Nmap Development mailing list archives
Re: [NSE] hadoop-* / hbase-* - false positives
From: John Bond <john.r.bond () gmail com>
Date: Tue, 5 Mar 2013 11:06:14 +0100
On 5 March 2013 06:55, David Fifield <david () bamsoftware com> wrote:
> On Sat, Mar 02, 2013 at 06:41:31PM +0100, John Bond wrote:
>> Thanks for the feedback, I need to look at these scripts again because they are broken with the latest releases of hadoop/hbase.
>
> Can you elaborate more on this? Should we disable these scripts until they work again?

The scripts work by scraping HTML pages; the most recent update changed some of the formatting, so some of the find patterns don't match. I think they are fine to leave enabled as they still find some information, and if they don't match there is no harm done. Also they are still good for the old versions. Once I have a public hadoop instance I'll start fixing these things.

>>> In the case of these scripts the issue is somewhat more problematic as they overwrite any fingerprint that has already been applied to the port.
>>
>> I have to admit I'm not sure what the etiquette is here. If my script is confident of what service is running on a port then it should overwrite the description (in this case I admit my script is being a bit arrogant). I'm not sure what should happen if 2 scripts claim confidence about the same port. At the moment I'm not sure how to handle this, sorry if I have missed something. It would be nice to have a system where you could register how confident you were that the service was yours, i.e. my script runs and says it is 70% confident, your script runs and says it is 95% confident. Standard view shows the highest match; if there are two scripts that claim the same score they are both displayed. Extra -v switches show the other candidates.
>
> Don't make it complicated. The best solution is to fix the false positives and just set the version unconditionally.

This was more food for thought, i.e. what is the best way to solve this in the long run.

>>> These scripts should probably be reworked to positively match content that is known to always be on pages. Alternately, the version detection logic should be moved further down in the logic after a more solid match is made. For example, in hbase-master-info.nse, on lines 70 and 71 the port name and version are overwritten. This should probably be moved down into body:match sections below.
>>
>> Agreed, should be an easy fix, will send a patch in tomorrow so it stops annoying you. I will also try to work on updating the script for newer versions of hadoop/hbase/flume.
>
> Do you have a patch ready?

Attached is a quick patch which should make these scripts less confident.

John
Attachment: nmap.patch
_______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
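The rearrangement Tom suggests (claim the service only after a body:match on content that is always present, instead of setting the port name and version for every 200 response), shown as an added illustration in NSE style. This is not hbase-master-info.nse, John's patch, or any Nmap code; apart from the standard NSE calls (http.get, shortport.http, nmap.set_port_version, stdnse.format_output), the page path, the HTML pattern and the product strings are assumptions.

```lua
-- Added illustration, not the real hbase-master-info.nse: where in an HTML-scraping
-- script the version claim should sit so that a generic web server answering
-- 200 OK on the probed path does not get mislabelled and its existing
-- fingerprint overwritten.
local http = require "http"
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"

description = [[
Illustrative scrape of an HBase master status page. Sets port.version only
after a page element specific to the real master page has been matched.
]]
author = "example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"default", "discovery", "safe"}

portrule = shortport.http

-- Path and pattern are assumptions for the illustration.
local STATUS_PAGE = "/master.jsp"
local VERSION_PATTERN = "HBase Version</td><td>([^<]+)"

action = function(host, port)
  local result = {}
  local response = http.get(host, port, STATUS_PAGE)

  if not (response and response.status == 200 and response.body) then
    return nil
  end
  local body = response.body

  -- Before (the pattern Tom objects to): the claim was made right here,
  -- on any 200 OK, before anything HBase-specific had been matched:
  --   port.version.name = "http"
  --   port.version.product = "Apache Hadoop HBase"
  --   nmap.set_port_version(host, port)

  -- After: positively match content known to be on every real master page.
  local version = body:match(VERSION_PATTERN)
  if not version then
    -- Nothing HBase-specific found: report nothing and leave whatever
    -- fingerprint version detection already applied to the port untouched.
    return nil
  end

  -- Only now is the script entitled to describe the service.
  port.version.name = "http"
  port.version.product = "Apache Hadoop HBase"
  port.version.version = version
  nmap.set_port_version(host, port)

  table.insert(result, string.format("HBase Version: %s", version))
  return stdnse.format_output(true, result)
end
```

The point is the position of nmap.set_port_version: a script that calls it before any service-specific match will overwrite a correct fingerprint whenever the probed path merely returns 200, which is exactly the false positive reported in this thread.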
Current thread:
- [NSE] hadoop-* / hbase-* - false positives Tom Sellers (Mar 02)
- Re: [NSE] hadoop-* / hbase-* - false positives Tom Sellers (Mar 02)
- Re: [NSE] hadoop-* / hbase-* - false positives John Bond (Mar 02)
- Re: [NSE] hadoop-* / hbase-* - false positives David Fifield (Mar 04)
- Re: [NSE] hadoop-* / hbase-* - false positives John Bond (Mar 05)
- Re: [NSE] hadoop-* / hbase-* - false positives David Fifield (Mar 05)
- Re: [NSE] hadoop-* / hbase-* - false positives Tom Sellers (Mar 05)
- Re: [NSE] hadoop-* / hbase-* - false positives David Fifield (Mar 04)