Nmap Development mailing list archives

Re: [RFC] Zenmap search interface overhaul


From: David Fifield <david () bamsoftware com>
Date: Fri, 30 May 2008 17:55:31 -0600

On Tue, May 27, 2008 at 06:56:12PM -0700, Fyodor wrote:
> On Fri, May 23, 2008 at 04:33:50PM -0600, David Fifield wrote:
> > On Fri, May 23, 2008 at 03:09:07AM +0200, Vladimir Mitrovic wrote:
> > > What search needs do you have? Do you currently use custom scripts to
> > > search through your saved Nmap scans, or does nobody really need to do
> > > that? If people only need to do simple searches, then the search
> > > function should be simple too. Or maybe you could do more if only you
> > > had a more powerful search tool.

> Also, I might have an ssh brute force tool and so I want to limit the
> results to just the machines with tcp port 22 open (or open|filtered,
> I suppose, though that's mostly useful for UDP) or a service
> discovered on any port with the service name ssh.

I don't think this is something Vladimir or I had considered (I know I
hadn't). I was thinking only of this situation:

> There is also the issue of "searching for a historical scan to open".
> That isn't something I do as frequently.

That is, I was thinking of this as duplicating the functionality of the
current Zenmap search window with a much improved user interface.

I can see the value of filtering the results of a single scan. (Or when
Zenmap gains the ability to aggregate several scans in one display, it
could filter those too.) Vladimir didn't really sign on for this, so I'd
like to get his opinion on whether this is too much for this stage of the
summer.

Perhaps the two search/filtering functions could use the same underlying
mechanism. For example, running a query against a scan could return a
"results set" of hosts that match the query. (Do we need results other
than a list of hosts?) In the historical searching scenario, the search
engine would run a query against all the hosts it finds and return the
ones with a non-empty results set. Of course in this case it could be
configured to short-circuit and return a scan when the first result is
found.

At any rate it seems to be desirable to implement the "historical scan"
search in a way that would help with a filtering feature.

Zenmap already has a primitive version of this filtering ability, the
ability to select only hosts with a certain port open:

http://nmap.org/book/zenmap-results.html#zenmap-sort-service

This corresponds to a search string of "portstate:open,open|filtered|filtered",
plus "port:" and a given port. Naturally once this feature was available
we would use it to implement this and richer filters.

David
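The mechanism sketched above (a query run against one scan yields a result set of hosts; the historical search runs the same query over every saved scan and keeps the scans whose result set is non-empty, short-circuiting at the first matching host) can be illustrated with a small stand-alone engine. This is an added example written for this page, not Zenmap's code and not the interface Vladimir implemented; the `port:` / `portstate:` / `service:` query syntax, the two embedded scans, and all function names are assumptions for illustration.

```python
"""Added example (not Zenmap's own code): a minimal query engine over parsed
Nmap XML.  filter_hosts() runs one query against one scan and returns the
matching hosts; search_scans() runs the same query over many scans and
returns the scans with a non-empty result set, stopping at the first hit
inside each scan.  Query syntax and sample data are assumptions."""
import xml.etree.ElementTree as ET

# Constructed sample scans in Nmap XML form (hand-written, not real output).
SCAN_A = """<nmaprun>
<host><address addr="10.0.0.1" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
</ports></host>
<host><address addr="10.0.0.2" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="filtered"/><service name="ssh"/></port>
<port protocol="tcp" portid="2222"><state state="open"/><service name="ssh"/></port>
</ports></host>
</nmaprun>"""

SCAN_B = """<nmaprun>
<host><address addr="10.0.0.3" addrtype="ipv4"/><ports>
<port protocol="udp" portid="53"><state state="open|filtered"/><service name="domain"/></port>
</ports></host>
</nmaprun>"""


def parse_scan(xml_text):
    """Return [{'addr': str, 'ports': [(proto, portid, state, service), ...]}, ...]."""
    hosts = []
    for h in ET.fromstring(xml_text).findall("host"):
        ports = []
        for p in h.findall("ports/port"):
            svc = p.find("service")
            ports.append((p.get("protocol"), int(p.get("portid")),
                          p.find("state").get("state"),
                          svc.get("name") if svc is not None else ""))
        hosts.append({"addr": h.find("address").get("addr"), "ports": ports})
    return hosts


def parse_query(query):
    """'port:22 portstate:open,open|filtered' ->
       {'port': {'22'}, 'portstate': {'open', 'open|filtered'}}.
    Comma separates alternative values; '|' is part of a state name."""
    terms = {}
    for token in query.split():
        key, _, value = token.partition(":")
        terms.setdefault(key, set()).update(value.split(","))
    return terms


def host_matches(host, terms):
    """A host matches when a single one of its ports satisfies every term.
    Evaluating all terms against the same port is what makes
    'port:22 portstate:open' mean "port 22 is open", rather than
    "some port is 22 and some (other) port is open"."""
    for _proto, portid, state, service in host["ports"]:
        if "port" in terms and str(portid) not in terms["port"]:
            continue
        if "portstate" in terms and state not in terms["portstate"]:
            continue
        if "service" in terms and service not in terms["service"]:
            continue
        return True
    return False


def filter_hosts(hosts, query):
    """Result set of one query against one scan: the addresses that match."""
    terms = parse_query(query)
    return [h["addr"] for h in hosts if host_matches(h, terms)]


def scan_has_match(hosts, terms):
    # Short-circuit: the historical search only needs to know the result
    # set is non-empty, so stop at the first matching host.
    return any(host_matches(h, terms) for h in hosts)


def search_scans(scans, query):
    """Historical search: names of the scans whose result set is non-empty."""
    terms = parse_query(query)
    return [name for name, hosts in scans.items() if scan_has_match(hosts, terms)]


def load_sample_scans():
    """The two constructed scans keyed by an assumed file name."""
    return {"scan-a.xml": parse_scan(SCAN_A), "scan-b.xml": parse_scan(SCAN_B)}


if __name__ == "__main__":
    scans = load_sample_scans()
    print(filter_hosts(scans["scan-a.xml"], "port:22 portstate:open,open|filtered"))
    print(search_scans(scans, "service:ssh"))
```

The "ssh brute force" case in the thread is an OR of two queries (port 22 open, or any port with service name ssh); with result sets as plain lists of hosts that is just the union of `filter_hosts(hosts, "port:22 portstate:open,open|filtered")` and `filter_hosts(hosts, "service:ssh")`, which is one argument for returning host sets rather than something richer.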

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
