From: Josh Richard (jrichar4@d.umn.edu)
Date: Fri Aug 22 2003 - 12:56:47 CDT
I think you are incorrect on your user agent for Mozilla browsers.
The pattern match matches a long string that contains the os.
I pattern match on =~ /Windows/
non /Windows/ boxes are not scanned (and not logged <-- this can be done
easily).
Here are some log entries...
<ip> -- Mozilla/4.79 [en] (Windows NT 5.0; U) -- Not Vulnerable -- Fri Aug 22 12:28:57 CDT 2003
<ip> -- Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322) -- Not Vulnerable -- Fri Aug 22 12:29:39 CDT 2003
<ip> -- Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0.2) Gecko/20030208 Netscape/7.02 -- TIMEOUT pid: 31728 -- Fri Aug 22 12:30:06 CDT 2003
Browsers used in the above test sequence are:
Netscape 4.79
IE 6
Netscape 7
Where <ip> is the ip of the connecting host (same box in each test).
Notice the last entry, it states TIMEOUT. I activated Tiny Personal
Firewall on the connecting host before the test. The code reacts after
3 seconds of non-response from the host by redirecting them to either
register or a page indicating that we could not detect they are patched,
and kills the pid. This may need to change from alarm(3) to something
else if things get busy and the box slows down (maybe alarm(5) not sure
now). The alarm handler was added instead of using system("...")
because newdcom_scanz took 3 minutes to timeout on the particular box
and therefore the redirection took about 3 minutes.
Here are log entries of skipped hosts:
<ip> -- Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.0.1) Gecko/20020920 Netscape/7.0 -- Not Vulnerable, not scanned -- Fri Aug 22 12:42:39 CDT 2003
<ip> -- check_http/1.24 (nagios-plugins 1.3.0) -- Not Vulnerable, not scanned -- Fri Aug 22 12:45:42 CDT 2003
<ip> -- Mozilla/4.0 (compatible; MSIE 5.21; Mac_PowerPC) -- Not Vulnerable, not scanned -- Fri Aug 22 12:45:47 CDT 2003
Browsers used in the above test sequence are:
Netscape 7 (sun os 8)
nagios check_http plugin (we monitor the webserver with nagios, this is also why I do not log non scanned hosts, nagios checks a lot ;))
IE on MAC OSX
I hope this clears things up.
Josh
King, Michael wrote:
>Have you tried this on Mozilla based browsers? I believe they return the
>user agent as "WinNT" as opposed to "Windows NT 5.0" and "Windows NT 5.1"
>
>I'm currently working on a batch file that will install SP4, and then the
>RPC patch. On the machines I've tested with, if you install SP4, without
>rebooting, the RPC patch will still take. The RPC patch requires you to be
>at SP2 or above.
>
>When I get it a little more polished, I can provide it here. (It's real
>short, I'm sure most people could bang it together)
>
>Mike
>
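
A sketch of the flow this message describes (match the User-Agent on /Windows/, run the scanner under a 3-second alarm, kill the pid on timeout), added here as an example and not Josh's code. The stand-in commands, the exit-status convention and the "Vulnerable" label are assumptions; the log layout follows the entries in the message.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use POSIX qw(strftime _exit);

my $TIMEOUT = 3;    # seconds; the message suggests 5 may be needed on a busy box

# Scan only clients whose User-Agent mentions Windows.
sub should_scan {
    my ($ua) = @_;
    return (defined $ua && $ua =~ /Windows/) ? 1 : 0;
}

# Run the scanner as a child so a silent host cannot stall the redirect.
# Assumption: exit status 0 means patched, anything else means vulnerable.
sub scan_with_timeout {
    my ($timeout, @cmd) = @_;
    my $pid = fork();
    die "fork failed: $!" unless defined $pid;
    if ($pid == 0) { exec(@cmd) or _exit(127); }
    my $status = eval {
        local $SIG{ALRM} = sub { die "timeout\n" };
        alarm $timeout;
        waitpid($pid, 0);    # interrupted by SIGALRM if the host never answers
        alarm 0;
        $? >> 8;
    };
    if (defined $status) {
        return $status == 0 ? 'Not Vulnerable' : 'Vulnerable';
    }
    alarm 0;
    die $@ unless $@ eq "timeout\n";
    kill 'KILL', $pid;       # do not leave the scanner running
    waitpid($pid, 0);        # reap it so no zombie is left behind
    return "TIMEOUT pid: $pid";
}

# Constructed samples: user agents from the log entries above, with stand-in
# commands (hypothetical) in place of the real scanner invocation.
my @samples = (
    ['Mozilla/4.79 [en] (Windows NT 5.0; U)', ['sh', '-c', 'exit 0']],
    ['Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0.2) Gecko/20030208 Netscape/7.02', ['sleep', '10']],
    ['check_http/1.24 (nagios-plugins 1.3.0)', undef],
);
for my $s (@samples) {
    my ($ua, $cmd) = @$s;
    my $result = should_scan($ua) ? scan_with_timeout($TIMEOUT, @$cmd)
                                  : 'Not Vulnerable, not scanned';
    my $date = strftime('%a %b %d %H:%M:%S %Z %Y', localtime);
    print "<ip> -- $ua -- $result -- $date\n";
}
```

Because the child is killed and reaped inside the handler path, the web request returns after at most `$TIMEOUT` seconds regardless of how long the scanner itself would wait.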
This archive was generated by hypermail 2.1.4 : Thu Aug 12 2004 - 12:01:40 CDT