Nmap Development mailing list archives
Re: non existent script called with --script=all
From: Fyodor <fyodor () insecure org>
Date: Fri, 24 Apr 2009 16:12:50 -0700
On Thu, Apr 23, 2009 at 05:38:15PM -0400, Michael Pattrick wrote:
> Would it be worth while to have Nmap generate the script.db file on the fly if it isn't present on the system, and then simply not distribute it from SVN? After all, its generation isn't computationally intensive.
It is an interesting idea, but I can see some downsides. For example, whenever you do an svn update and get new scripts, you'd need to run --script-updatedb before you would see the new scripts. Also, Nmap is often run by unprivileged users who can't write to the Nmap system-wide scripts directory. So we'd probably need to generate the file at install time. And that seems more complicated and error-prone than our current system.

I do think we should make it easier to see changes to the file (e.g. in svn diff) so we can catch these problems more easily. I think there were three factors which contributed to us not catching this smb-check-vulns-2.nse entry:

1) It was a rushed release, and the Conficker changes were checked in right before the release happened. This was because Symantec didn't want the script released publicly until Tuesday. I guess they didn't want to tip off the Conficker authors to the new detection technique. Unfortunately, rushed releases are always a recipe for trouble.

2) (minor) The whitespace in scripts/script.db changed between the version in SVN and the version Ron built. I'm not sure why that was (maybe the Lua core rewrite), but it led to changes in almost every line of script.db showing in the diff. So the bogus smb-check-vulns-2 didn't stand out.

3) (minor) There may have been sorting problems with script.db as well. Last year, David changed nse_init.cc to sort scripts.db by filenames. But that functionality may have been lost (along with nse_init.cc as a whole) with the new Lua rewrite of the NSE core. David restored it today with a change to nse_main.cc.

Hopefully now we will only see important changes in the diff for script.db commits. And as long as we pay attention to those changes and make sure they are reasonable, I hope we can prevent this sort of problem in the future.

I don't think this is so serious that we need to do a new release right now (--script=all is probably somewhat rarely used), but we should probably do a new release within a week.

Cheers,
-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
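A release-time consistency check of the kind the message above argues for, as an added example that is not part of the original post or of Nmap's code: it reports script.db entries with no matching script file, entries out of filename order, and scripts with no entry. It assumes each entry carries a `filename = "..."` field; the function names, the entry layout and the sample files are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: every script.db entry contains a filename = "name.nse" field.
FILENAME_RE = re.compile(r'filename\s*=\s*"([^"]+)"')


def check_script_db(db_path, scripts_dir):
    """Return (missing, unsorted, unlisted) for a script.db file.

    missing  - entries naming a script that is not in scripts_dir
    unsorted - entries that sort before the entry preceding them
    unlisted - .nse files in scripts_dir that have no entry
    """
    names = FILENAME_RE.findall(Path(db_path).read_text(encoding="utf-8"))
    on_disk = {p.name for p in Path(scripts_dir).glob("*.nse")}
    missing = sorted(set(names) - on_disk)
    unsorted = [b for a, b in zip(names, names[1:]) if b < a]
    unlisted = sorted(on_disk - set(names))
    return missing, unsorted, unlisted


def demo():
    """Run the check on a constructed scripts directory and script.db."""
    with tempfile.TemporaryDirectory() as tmp:
        scripts = Path(tmp)
        for name in ("banner.nse", "http-auth.nse",
                     "smb-check-vulns.nse", "smtp-commands.nse"):
            (scripts / name).write_text("-- constructed placeholder script\n")
        db = scripts / "script.db"
        # Constructed sample: one stale entry, one entry out of order,
        # and smtp-commands.nse left out entirely.
        db.write_text(
            'Entry{ category = "discovery", filename = "banner.nse" }\n'
            'Entry{ category = "intrusive", filename = "smb-check-vulns-2.nse" }\n'
            'Entry{ category = "intrusive", filename = "smb-check-vulns.nse" }\n'
            'Entry{ category = "discovery", filename = "http-auth.nse" }\n'
        )
        return check_script_db(db, scripts)


if __name__ == "__main__":
    missing, unsorted, unlisted = demo()
    print("entries without a script file:", missing)
    print("entries out of filename order:", unsorted)
    print("scripts without an entry:", unlisted)
```

Run before tagging a release, a non-empty `missing` list is the condition that let the bogus entry ship, independent of how noisy the diff is.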