work. It's fine if a few names still need to be handled manually. Instead of matching dictionary descriptions, I would just build another map of common patterns that we use (like "SP2") to CPE components. This makes it a little more complicated because one Fingerprint line can correspond to multiple CPE names. For example, "Microsoft Windows XP SP2 - SP3" would become
> >
> >   cpe:/o:microsoft:windows_xp::sp2
> >   cpe:/o:microsoft:windows_xp::sp3
> >
> > This is even worse with names like "Linux 2.6.9 - 2.6.14".
>
> This is the way I am following. It's too early for me to release any result or conclusion, but I wrote a proof of concept library that performs CPE lookups in the official dictionary. It relies on several parameters to do fuzzy matching between CPE titles and a free-form description. The most important one is the Levenshtein distance, but I have also added other empirically determined tests (like weighting a match on the OS/application name more than the version numbers, for instance).
Henri, I'm sure you know more about how CPE is actually used than most of us. In your opinion, would a partial result like cpe:/o:microsoft:windows_xp be useful to people (better than nothing), or are they going to want more precise information like cpe:/o:microsoft:windows_xp::sp3? It seems like offering even a little bit of information is useful, but if someone has the CPE hooked up to a vulnerability database or something, they may not want to see spurious alerts about Windows XP when the OS is actually Windows XP SP3 and already has the vulnerability fixed.

I'm trying to get information on whether it would be better to at first implement very easy, but incomplete, CPE (like the cpeify-os.py script); or if the output needs to be mostly complete to begin with.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
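The pattern-map approach David describes (Fingerprint-line vocabulary mapped to CPE components, with one line expanding to several CPE names), as an added example that is not code from this thread, Nmap or OpenVAS. The PRODUCTS table is a constructed stand-in for a real dictionary, and the range expansion goes slightly beyond the text by also handling an unenumerable range by keeping only its endpoints.

```python
import re

# Constructed vocabulary: lowercase Fingerprint-line prefix -> (part, vendor, product).
# Assumption: a real map would be generated from the CPE dictionary, not hand-written.
PRODUCTS = {
    "microsoft windows xp": ("o", "microsoft", "windows_xp"),
    "microsoft windows 7": ("o", "microsoft", "windows_7"),
    "linux": ("o", "linux", "linux_kernel"),
}


def _expand_range(lo, hi):
    """Expand 'sp2 - sp3' or '2.6.9 - 2.6.14' into every value in between.
    Only the trailing number is iterated; if the prefixes differ (e.g. 2.6.9 - 2.7.1)
    the range cannot be enumerated, so just the two endpoints are returned."""
    m_lo = re.match(r"^(.*?)(\d+)$", lo)
    m_hi = re.match(r"^(.*?)(\d+)$", hi)
    if not (m_lo and m_hi) or m_lo.group(1) != m_hi.group(1):
        return [lo, hi]
    prefix = m_lo.group(1)
    return [f"{prefix}{i}" for i in range(int(m_lo.group(2)), int(m_hi.group(2)) + 1)]


def fingerprint_to_cpes(line):
    """Map one Nmap Fingerprint line to zero or more CPE 2.2 names.
    Returns [] when the product is unknown, so a human can handle it by hand."""
    text = line.strip().lower()
    # Longest prefix first so "microsoft windows xp" is not shadowed by a shorter key.
    for name, (part, vendor, product) in sorted(PRODUCTS.items(), key=lambda kv: -len(kv[0])):
        if text == name or text.startswith(name + " "):
            rest = text[len(name):].strip()
            break
    else:
        return []
    base = f"cpe:/{part}:{vendor}:{product}"
    if not rest:
        return [base]                      # partial result, e.g. cpe:/o:microsoft:windows_xp
    m = re.match(r"^(\S+)\s*-\s*(\S+)$", rest)   # "SP2 - SP3" or "2.6.9 - 2.6.14"
    values = _expand_range(m.group(1), m.group(2)) if m else [rest]
    cpes = []
    for v in values:
        if v.startswith("sp"):             # service pack goes in the update field
            cpes.append(f"{base}::{v}")
        else:                              # plain version number goes in the version field
            cpes.append(f"{base}:{v}")
    return cpes
```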
Current thread:
- NIST CPE ambarisha b (Mar 23)
- Re: NIST CPE David Fifield (Mar 27)
- Re: NIST CPE Henri Doreau (Mar 30)
- Re: NIST CPE David Fifield (Mar 31)
- Re: NIST CPE Jan-Oliver Wagner (Mar 31)
- Re: NIST CPE Henri Doreau (Mar 30)
- Re: NIST CPE David Fifield (Mar 27)