support various 3.X releases. Also added a match for Radmin when the
source IP is ACL'd. Thanks to Tom Sellers for the hard work and
providing a patch!
matching strategies. It is really great that we have so few match
lines that really need any performance attention. As long as a match
has an anchor (though ^ seems better than $ with PCRE) it should be
fast enough. We also want to avoid things like
"m|^whatever.*something.*" but we got rid of all of those in a
previous review.
The only "bad" match we have now is:
match ser2net m|\r\nser2net port \d+ device (/dev/[-\w_]+) ...snip...
I think this match should be commented out so that we can get a better
submission. With a big release coming up so soon though I don't want
to remove any useful features. I've left a comment about its
performance and maybe myself, Doug, or somebody else will think about
the match more at a later date.
different bytes in a few X11 fields. I've made the match more
generic. I have a feeling that the X11 fields might contain useful
information that we could include in i// but I don't know enough about
X11 to do that myself.
by collapsing them to a single .* and making sure that the DOTALL
(PCRE s modifier) is set on the match. This should dramatically cut
down on cases where MATCHLIMIT is returned. See
http://seclists.org/nmap-dev/2009/q2/0086.html for a discussion. I
chose to only use .* in this patch even though .*? will be faster in
some cases. I felt the speed benefit of .*? did not outweigh the
relative obscurity of lazy quantifiers. I have some ideas on how to
audit matches for performance and some ideas on optimizations that can
be done. .*? and friends will have to wait.
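To make the two points above concrete (anchor every match, collapse repeated .* to one, and set the s modifier so .* can cross a newline), here is an added example that is not Nmap's code: a small Python parser for nmap-service-probes style match lines plus an audit that flags the patterns discussed. It assumes Python's re as a stand-in for PCRE, handles only the i and s modifiers, and uses a constructed two-line banner rather than a real capture.

```python
import re

# Parse "match <service> m<delim>regex<delim>[flags] ..." lines.
# Simplification: only the "i" and "s" modifiers are recognised.
MATCH_LINE = re.compile(r'^(match|softmatch)\s+(\S+)\s+m(.)(.*?)\3([is]*)')

def parse_match_line(line):
    """Return (service, pattern, modifiers) for one match line."""
    m = MATCH_LINE.match(line)
    if not m:
        raise ValueError("not a match line: %r" % line)
    _kw, service, _delim, pattern, mods = m.groups()
    return service, pattern, mods

def compile_pattern(pattern, mods):
    """PCRE's i/s modifiers map onto re.IGNORECASE / re.DOTALL here."""
    flags = 0
    if 'i' in mods:
        flags |= re.IGNORECASE
    if 's' in mods:
        flags |= re.DOTALL
    return re.compile(pattern, flags)

def audit_match_line(line):
    """List the performance/correctness warnings for one match line."""
    _service, pattern, mods = parse_match_line(line)
    warnings = []
    if not pattern.startswith('^') and not pattern.endswith('$'):
        warnings.append('unanchored')
    greedy = pattern.count('.*')
    if greedy > 1:
        warnings.append('multiple .* (collapse to one)')
    if greedy and 's' not in mods:
        warnings.append('.* without s modifier cannot cross newlines')
    return warnings

def banner_matches(line, banner):
    """True if the match line's regex matches the captured banner."""
    _service, pattern, mods = parse_match_line(line)
    return compile_pattern(pattern, mods).search(banner) is not None

# Constructed two-line SMTP-style banner, not a real capture.
BANNER = '220-mail.example.test\r\n220 ESMTP service ready\r\n'
GOOD = 'match smtp m|^220.*ESMTP service ready|s p/Example SMTP/'
BAD = 'match smtp m|^220.*ESMTP.*service.*ready| p/Example SMTP/'

if __name__ == '__main__':
    print(audit_match_line(BAD), banner_matches(BAD, BANNER))
    print(audit_match_line(GOOD), banner_matches(GOOD, BANNER))
```

The BAD line both backtracks more and silently fails on the multi-line banner; the GOOD line, with one anchored .* and the s modifier, matches it.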
nmap-service-probes. This replaces an incomplete set of specific match
lines, though a few of those have been retained where they might give
information on the OS or SSL implementation. There is also a new probe
that works against SSLv2-only servers. The patch is from Kristof
Boeynaems.
> Looking at our current nmap-service-probes, the first real probe for a
> TCP service on port 25 will be the "Hello" (which didn't exist at the
> time of the fingerprint above). So my suggestion would be to move the
> OpenBSD spamd signature to the bottom of the Hello probe SMTP
> signatures.