Feature request - better matching of hostnames

I'm creating a .xsl file to convert report output from a tool to MagicTree. Once finished, I will send it to you to include it in MagicTree.

Unfortunately, this tool is a web application vulnerability scanner and does not have the IP address in any of its reports.

I can create however a correct host section with missing IP address (aargghh, your filter makes it impossible to include XML):

[host]
[hostname]my.host.name[/hostname]
[ipproto]tcp
...

This will be correctly imported, but not merged with existing data, such as the following existing data:

[host]192.168.1.234
[hostname]my.host.name[/hostname]
...

I believe MagicTree should be intelligent enough to merge these results based on the hostname being the same.

Is it possible to implement this?

Many thanks,

Herman
http://blog.astyran.sg

Hi Herman,

Thanks for asking.

Unfortunately, what you are asking for is not possible, or at least I don't know how to do it.

I'll explain why.

I understand that what you suggest is: if the data we are importing does not contain the IP address of the host, look for host name. If the host name is known, see if this hostname already exists in the tree, and if it does, modify the existing [host] node to use DNS name instead of IP address and transform the import data, so that it also has a [host] name with the DNS name.

I feel that this isn't right. Firstly, the results of data import should not depend on what's already in the tree. You should get exactly the same data, independently of in what order you import files.

Secondly, the merge process does not use any knowledge about the data semantics. It acts exactly the same on hosts, ports, findings, foobars, whatever. Modifying it to give special treatment to [host] elements is, in my opinion, wrong.

Finally, it may produce plain broken results. If you have mismatched DNS records, so that forward and reverse lookups do not match, you may end up with findings under wrong hostnames, not because the original tool misreported it, but because MagicTree mangled the data. This is something we want to avoid at all costs. "Garbage in, garbage out" we can't avoid, but "good data in, garbage out" won't do.

Now, the good news is that I have already run into the same problem, that web app scanners do not output IP addresses. My solution for it is using a [webapp] as the top-level element.

So, your structure should be something like this:
[webapp]http://my.host.name:12345/whatever/
[url]http://my.host.name:12345/whatever/test.php
[finding class="MtTextObject" title="PHP Info script found"]
PHP info script was found at .... phpinfo() function discloses information ...
[/finding]
[/url]
[/webapp]

This won't merge with [host] element coming from another scanner, but that's the best we can do.

You might also contact the authors of the tool and ask them nicely if they can put the IP address in the XML. It often works. :)

Regards,
Alla
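
The [webapp] / [url] / [finding] layout from the reply above, generated as real XML from scanner rows. This is an added example, not code from the thread or from MagicTree; it assumes the square brackets in the posts stand in for angle brackets, the function names and sample rows are constructed, and it emits only the webapp fragment, not any enclosing elements a MagicTree import file may need.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample input: (url, title, description) rows as a web scanner might report them.
SAMPLE_FINDINGS = [
    ("http://my.host.name:12345/whatever/test.php", "PHP Info script found",
     "phpinfo() output is reachable <no auth required>."),
    ("http://my.host.name:12345/whatever/test.php", "Verbose error messages",
     "Stack trace & file paths are disclosed."),
    ("http://my.host.name:12345/whatever/admin/", "Directory listing enabled",
     "An index of the directory is returned."),
]


def build_webapp(root_url, findings):
    """Return a webapp element with one url child per distinct URL and its findings below it."""
    root = urlsplit(root_url)
    webapp = ET.Element("webapp")
    webapp.text = root_url  # the node value is the application URL, no IP address needed
    url_nodes = {}
    for url, title, description in findings:
        parts = urlsplit(url)
        same_origin = (parts.scheme, parts.netloc) == (root.scheme, root.netloc)
        # Refuse rows from another application rather than filing them under the wrong node.
        if not same_origin or not parts.path.startswith(root.path):
            raise ValueError(f"{url} is not under {root_url}")
        node = url_nodes.get(url)
        if node is None:  # several findings on one URL share a single url node
            node = ET.SubElement(webapp, "url")
            node.text = url
            url_nodes[url] = node
        finding = ET.SubElement(node, "finding", {"class": "MtTextObject", "title": title})
        finding.text = description
    return webapp


def to_xml(element):
    """Serialize to a string; ElementTree escapes &, < and > in scanner-supplied text."""
    return ET.tostring(element, encoding="unicode")


if __name__ == "__main__":
    print(to_xml(build_webapp("http://my.host.name:12345/whatever/", SAMPLE_FINDINGS)))
```
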
