OpenVAS Change Request #40: find_service.c and NMAP service detection
Status: Voted +4. Done.
Purpose
To consider replacing the "C" plugin find_service.c with a NASL equivalent, and to make use of nmap's service detection capabilities.
References
Rationale
Currently, service detection is accomplished by the "C" plugin find_service.c, supplemented by the additional service detection plugins find_service1.nasl, find_service2.nasl and find_service_3digits.nasl.
It is a general goal to avoid, and where possible to replace, existing "C" plugins, as they cannot be updated except during updates of the daemon itself.
It is also a general objective to avoid duplication of effort where possible. nmap currently has, as of the 5.00 release, the ability to recognize 511 different services. This capability is currently completely unused in OpenVAS.
Effects
Two possible solutions exist.
- Completely replace find_service.c with nmap/NASL based equivalents.
- Freeze existing find_service.c development, and complement its capabilities with NASL-based detection, along with a NASL wrapper for nmap service detection.
The downside of completely replacing find_service.c is that it involves a non-trivial effort to replace, and then verify, that the signatures it currently detects would be handled correctly by a replacement mechanism such as nmap. Issues include naming differences between services (e.g. "irc-proxy" in nmap vs. "psybnc" in find_service.c) and potentially incomplete signatures (nmap fails to identify this author's POP3 server, reporting it only because it resides on a standard port, while find_service.c identifies it correctly).
An approach of freezing find_service.c and implementing nmap service detection in a separate wrapper would support the goal of leveraging nmap's service detection, and would allow updates between releases via NASL. It would also minimise the risk of misidentifying well-known services, as mentioned in the previous paragraph.
Design and Implementation
The implementation needs to establish the following changes:
- Create a new NASL wrapper for nmap service detection (perhaps called find_service_nmap.nasl). Specific pitfalls include avoiding forking (e.g. calls to get_kb_item() on a multi-valued key, in situations where hundreds or thousands of unknown services might exist), and updating the knowledge base as services are identified, so that identifications already made are not lost should the script be aborted early.
- Have the new script be dependent upon existing find_service* scripts such that it will only check services not yet identified by the time it runs. This will also minimize the chance of services being registered with different names than expected elsewhere.
- Change existing dependencies on find_service.nes to depend on find_service_nmap.nasl instead. Update: Not necessary. This only needs to be done for future scripts that make use of services not already successfully detected by the legacy service detection scripts. (It won't be harmful if it is changed, either.)
- Promote reporting of incomplete signature detection back to nmap (or to OpenVAS?) through appropriate security_note() entries in the generated reports. Update: Deferred to avoid cluttering reports.
- ? Should OpenVAS distribute its own version of the signature file with the feed? Update: Also deferred. May be added by adding "--datadir" to the nmap parameter list once it is known that we will distribute and maintain an up-to-date nmap signature list.
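The following is an added example sketching the wrapper described in the design notes above; it is not OpenVAS's own find_service_nmap.nasl. It assumes misc_func.inc provides register_service(), that the legacy find_service* scripts populate "Services/unknown" and "Known/tcp/<port>", that an nmap 5.00 or later binary is in the scanner's PATH, and that the script id is a placeholder to be assigned by the feed. It reads the unknown ports with get_kb_list() (get_kb_item() on a multi-valued key would fork once per value), probes them in small batches with nmap's grepable output, translates names that differ between nmap and the legacy scripts (the irc-proxy/psybnc case from above), and registers each batch as soon as it is parsed so an early abort keeps what was already identified.

```nasl
# Added example, not the OpenVAS project's code. Assumptions: misc_func.inc
# defines register_service(); find_service* fill "Services/unknown" and
# "Known/tcp/<port>"; nmap >= 5.00 is in PATH; script id is a placeholder.

if (description)
{
  script_id(999999);   # PLACEHOLDER: a real id must be assigned by the feed
  script_version("$Revision: 0 $");
  script_name("Service detection with nmap (NASL wrapper example)");
  script_description("Runs nmap -sV against ports left unidentified by the
legacy service detection scripts and registers what nmap recognises.");
  script_summary("nmap -sV on still-unknown services");
  script_category(ACT_GATHER_INFO);
  script_family("Service detection");
  script_copyright("Example code");
  # Run after the legacy detectors so only leftovers are probed, and not at
  # all when nothing was left unidentified.
  script_dependencies("find_service.nes", "find_service1.nasl",
                      "find_service2.nasl", "find_service_3digits.nasl");
  script_require_keys("Services/unknown");
  exit(0);
}

include("misc_func.inc");

# nmap names that differ from what the find_service* scripts register.
# irc-proxy/psybnc is the mismatch cited in the change request; http -> www
# follows the usual "Services/www" key. nmap prints "ssl/http" as "ssl|http"
# in grepable output. Extend this table as further mismatches are found.
name_map = make_array("irc-proxy", "psybnc",
                      "http",      "www",
                      "ssl|http",  "www");

# get_kb_list() returns all values at once and does not fork.
unknown = make_list(get_kb_list("Services/unknown"));
todo = make_list();
foreach p (unknown) {
  # Skip ports that another script identified in the meantime (single-valued
  # key, so this get_kb_item() call does not fork).
  if (get_kb_item("Known/tcp/" + p)) continue;
  todo = make_list(todo, p);
}
if (max_index(todo) == 0) exit(0);

# Probe in batches and write each batch to the KB as soon as it is parsed.
BATCH = 16;
for (start = 0; start < max_index(todo); start = start + BATCH) {
  spec = "";
  for (i = start; i < start + BATCH && i < max_index(todo); i++) {
    if (spec != "") spec += ",";
    spec += todo[i];
  }
  # -PN (nmap 5.00 spelling) skips host discovery; -oG - writes grepable
  # output to stdout.
  argv = make_list("nmap", "-sV", "-n", "-PN", "-p", spec, "-oG", "-",
                   get_host_ip());
  out = pread(cmd: "nmap", argv: argv);
  if (isnull(out)) continue;

  foreach line (split(out, keep: FALSE)) {
    if ("Ports:" >!< line) continue;
    # Grepable format, tab-separated fields; each port entry reads
    # port/state/proto/owner/service/rpcinfo/version/ and entries are
    # separated by ", ". Single quotes make NASL expand the \t escape.
    m = eregmatch(pattern: 'Ports: ([^\t]+)', string: line);
    if (isnull(m)) continue;
    foreach entry (split(m[1], sep: ", ", keep: FALSE)) {
      f = eregmatch(pattern: "^([0-9]+)/open/tcp/[^/]*/([^/]*)/",
                    string: entry);
      if (isnull(f) || f[2] == "" || f[2] == "unknown") continue;
      svc = f[2];
      # Drop nmap's low-confidence marker ("http?") and translate the name.
      svc = ereg_replace(pattern: "\?$", string: svc, replace: "");
      if (!isnull(name_map[svc])) svc = name_map[svc];
      register_service(port: int(f[1]), proto: svc);
    }
  }
}
```

The batch size is a trade-off: smaller batches write to the knowledge base sooner but cost one nmap process each, while a single run over thousands of ports would lose everything if the script timed out before nmap printed its summary. Names nmap reports with a trailing "?" are guesses, so a stricter variant could leave those ports unregistered instead of trusting them.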
History
- 2009-11-18 Thomas Reinke <reinke@securityspace.com>: Marked completed. Updated design/implementation notes.
- 2009-09-09 Michael Wiegand <michael.wiegand@intevation.de>: Updated status with voting results.
- 2009-08-07 Thomas Reinke <reinke@securityspace.com>: Initial text.
