Nmap Development mailing list archives

Re: [RFC] NSE Re-categorization


From: jah <jah () zadkiel plus com>
Date: Fri, 13 Jun 2008 01:07:10 +0100

On 12/06/2008 23:07, Kris Katterjohn wrote:
> I think "safe" and "intrusive" should be mutually-exclusive, together
> all-encompassing categories.  All scripts should fit into one of these.
> That's not to say that every script should absolutely have one of these
> listed in its categories{}, but if a script doesn't fall into a more
> specific category, it will fit in here.  If a script isn't safe, I think
> it's intrusive, and vice versa.  This isn't really changing anything,
> but it may give a different viewpoint on these categories.
The current definition of safe as per
http://nmap.org/book/nse-usage.html#nse-categories is:
"Scripts which weren't designed to crash services, use large amounts of
network bandwidth or other resources, or exploit security holes..."
The definition of intrusive:
"These are not intended to crash or damage anything, but are more likely
to leave suspicious logs or otherwise arouse sysadmin ire..."

So I think that either intrusive should include scripts that are
intended to crash services (all in the name of securing one's own
network, of course) or perhaps there should be a category for "exploits"
to include scripts that actively exploit vulnerabilities and could crash
a service or cause a sysadmin alarm - even if the intention is merely
to detect a vulnerability.
> I think "backdoor" should be merged into "malware".  There's no point in
> having two basically synonymous categories.
Aye to that.
> I initially thought that the "discovery" category should be dropped.
> Is there an NSE script which isn't really discovering something?  But
> Brandon pointed out that it could just be renamed, and that the name
> could convey something along the lines of "extra information".  I can't
> really think of a good name for it, however.
Perhaps "Informational"?
> How about a new "credential" (or "login") category?  This can be used
> for NSE scripts which attempt a login, such as anonFTP, bruteTelnet, and
> HTTPAuth.

> So here would be the current list of categories:
>
> Default
> Version
> Safe
> Intrusive
> Vulnerability
> Malware
> Credential
> <renamed Discovery>
>
> The first two don't really count because "default" is more of a
> sub-category, and "version" is a necessity for some scripts.  So not
> counting those, that gives us 6 categories, which is a good place to be.
>
> So, how am I doing?  Do you have complaints about some of the current
> categories?  Do you have any ideas for other new categories?
It looks good.  Using Informational and adding Exploits, you even get a
handy mnemonic: VICED VIMS (from Latin: Grasp with Vigour).


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
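As an added illustration of the rule discussed above (that "safe" and "intrusive" should be mutually exclusive and together cover every script), here is a small Python checker. It is example code written for this archive page, not code from the thread, from Kris, from jah, or from the Nmap project. It parses the categories{} table out of NSE script sources and reports scripts that carry both categories or neither. The script sources are constructed samples; the "credential" category is the one proposed in the thread, not an existing Nmap category.

```python
import re

# Constructed sample NSE script sources (not real Nmap scripts); only the
# categories table matters to the checker.
SAMPLE_SCRIPTS = {
    "anonFTP.nse": 'description = "Checks for anonymous FTP access."\n'
                   'categories = {"credential", "safe"}\n',
    "bruteTelnet.nse": 'categories = {"credential", "intrusive"}\n',
    "someDiscovery.nse": 'categories = {"discovery"}\n',
    "oddScript.nse": 'categories = {"safe", "intrusive"}\n',
}

# Matches a top-level Lua assignment such as: categories = {"safe", "discovery"}
CATEGORIES_RE = re.compile(r'^\s*categories\s*=\s*\{([^}]*)\}', re.MULTILINE)


def parse_categories(source):
    """Return the list of category names declared in an NSE script source.

    Names are lower-cased so that "Safe" and "safe" compare equal. An empty
    list is returned when no categories table is present.
    """
    match = CATEGORIES_RE.search(source)
    if not match:
        return []
    return [item.strip().strip('"\'').lower()
            for item in match.group(1).split(",")
            if item.strip()]


def classify(categories):
    """Apply the proposed rule: exactly one of "safe" or "intrusive".

    Returns "safe", "intrusive", "conflict" (both present) or
    "unclassified" (neither present).
    """
    has_safe = "safe" in categories
    has_intrusive = "intrusive" in categories
    if has_safe and has_intrusive:
        return "conflict"
    if has_safe:
        return "safe"
    if has_intrusive:
        return "intrusive"
    return "unclassified"


def lint(scripts):
    """Map each script name to its classification under the rule."""
    return {name: classify(parse_categories(src))
            for name, src in scripts.items()}


def problems(scripts):
    """Return sorted names of scripts that violate the mutual-exclusion rule."""
    return sorted(name for name, verdict in lint(scripts).items()
                  if verdict in ("conflict", "unclassified"))


if __name__ == "__main__":
    for name, verdict in lint(SAMPLE_SCRIPTS).items():
        print(f"{name}: {verdict}")
    print("needs attention:", problems(SAMPLE_SCRIPTS))
```

Run against a real scripts directory by reading each .nse file into the dictionary in place of SAMPLE_SCRIPTS; the checker only looks at the categories table, so it works the same on any script header.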
