
OpenVAS Change Request #40: find_service.c and NMAP service detection

Status: Voted +4. Done.


To consider replacing the "C" plugin find_service.c with a NASL equivalent, and to make use of nmap's service detection capabilities.



Currently, service detection is accomplished by the "C" plugin find_service.c, supplemented by the additional service detection plugins find_service1.nasl, find_service2.nasl and find_service_3digits.nasl.

It is a general goal to avoid "C" plugins and, where possible, to replace existing ones, because they can only be updated when the daemon itself is updated.

It is also a general objective to avoid duplication of effort where possible. nmap currently has, as of the 5.00 release, the ability to recognize 511 different services. This capability is currently completely unused in OpenVAS.


Two possible solutions exist.

  1. Completely replace find_service.c with nmap/NASL-based equivalents.
  2. Freeze existing find_service.c development, and complement its capabilities with NASL-based detection, along with a NASL wrapper for nmap service detection.

The downside of completely replacing find_service.c is the non-trivial effort needed to replace it and to verify that the signatures it currently detects would be handled correctly by a replacement mechanism such as nmap. Issues include naming differences between services (e.g. "irc-proxy" in nmap versus "psybnc" in find_service.c) and potentially incomplete signatures (nmap fails to identify this author's POP3 server, instead identifying it only because it resides on a standard port, while find_service.c correctly identifies it).

Freezing find_service.c and implementing nmap service detection in a separate wrapper would support the goal of leveraging nmap's service detection, and would allow updates between releases via NASL. It would also minimize the risk of misidentifying well-known services, as mentioned in the previous paragraph.
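The following sketch illustrates the two issues above and the "complement, do not replace" approach. It is an added example in Python, not OpenVAS or NASL code from this change request. It assumes nmap's XML output (`-sV -oX`), where each `<service>` element carries `method="probed"` for a signature match or `method="table"` for a guess from the port number; the function names, the sample XML and the merge policy are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV -oX -` output (not from a real scan).
SAMPLE_XML = """<nmaprun><host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="110"><state state="open"/>
  <service name="pop3" method="table" conf="3"/></port>
<port protocol="tcp" portid="6667"><state state="open"/>
  <service name="irc-proxy" product="psyBNC" method="probed" conf="10"/></port>
<port protocol="tcp" portid="8080"><state state="closed"/>
  <service name="http-proxy" method="table" conf="3"/></port>
</ports></host></nmaprun>"""

# nmap name -> find_service.c name. Only the pair named in the text above;
# any further entries would have to be verified one by one.
NAME_MAP = {"irc-proxy": "psybnc"}


def parse_nmap_services(xml_text):
    """Return {(proto, port): (service_name, probed)} for open ports only."""
    results = {}
    for port in ET.fromstring(xml_text).iter("port"):
        state, svc = port.find("state"), port.find("service")
        if state is None or svc is None or state.get("state") != "open":
            continue
        name = svc.get("name")
        # "table" means nmap only looked the port number up in nmap-services.
        probed = svc.get("method") == "probed"
        key = (port.get("protocol"), int(port.get("portid")))
        results[key] = (NAME_MAP.get(name, name), probed)
    return results


def merge(existing, nmap_results):
    """Assumed policy: results already registered (e.g. by find_service.c)
    win; nmap only fills gaps, and only with signature-based matches."""
    merged = dict(existing)
    for key, (name, probed) in nmap_results.items():
        if probed and key not in merged:
            merged[key] = name
    return merged


if __name__ == "__main__":
    found_by_find_service = {("tcp", 110): "pop3"}  # constructed prior result
    print(merge(found_by_find_service, parse_nmap_services(SAMPLE_XML)))
```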

Design and Implementation

The implementation needs to establish the following changes: