CPE Updates #267
CPE Updates #267
Conversation
|
FYI @hdm I've changed quite a bit here... |
| <param pos="0" name="service.family" value="Pi-hole"/> | ||
| <param pos="0" name="service.product" value="Pi-hole"/> | ||
| <param pos="1" name="service.version"/> | ||
| <param pos="0" name="service.cpe23" value="cpe:/a:pi-hole:pi-hole:{service.version}"/> |
There was a problem hiding this comment.
FYI @brudis-r7 - This fingerprint has changed quite a bit.
| <param pos="0" name="service.family" value="NetScaler"/> | ||
| <param pos="0" name="service.device" value="Network Management Device"/> | ||
| <param pos="0" name="service.product" value="NetScaler"/> | ||
| <param pos="0" name="service.cpe23" value="cpe:/a:citrix:netscaler:-"/> | ||
| </fingerprint> |
There was a problem hiding this comment.
FYI @brudis-r7 - This fingerprint has changed quite a bit.
There was a problem hiding this comment.
This should probably assert os/hw like the rest of them
| <param pos="0" name="service.device" value="Network Management Device"/> | ||
| <param pos="0" name="service.product" value="NetScaler"/> | ||
| <param pos="1" name="service.version"/> | ||
| <param pos="0" name="service.cpe23" value="cpe:/a:citrix:netscaler:{service.version}"/> |
There was a problem hiding this comment.
FYI @brudis-r7 - This fingerprint has changed quite a bit.
There was a problem hiding this comment.
OS fields need to be re-added. Add service too, but we can't remove OS without breaking things.
xml/ntp_banners.xml
Outdated
| <param pos="2" name="os.arch"/> | ||
| <param pos="3" name="os.version"/> | ||
| <param pos="0" name="os.cpe23" value="cpe:/o:freebsd:freebsd:{os.version}"/> |
There was a problem hiding this comment.
FYI @brudis-r7 - This fingerprint has changed quite a bit.
|
@hdm I can fix that. It does pass tests, etc. |
| <param pos="0" name="os.family" value="NetScaler"/> | ||
| <param pos="0" name="os.device" value="Network Management Device"/> | ||
| <param pos="0" name="os.product" value="NetScaler"/> | ||
| <param pos="0" name="service.vendor" value="Citrix"/> |
There was a problem hiding this comment.
This removes the OS assert, it should not. This should probably assert HW too.
There was a problem hiding this comment.
I can assert that as FreeBSD
There was a problem hiding this comment.
It should be asserted as what it was before, not FreeBSD (its a custom OS)
There was a problem hiding this comment.
This one in particular is a big deal, as we use the os and hw fields to set the device type and hardware type. Folks trying to find their possibly-exploitable NetScalers need this fingerprint to remain how it was (from our perspective).
There was a problem hiding this comment.
Yup, I can definitely sort this out. I'll try to review everywhere Netscaler exists and try to make it consistent.
There was a problem hiding this comment.
@hdm - I'm going to sort this out this morning. RE: hardware assertions - there are virtual Netscalers. I'm not sure if we have an established policy on how to handle hw.* vs virtual machines. I'm leaning towards going ahead an using it here. Any thoughts?
| </fingerprint> | ||
|
|
There was a problem hiding this comment.
Line breaks between fingerprints makes them much more readable, I guess you disagree?
There was a problem hiding this comment.
The automation removes it.
There was a problem hiding this comment.
OK, we can address in a future PR to auto-newline after each fingerprint, and update the automation to match, if yall agree.
There was a problem hiding this comment.
I've no issues with adding line breaks.
| <param pos="2" name="os.version"/> | ||
| <param pos="0" name="os.product" value="NetScaler"/> | ||
| <param pos="1" name="os.version"/> | ||
| <param pos="2" name="os.version.version"/> |
There was a problem hiding this comment.
@hdm @gwiseman-r7 - FYI, I've changed this fingerprint so as to return os.version that is consistent with other Netscaler fingerprints that return that same value. In doing so, I've made the fingerprint more specific by adding NS in ^NetScaler NS. In my surveys I don't see a banner without that NS.
The build number being captured in os.version.version should match what is found here: https://support.citrix.com/article/CTX121840#NS13
Any objections?
|
This all looks good here, thanks! |
Description
This PR:
Updates the CPE data per the instructions found here: https://github.com/rapid7/recog/blob/master/CONTRIBUTING.md#updating-cpes
Manually adjusts the
descriptionof a Ubuntu and Debian MySQL banners to be a bit more consistent.Motivation and Context
Improved CPE output.
How Has This Been Tested?
rspecrake testsTypes of changes
Checklist: