From: Kevin J. <ke...@in...> - 2009-08-18 18:03:11
On Aug 17, 2009, at 6:58 PM, Ron wrote:

> Hi all,
>
> Today, me and one of our co-op students (Andrew, who I believe
> joined this list today) made significant improvements to the
> fingerprints file. I've attached the new version as a raw file, but
> let me know if a diff would be easier for you to work with.

A diff is always easier, but this works for now. We really appreciate all the work you are doing!

> We did the Pre-Auth/Post-Auth of a bunch of our security tools, then
> started scanning our network on Port 80. We found hundreds of
> printers, plus some server utilities, network cameras, network
> drives, network cdrom drives (weird!), and other miscellaneous
> stuff. We barely scratched the surface, though, we should be adding
> more in the near future.

Looking forward to it!

>
> In addition to the stuff we found on our network, we also made a
> couple minor changes to your fingerprints:
> 1) Fixed a spelling mistake ("imags" => "images")

Thanks!

> 2) Removed a check from the Sharepoint section, since it was
> pointing at a file that wasn't present on our install (the remaining
> checks detect our Sharepoints nicely, though)
>

We should put it back as I have seen files that appear on one but not another based on version, but if we don't know the exact version.....

> I mentioned in my previous reply that fingerprints should maybe all
> be ANDs, not ORs, but after collecting fingerprints I tend to
> disagree with my previous position. There are a lot of cases where
> we had to pick several images, some of which may or may not be
> present on the site page.

Makes sense.

>
> I still agree with the need for an AND scenario, though.
>
> There are some cases where we weren't sure how specific/general to
> get. Mainly, we have every version of HP printer you can imagine.
> For now, we separated them when possible into the different
> fingerprints, but it seems to me that the versions overlap a lot, so
> we might want to do one generic "HP Printer" section. Any thoughts
> on that? I noticed with your fingerprints, they were specific to the
> model of the printer.

I like the generic option for the overlap and then split out when needed.

>
> Another thing we noticed was that some applications use theming
> based on language. So, the most representative images we could find
> were in /en/ or /EN/. I'm guessing that could also be de/fr/es/etc,
> depending on the language. I'm not sure if you want to handle that
> in any special way, like adding a generic "2-digit-country-code" tag
> or something.

Something to think about....

Thanks
Kevin

Kevin Johnson
Senior Security Analyst
InGuardians, Inc.
office: 202.448.8958
cell: 904.403.8024
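The OR/AND matching, generic-plus-specific records and language-directory ideas discussed in this message, sketched as an added example (not code from the project or from either poster). The record layout, the `{lang}` placeholder and every path are hypothetical and constructed for illustration.

```python
import re

# Hypothetical fingerprint records; layout and paths are constructed for
# illustration and are not the project's fingerprints file format.
#   "any": at least one path must be present (OR)
#   "all": every path must be present (AND)
#   "{lang}": stands for a two-letter language directory (en, EN, de, fr, ...)
FINGERPRINTS = [
    {"name": "HP Printer (generic)",
     "any": ["/{lang}/images/banner.gif", "/images/printer_logo.gif"]},
    {"name": "HP Printer (model A)",
     "all": ["/images/printer_logo.gif", "/images/model_a.gif"]},
]

LANG_DIR = "[A-Za-z]{2}"

def path_regex(path):
    """Escape the literal parts of a path and expand {lang} to two letters."""
    literal_parts = [re.escape(part) for part in path.split("{lang}")]
    return re.compile(LANG_DIR.join(literal_parts))

def present(path, observed):
    """True if any observed path matches the fingerprint path exactly."""
    rx = path_regex(path)
    return any(rx.fullmatch(seen) for seen in observed)

def matches(fp, observed):
    any_paths, all_paths = fp.get("any", []), fp.get("all", [])
    if not any_paths and not all_paths:
        return False  # an empty record must not match every host
    all_ok = all(present(p, observed) for p in all_paths)
    any_ok = not any_paths or any(present(p, observed) for p in any_paths)
    return all_ok and any_ok

def identify(observed):
    """Return the names of all fingerprints that the observed paths satisfy."""
    return [fp["name"] for fp in FINGERPRINTS if matches(fp, observed)]

if __name__ == "__main__":
    # Constructed observations: paths that returned content on three hosts.
    print(identify({"/de/images/banner.gif"}))
    print(identify({"/images/printer_logo.gif", "/images/model_a.gif"}))
    print(identify({"/eng/images/banner.gif"}))
```

A host that satisfies the model-specific AND record also satisfies the generic OR record, so a consumer of `identify` can report the most specific name and fall back to the generic one.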