English | Deutsch
Home »

OpenVAS Change Request #43: NMAP based service detection

Status: In Progress.

Purpose

  1. To consider replacing "C" plugin find_service.c with a NASL equivalent, and to make use of the NMAP's service detection capabilities. This is an extension to CR #40.
  2. Extend NVT feed to distribute NMAP's service db files

References

OpenVAS Change Request #40: find_service.c and NMAP service detection

Rationale

Currently, service detection is accomplished by "C" plugin find_service.c, and is supplemented with additional service detection plugins find_service1.nasl, find_service2.nasl and find_service_3digits.nasl. It is a general goal to avoid, and if possible, to replace existing "C" plugins as they cannot be updated except during updates of the actual daemon.

Once the C based plugin is replaced with NMAP based service detection, the service db file of NMAP, as and when there's an update, should also be provided with OpenVAS NVT feed. This will ensure that service detection is seamlessly addressed, without user intervention.

Effects

The idea is to completely replace find_service.c with nmap/NASL based equivalents. There may be certain services where find_service.c fares better compared to NMAP. A thorough review exercise has to be carried out and a fall back mechanim may be needed for some time till NMAP addresses any such issues identified during review.

Completely relying on NMAP for service detection induces permanent dependency on an external tool. And NVT feed will contain an additional service db file from NMAP, which may be seen as an external component.

Design and Implementation

  1. Replacement of find_service.c:

    Review service detection logic for each service in find_service.c and find an equivalent in NMAP.

        - if an equivalent is present, the one in the find_service.c can be
          removed. Also, any place where the corresponding Service KB is being
          used, the new kb from NMAP should be used.
        - if the find_service.c has a detection that is not present in NMAP,
          consider updating the NMAP db if possible or open a discussion on the
          NMAP mailing list.
        - Till the time there's an equivalent solution available through NMAP,
          retain find_service.c for those specific modules.
    

  2. Update find_service_nmap.nasl

    Updated the above module to launch service detection for all services by default and not just unknown services. This will become the de facto service detection module for OpenVAS apart from few other NASL's that already exist like find_service1.nasl, find_service2.nasl and find_service_3digits.nasl. These modules will be retained based on their ability to do better than NMAP.

  3. Service db distribution

    nmap-services and nmap-service-probes files will be distributed as part of OpenVAS NVT feed and find_service_nmap.nasl will be updated with --datadir options to point to these distrbutions. This will give option to add/delete service probes and also sign the db's.

History