matching the sendmail version

From: Steven Procter (stevenat_private)
Date: Mon Mar 03 2003 - 15:16:10 PST


    How about the following.  It breaks the RE into 2 pieces so it is
    easier to read.  This seems like a reasonable thing to do since the
    sendmail and sendmail switch versions appear to be unrelated.  And it
    only allows white space between "Sendmail" and the version, so that
    things that look like sendmail version information in other parts of
    the banner don't generate false positives.
    
    --Steven
    
    if(banner)
    {
      # Sendmail 5.x-7.x, 8.0-8.9, 8.10.x, 8.11.x and 8.12.0-8.12.7
      re_sendmail = "Sendmail[ \t]*(\/|UCB | )([5-7]\.|8\.([0-9](\.|;|$)|1[01]\.|12\.[0-7](\/| |\.|\+)))";
      # Sendmail Switch 1.x, 2.0.x and 2.1.0-2.1.4
      re_switch = "Sendmail[ \t]*Switch\-((1\.)|(2\.(0\.|1\.[0-4])))";
    
      # Previous single-pattern check, left commented out:
    # if(ereg(pattern:".*sendmail.*8\.((11\.[0-5])|12.*beta([0-9][^0-9]|1[0-8]))/.*", string:banner, icase:TRUE))
    
      if(ereg(pattern:re_sendmail, string:banner, icase:TRUE))
        security_hole(port);
    
      if(ereg(pattern:re_switch, string:banner, icase:TRUE))
        security_hole(port);
    }
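
An added example, not part of the original message: the two patterns above run over constructed banners to show which versions they flag and how the whitespace-only anchoring avoids a match on a version elsewhere in the banner. Python's `re.search` stands in for NASL's `ereg()` (an assumption), and `RE_LOOSE`, the banner strings and the function names are hypothetical.

```python
import re

# Version alternation copied from re_sendmail in the message above.
VULN = r"(\/|UCB | )([5-7]\.|8\.([0-9](\.|;|$)|1[01]\.|12\.[0-7](\/| |\.|\+)))"
RE_SENDMAIL = re.compile(r"Sendmail[ \t]*" + VULN, re.I)
RE_SWITCH = re.compile(r"Sendmail[ \t]*Switch\-((1\.)|(2\.(0\.|1\.[0-4])))", re.I)
# Hypothetical loose variant (not from the message): anything may sit
# between "Sendmail" and the version, which is what the anchoring avoids.
RE_LOOSE = re.compile(r"Sendmail.*" + VULN, re.I)

# Constructed sample banners (not captured from real hosts).
PREFIX = "220 mx.example.test ESMTP Sendmail "
BANNERS = {
    "v8.9.3": PREFIX + "8.9.3; ready",
    "v8.12.7": PREFIX + "8.12.7+Sun/8.12.7; ready",
    "v8.12.8": PREFIX + "8.12.8/8.12.8; ready",
    # 8.12.10 must not be read as 8.12.1: the trailing delimiter prevents it.
    "v8.12.10": PREFIX + "8.12.10/8.12.10; ready",
    # Newer binary, older version string after the slash.
    "mixed": PREFIX + "8.12.8/8.11.6; ready",
    "switch_2.1.3": PREFIX + "Switch-2.1.3/Switch-2.1.0; ready",
    "switch_2.2.5": PREFIX + "Switch-2.2.5/Switch-2.2.5; ready",
}


def classify(banner):
    """Return the names of the anchored patterns that flag this banner."""
    hits = []
    if RE_SENDMAIL.search(banner):
        hits.append("sendmail")
    if RE_SWITCH.search(banner):
        hits.append("switch")
    return hits


def loose_only(banners):
    """Names of banners the loose variant flags but the anchored one does not."""
    return sorted(name for name, b in banners.items()
                  if RE_LOOSE.search(b) and not RE_SENDMAIL.search(b))


if __name__ == "__main__":
    for name, b in BANNERS.items():
        print(f"{name:14} {classify(b) or 'not flagged'}")
    print("flagged only by the loose variant:", loose_only(BANNERS))
```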
    



    This archive was generated by hypermail 2b30 : Mon Mar 03 2003 - 15:13:05 PST