
Sonar / CPE updates #279

Merged
merged 9 commits into from
Jul 23, 2020

Conversation

tsellers-r7
Contributor

@tsellers-r7 tsellers-r7 commented Jul 22, 2020

Description

This PR:

  1. Adds coverage for a few new services
  2. Adds/adjusts service.vendor and/or service.product where necessary to enable CPE auto-generation using NIST issued CPE values. This significantly improves the number of services on the Internet that we will have CPEs for. For example, from recent Project Sonar FTP studies the following fingerprints did not have CPEs:
Count       Fingerprint description text
2,945,424   "Pure-FTPd versions >= 1.0.14 - Config data can be zero or more of: [privsep] [TLS]"
  625,091   "vsFTPd (Very Secure FTP Daemon)"
   20,529   "Serv-U Serv-U with version on Windows"
    6,224   "vsFTPd (Very Secure FTP Daemon) error message"
    5,104   "Basic Pure-FTPd banner, no version"
      764   "vsFTPd (Very Secure FTP Daemon) extended build (vsftpd.devnet.ru)"
      103   "vsFTPd (Very Secure FTP Daemon) - break me variant"

For 53/udp DNS data, metrics on fingerprinted services that did not have CPE values:

Count     Fingerprint description text
986,657  "NLnet Labs Name Server Daemon"
 16,201  "NLnet Labs Unbound"
  2,016  "Knot DNS"
    990  "NLnet Labs Unbound no version string"

For 25/tcp SMTP data, metrics on fingerprinted services that did not have CPE values:

Count      Fingerprint description text
  933,600  "Postfix - generic banner"
  315,820  "Postfix - Ubuntu"
  267,531  "Postfix - Debian"
  138,611  "Sendmail - optional timezone and timestamp, w/o OS"
  110,246  "Sendmail - short banner w/o hostname, version, platform, or date."
   13,737  "Postfix - banner without hostname or version"
   11,733  "Postfix - generic banner with amusing comments in parentheses"
    7,888  "Sendmail - with date, w/o version or platform, optional status string."
    7,590  "Postfix - Ubuntu, Mail-in-a-Box package"
    6,816  "Sendmail - Debian 7.x (wheezy)"
    4,766  "Sendmail - with timezone and timestamp, w/o timezone offset or OS"
    3,178  "Postfix - Std semantic versioning, w/ optional parens"
    3,167  "IBM Domino SMTP MTA"
    3,145  "Communigate Pro"
    2,703  "Sendmail - Debian patch only"

For 110/tcp POP3 data, metrics on fingerprinted services that did not have CPE values:

Count      Fingerprint description text
3,092,531  "Dovecot Secure POP Server"

For 143/tcp IMAP data, metrics on fingerprinted services that did not have CPE values:

Count      Fingerprint description text
3,104,118 "Dovecot Secure IMAP Server"
  308,033 "Courier MTA IMAP"
   14,883 "CMU Cyrus IMAP"
      143 "CMU Cyrus IMAP on Mac OS X"

Motivation and Context

Improved coverage

How Has This Been Tested?

rspec, local testing.

Types of changes

Content update

Checklist:

  • I have updated the documentation accordingly (or changes are not required).
  • I have added tests to cover my changes (or new tests are not required).
  • All new and existing tests passed.
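The mechanism the PR description relies on (constant `service.vendor`/`service.product` params plus a captured `service.version` feeding a `service.cpe23` value in the `cpe:/a:vendor:product:version` URI form) is modelled below as an added example in Ruby, Recog's own language. This is not Recog's code and not part of the PR: the fingerprints, regexes, banners and the `CPE_REMAP` table are constructed for illustration, and the NIST vendor/product names in the table are assumptions rather than verified dictionary entries. It also goes one step beyond the page by showing the two failure modes a remap has to handle: a version-less banner (the "no version" fingerprints in the counts above) and a product with no NIST CPE at all (the FileZilla Server case discussed further down).

```ruby
# Added example (not Recog's own code): a minimal model of how Recog-style
# fingerprint params feed CPE auto-generation. Everything below is constructed
# for illustration; the NIST vendor/product names are assumed, not verified.

# Constructed remap table: (service.vendor, service.product) -> NIST (vendor, product).
# A nil entry records "no NIST CPE exists" rather than guessing one.
CPE_REMAP = {
  ['NLnet Labs', 'dnsd']                    => ['nlnetlabs', 'name_server_daemon'],
  ['vsftpd', 'vsFTPd']                      => ['vsftpd_project', 'vsftpd'],
  ['Pure-FTPd', 'Pure-FTPd']                => ['pureftpd', 'pure-ftpd'],
  ['Filezilla-Project', 'FileZilla Server'] => nil,
}.freeze

# Constructed fingerprints. Each param is [position, value]: position 0 is a
# constant (pos="0" in Recog XML), position N takes regex capture group N.
FINGERPRINTS = [
  {
    name: 'vsFTPd banner with version',
    regex: /\A220 \(vsFTPd (\d+\.\d+\.\d+)\)\z/,
    params: {
      'service.vendor'  => [0, 'vsftpd'],
      'service.product' => [0, 'vsFTPd'],
      'service.version' => [1, nil],
    },
  },
  {
    name: 'Basic Pure-FTPd banner, no version',
    regex: /\A220-+ Welcome to Pure-FTPd(?: \[privsep\])?(?: \[TLS\])? -+\z/,
    params: {
      'service.vendor'  => [0, 'Pure-FTPd'],
      'service.product' => [0, 'Pure-FTPd'],
    },
  },
  {
    name: 'NSD version.bind reply',
    regex: /\ANSD (\d+\.\d+\.\d+)\z/,
    params: {
      'service.vendor'  => [0, 'NLnet Labs'],
      'service.product' => [0, 'dnsd'],
      'service.version' => [1, nil],
    },
  },
  {
    name: 'FileZilla Server banner',
    regex: /\A220-FileZilla Server (?:version |v)?(\d+\.\d+\.\d+[a-z]?(?: beta)?)\z/,
    params: {
      'service.vendor'  => [0, 'Filezilla-Project'],
      'service.product' => [0, 'FileZilla Server'],
      'service.version' => [1, nil],
    },
  },
].freeze

# Percent-encode a CPE 2.2 URI component (keeps unreserved characters only).
def cpe_component(value)
  value.gsub(/[^A-Za-z0-9._~-]/) { |c| c.bytes.map { |b| format('%%%02X', b) }.join }
end

# Apply one fingerprint to a banner; returns the filled param hash, or nil on no match.
def match_fingerprint(fp, banner)
  md = fp[:regex].match(banner)
  return nil unless md

  result = { 'matched' => fp[:name] }
  fp[:params].each do |key, (pos, value)|
    result[key] = pos.zero? ? value : md[pos]
  end
  result
end

# Derive service.cpe23 from vendor/product via the remap plus the captured version.
# Returns nil when no NIST CPE is known, so a CPE is never invented.
def generate_cpe(result)
  remap = CPE_REMAP[[result['service.vendor'], result['service.product']]]
  return nil unless remap

  vendor, product = remap
  cpe = "cpe:/a:#{cpe_component(vendor)}:#{cpe_component(product)}"
  version = result['service.version']
  # Omit the version component when nothing was captured: in the URI form an
  # absent component means ANY, which is the honest claim for a version-less banner.
  cpe += ":#{cpe_component(version)}" if version && !version.empty?
  cpe
end

# Run every fingerprint against a banner and attach a CPE where one can be derived.
def fingerprint_banner(banner)
  FINGERPRINTS.each do |fp|
    result = match_fingerprint(fp, banner)
    next unless result

    cpe = generate_cpe(result)
    result['service.cpe23'] = cpe if cpe
    return result
  end
  nil
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample banners, including one that matches nothing.
  [
    '220 (vsFTPd 3.0.3)',
    '220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------',
    'NSD 4.3.1',
    '220-FileZilla Server version 0.9.41 beta',
    '220 ProFTPD Server ready.',
  ].each do |banner|
    r = fingerprint_banner(banner)
    summary = r ? (r['service.cpe23'] || "no CPE (#{r['matched']})") : 'no match'
    puts "#{banner.inspect} => #{summary}"
  end
end
```

The design point is in `generate_cpe`: the remap table, not the fingerprint, is the source of truth for NIST names, and a product that has no entry yields no CPE at all rather than a made-up one. That is the behaviour the FileZilla Server fingerprints need until NIST assigns a CPE, and it is why a version-less banner still gets a vendor/product CPE without a bogus version component.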

@@ -463,6 +505,7 @@ more text</example>
<example service.version="0.9.13a beta">FileZilla Server version 0.9.13a beta</example>
<example service.version="0.9.54 beta">FileZilla Server 0.9.54 beta</example>
<example service.version="0.9.33 beta">FileZilla Server v0.9.33 beta</example>
<param pos="0" name="service.vendor" value="Filezilla-Project"/>
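Review bot: the new service.vendor param is added on its own, with no service.product beside it, so it cannot drive CPE auto-generation by itself, and the value "Filezilla-Project" uses mixed case while NIST CPE vendor strings are lowercase ("filezilla-project"); confirm the remap compares vendor values case-insensitively or use the lowercase form here. Since there is no NIST CPE for the server product yet, an XML comment next to this param stating that (and that a request to NIST is pending) would stop a later contributor from wiring these fingerprints to the FileZilla client CPE by mistake.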
Contributor Author

@tsellers-r7 tsellers-r7 Jul 22, 2020


There is no NIST issued CPE value for the Filezilla FTP server. This change just aligns the vendor value with the vendor in the existing NIST CPEs for the client.

Update: I have reached out to NIST about assigning a CPE. I was able to find 6 related CVEs.

@tsellers-r7 tsellers-r7 requested review from gwiseman-r7, rkirk-r7, bcook-r7 and a user July 22, 2020 14:35
@@ -516,6 +516,7 @@
<param pos="0" name="service.family" value="NSD"/>
<param pos="0" name="service.product" value="dnsd"/>
<param pos="1" name="service.version"/>
<param pos="0" name="service.cpe23" value="cpe:/a:nlnetlabs:name_server_daemon:{service.version}"/>
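Review bot: the cpe23 value interpolates {service.version} from the pos="1" capture, so if the regex for this fingerprint (not shown in the hunk) ever matches without capturing a version the generated value ends in a trailing ":" and is not a usable CPE; confirm the capture group is mandatory, or handle the version-less case the way the separate "no version string" fingerprints do. Note also that service.product here is "dnsd" while the CPE product is "name_server_daemon"; since the remap is what bridges the two, a short XML comment recording that mapping would make the hard-coded CPE easier to audit.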
Contributor Author


This change alone, via the cpe-remap change, added CPEs for over a million matches from our recent DNS study and so I wanted to get it in now.

@tsellers-r7 tsellers-r7 merged commit 7e98af5 into rapid7:master Jul 23, 2020
@tsellers-r7 tsellers-r7 deleted the sonar_updates branch January 20, 2021 23:07