to the XDMCP specification at
http://cgit.freedesktop.org/xorg/doc/xorg-docs/plain/hardcopy/XDMCP/xdmcp.PS.gz,
it's just a junk trailer following the zero-length array of
authentication names, and that "no padding of any sort will occur within
the packets." It still correctly identifies an xdm running locally in my
testing.
The specification also says "Packets that have too little or too much
data should be ignored," but that must not be taken seiously because the
X server that comes with Mac OS X sends several junk null bytes at the
end of its XDMCP queries.
support various 3.X releases. Also added a match for Radmin when the
source IP is ACL'd. Thanks to Tom Sellers for the hard work and
providing a patch!
matching strategies. It is really great that we have so few match
lines that really need any performance attention. As long as a match
has an anchor (though ^ seems better than $ with PRCE) it should be
fast enough. We also want to avoid things like
"m|^whatever.*something.*" but we got rid of all of those in a
previous review.
The only "bad" match we have now is:
match ser2net m|\r\nser2net port \d+ device (/dev/[-\w_]+) ...snip...
I think this match should be commented out so that we can get a better
submission. With a big release coming up so soon though I don't want
to remove any useful features. I've left a comment about it's
performance and maybe myself, Doug, or somebody else will think about
the match more at a later date.
different bytes in a few X11 fields. I've made the match more
generic. I have a feeling that the X11 fields might contain useful
information that we could include in i// but I don't know enough about
X11 to do that myself.
by collapsing them to a single .* and making sure that the DOTALL
(PCRE s modifier) is set on the match. This should dramatically cut
down on cases where MATCHLIMIT is returned. See
http://seclists.org/nmap-dev/2009/q2/0086.html for a discussion. I
chose to only use .* in this patch even though .*? will be faster in
some cases. I felt the speed benefit of .*? did not outweigh the
relative obscurity of lazy quantifiers. I have some ideas on how
audit matches for performance and some ideas on optimizations that can
be done. .*? and friends will have wait.
nmap-service-probes. This replaces an incomplete set of specific match
lines, though a few of those have been retained where they might give
information on the OS or SSL implementation. There is also a new probe
that works against SSLv2-only servers. The patch is from Kristof
Boeynaems.
> Looking at our current nmap-service-probes, the first real probe for a
> TCP service on port 25 will be the "Hello" (which didn't exist at the
> time of the fingerprint above). So my suggestion would be to move the
> OpenBSD spamd signature to the bottom of the HelLo probe SMTP
> signatures.
