4

I run an nmap scan of my hosts daily to check for open ports.

sudo nmap -f -sS -sV --log-errors -append-output -p1-9999 host.com 

But along with the output I get a long list of fingerprint submissions for unrecognized ports, like this:

==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port4000-TCP:V=5.21%I=7%D=2/9%Time=4F30CAC%P=x86_64-redhat-linux-gnu%r
SF::\r\nERR\x20UNKNOWN_COMMAND\x20Unknown\+server\+commandCSeq:\r\nERR\x20
-------------------------------------------

How do I remove these from my nmap reports?

Quintin Par
  • 4,493

3 Answers

2

There is no way to keep Nmap from outputting this information, other than to submit the fingerprints as The Unix Janitor suggested in his comment. Along those lines, you could try using the latest version of Nmap (5.51 or 5.61TEST5); over 700 new service fingerprints have been added since the version you are using.

To strip the unwanted output from your scan results, try this Perl one-liner:

perl -ne 'if(/NEXT SERVICE FINGERPRINT/){$f=1}else{$f=0 if $f and not /^SF/}print unless $f'

That will strip the fingerprints out. If you are concerned about parsing the output, I would encourage you to use the XML output instead, since the structure of the normal output can change from version to version.

bonsaiviking
  • 4,490
0

Here is an alternative approach using sed instead of perl:

sed -e '/^==*NEXT SERVICE FINGERPRINT/,/^----/{d;}'

The format that nmap dumps seems to have changed since the original post. I'm seeing results that look like this:

| fingerprint-strings:
|   GetRequest:
|     HTTP/1.0 200 OK
--- (lines removed for brevity) ----
|     <meta charset="UTF-8">
|_    <!-- safari rejects 3rd party cookies when running inside iframe so all client requests must include customer id in
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port443-TCP:V=7.94SVN%T=SSL%I=7%D=12/6%Time=6753D374%P=x86_64-pc-linux-
SF:gnu%r(GetRequest,1000,"HTTP/1\.0\x20200\x20OK\r\nAccept-Ranges:\x20byte
---- (lines removed for brevity) ----
SF:0client\x20requests\x20must\x20include\x20customer\x20id\x20in");

Here is a sed that removes these:

 sed -e '/^| fingerprint-strings:/,/^|_/{d;}' -e '/^SF[-:]/{d;}' -e '/please submit the following fingerprint/{d;}'

Here is how this latter sed works, looking at each expression (-e):

  1. /a/,/b/ matches all lines between and including those that match "a" and "b". And {d;} is a command to delete the matching line. (Not all Unixes require the ; in {d;} but some do, so I use it. I don't think it breaks any versions of Unix, but if this fails, try removing it.) So we remove everything between the lines that start with | fingerprint-strings: and |_. (Caret, ^, marks the start of a line.)
  2. /^SF[-:]/ matches any line that starts with SF and either a - or :, and again we use {d;} to delete.
  3. The last expression is similar to #2 but we don't require the string to be at the beginning of the line we want to delete.
mr paul
  • 73
0

You might consider using the XML output format and parsing that (there is a Perl library to parse it, but any XML parser would work) rather than the default semi-structured text output. In the default output format I am not aware of a way to suppress those messages.

Evan Anderson
  • 142,957
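
The XML approach recommended in the answers above, as an added example (not code from any of the posters): it reads Nmap's `-oX` output and lists open ports, noting only whether the `servicefp` attribute (where Nmap stores the unrecognized-service fingerprint) is present. The sample XML, the address and the function names are constructed for this example.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV -oX` output, trimmed; not taken from the page.
SAMPLE_XML = """<nmaprun scanner="nmap">
 <host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="open"/>
   <service name="ssh" product="OpenSSH" version="8.9" method="probed"/></port>
  <port protocol="tcp" portid="4000"><state state="open"/>
   <service name="remoteanything" method="table"
    servicefp="SF-Port4000-TCP:V=0%I=7%r(NULL,3,&quot;ERR&quot;);"/></port>
  <port protocol="tcp" portid="8080"><state state="closed"/></port>
 </ports></host>
</nmaprun>"""

def open_ports(xml_text):
    """Return (addr, proto, port, service, detail, unrecognized) per open port."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iterfind("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name, detail, unrecognized = "unknown", "", False
            if svc is not None:
                name = svc.get("name", "unknown")
                detail = " ".join(filter(None, (svc.get("product"), svc.get("version"))))
                # Nmap puts the "SF-Port..." text in servicefp; record only that it exists.
                unrecognized = svc.get("servicefp") is not None
            rows.append((addr, port.get("protocol"), int(port.get("portid")),
                         name, detail, unrecognized))
    return rows

def format_report(rows):
    """One line per open port; fingerprint text never appears."""
    return "\n".join(
        f"{addr} {portid}/{proto} open {name}"
        + (f" ({detail})" if detail else "")
        + (" [unrecognized service]" if unrecognized else "")
        for addr, proto, portid, name, detail, unrecognized in rows)

if __name__ == "__main__":
    # e.g. nmap -sS -sV -oX scan.xml <target>; python3 this_script.py scan.xml
    text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_XML
    print(format_report(open_ports(text)))
```

Because only the `state` and `service` elements are read, script output such as `fingerprint-strings` is skipped as well, and the report format does not depend on the layout of Nmap's normal text output.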