Nmap Development mailing list archives
NIST CPE
From: ambarisha b <b.ambarisha () gmail com>
Date: Thu, 24 Mar 2011 04:42:26 +0530
Hi,

I have been studying the NIST CPE specification and David's reports from

http://seclists.org/nmap-dev/2010/q3/278 - OS fingerprints
http://seclists.org/nmap-dev/2010/q3/303 - version service probes

When I first read the specification, it seemed like the standard isn't yet ready for adoption by the nmap database. But rethinking it, I guess these are the pains you take to adopt a common standard.

I have studied the mockup script that David's report included. A few things came to my mind:

1. The script doesn't use the cpe dictionary completely (I guess the vendor and vendor-family maps must have been obtained by referring to the dictionary and manually putting it in). Shouldn't we be cross-checking a component name with the dictionary, because I think that the specification relies heavily on the dictionary and in many situations doesn't define clear-cut rules to express a cpe name.

2. The script doesn't try to use the Fingerprint line from each fingerprint. I can see that we don't strictly follow a format; nevertheless, there is a specific format we "try" to stick to while writing the Fingerprint line. Maybe we can try to match the Fingerprint line with the human-readable tag in the dictionary (I don't mean a "cold" complete line match here). This, of course, would introduce some amount of doubt about the accuracy.

3. The major concern is with the embedded device type and there is quite a big number of them. Mostly we're storing the details regarding the device in the Fingerprint line. So any progress on processing the Fingerprint line will yield good results here also.

4. We also need to maintain consistency with the CPE dictionary while adding new fingerprints. This, I think, can easily be automated. Still, what if the cpe doesn't have a name registered yet? We add the fingerprint to the database without the cpe name. And we will also have to revise the database periodically to see if any of the names for the fingerprints without a cpe name have been registered.

With service probes there are many other concerns. The disparity between the dictionary and nmap's database is going to be a problem. We need to get all the new names into the cpe dictionary. There are component names where the protocol specifies no clear rules but that name should be obtained by contacting the company or the organisation. These issues should also be resolved. What do you guys say?

Regards
Ambarisha

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
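The dictionary cross-check from points 1, 2 and 4 of the message above, sketched as an added example; it is not part of the original post and is not David's mockup script. The dictionary XML is constructed sample data in the CPE 2.2 dictionary layout, the function names and status labels are hypothetical, and the prefix rule in `is_registered` is a simplification of CPE name matching.

```python
import difflib
import xml.etree.ElementTree as ET

NS = {"d": "http://cpe.mitre.org/dictionary/2.0"}

# Constructed sample entries, not real dictionary data.
SAMPLE_DICT = """<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0">
  <cpe-item name="cpe:/o:linux:kernel:2.6"><title xml:lang="en-US">Linux Kernel 2.6</title></cpe-item>
  <cpe-item name="cpe:/o:microsoft:windows_xp::sp2"><title xml:lang="en-US">Microsoft Windows XP Service Pack 2</title></cpe-item>
  <cpe-item name="cpe:/h:linksys:wrt54g"><title xml:lang="en-US">Linksys WRT54G</title></cpe-item>
</cpe-list>"""

# Constructed (Fingerprint description, candidate CPE name or None) pairs.
ENTRIES = [
    ("Microsoft Windows XP SP2", "cpe:/o:microsoft:windows_xp"),
    ("Linksys WRT54G WAP", None),          # embedded device, no vendor map hit
    ("Acme FooRouter 3000", "cpe:/h:acme:foorouter"),
]

def load_dictionary(xml_text):
    """Return {cpe_name: lowercase title} parsed from dictionary XML."""
    root = ET.fromstring(xml_text)
    return {item.get("name"): item.findtext("d:title", "", NS).lower()
            for item in root.findall("d:cpe-item", NS)}

def is_registered(candidate, dictionary):
    """True if the dictionary holds the candidate or a more specific name under it."""
    return any(n == candidate or n.startswith(candidate + ":") for n in dictionary)

def match_title(fingerprint_line, dictionary, cutoff=0.7):
    """Fuzzy-match a Fingerprint description to a title; None if nothing is close."""
    by_title = {title: name for name, title in dictionary.items()}
    hits = difflib.get_close_matches(fingerprint_line.lower(), list(by_title),
                                     n=1, cutoff=cutoff)
    return by_title[hits[0]] if hits else None

def cross_check(entries, dictionary):
    """Classify each entry; returns {fingerprint_line: (status, cpe_name_or_None)}."""
    report = {}
    for line, candidate in entries:
        if candidate and is_registered(candidate, dictionary):
            report[line] = ("confirmed", candidate)
        elif (guess := match_title(line, dictionary)):
            report[line] = ("suggested", guess)   # fuzzy hit, needs human review
        else:
            report[line] = ("pending", None)      # store without CPE, re-check later
    return report

if __name__ == "__main__":
    for line, result in cross_check(ENTRIES, load_dictionary(SAMPLE_DICT)).items():
        print(f"{line!r}: {result}")
```

Re-running `cross_check` against a refreshed dictionary is the periodic revision from point 4: entries that were `pending` move to `confirmed` once their names are registered.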