Nmap Development mailing list archives

Re: Safe and Intrusive Category confusion


From: David Fifield <david () bamsoftware com>
Date: Tue, 22 Sep 2009 22:52:02 -0600

On Tue, Sep 22, 2009 at 11:22:43PM -0500, Kris Katterjohn wrote:
> On 09/22/2009 08:12 PM, David Fifield wrote:
> > On Sat, Sep 19, 2009 at 02:41:07AM -0400, Patrick Donnelly wrote:
> > > I was just recently looking through some of the scripts' categories
> > > and found some inconsistencies. Some of our scripts do not have an
> > > intrusive or safe category. In previous discussions [1], the general
> > > consensus was that safe and intrusive would be mutually exclusive
> > > categories and each script would be in one of these two categories. I
> > > did a check through our scripts to see which scripts were not safe and
> > > not intrusive:
> > >
> > > (I edited one extraneous line out and one should note that the last
> > > script, ssh-hostkey.nse is both safe AND intrusive??). I want to go
> > > ahead and fix these scripts but wanted to make sure that having each
> > > script be "safe" XOR "default" is the way to go?
> > >
> > > If this is the case, what do you think about deprecating intrusive and
> > > using "not safe" instead?
> >
> > I was trying to think of a reason not to have the safe XOR intrusive
> > rule, but I couldn't think of any scripts that would be considered both
> > safe and intrusive, or both not safe and not intrusive.
>
> When I was first talking about the mutually exclusive, all encompassing Safe
> and Intrusive categories, they weren't supposed to be necessary categories for
> scripts to be placed into.  It was more like stressing a script is safe (or
> whatever), or used when a script didn't really fall into any other category.
> A script wasn't supposed to require either and not strictly considered either
> (although it could always fit in one or the other).
>
> Dropping Intrusive and using "not safe" doesn't really allow for this.  Now
> every script that is safe must be categorized explicitly as Safe or it would
> now be implicitly categorized as "intrusive" (not safe).
>
> While I guess this may not pose a great concern, it does say that any script
> not categorized as Safe is thrust into the "category" of "not safe".  While
> this was of course the way it was before, "not safe" != "intrusive" since
> scripts didn't have to say one way or another.  It wasn't required.
>
> By this I mean every script should always have fit into Safe or Intrusive, but
> they didn't have to.  Now they do because "not safe" would be equivalent to
> "intrusive", since this would be all encompassing.
>
> Hmm... but after rereading this, I realize I may have been more stuck on rules
> than practicality :)

I got caught up in this line of thinking too. I had a message
half-composed where I was going to claim that some scripts should be
neither safe nor intrusive, or that it somehow made sense for
ssh-hostkey.nse to be both safe and intrusive. But I couldn't think of
any reasons to back it up, and the descriptions of
http://nmap.org/book/nse-usage.html#nse-categories suggest that we have
been thinking about "not safe" and "intrusive" as the same thing.

        "Scripts which weren't designed to crash services, use large
        amounts of network bandwidth or other resources, or exploit
        security holes are categorized as safe."

        "[intrusive scripts] are scripts that cannot be classified in
        the safe category because the risks are too high that they will
        crash the target system, use up significant resources on the
        target host (such as bandwidth or CPU time), or otherwise be
        perceived as malicious by the target's system administrators."

> Also: while I doubt anybody likes this idea, if we were to drop one of the
> categories I think it should be Safe.  I think it's more plausible for scripts
> to be required to explicitly call themselves Intrusive than Safe.  You have to
> make a script "not safe".  Besides, Intrusive scripts can do no harm and Safe
> scripts could accidentally cause problems.  But I'm sure there are more
> arguments against this than I can already foretell :)

I see this the exact opposite way--that explicit labeling of safe is the
way to guard against accidentally running unsafe scripts. If "safe" is
the only category and you run --script=safe, and there's a safe script
that wasn't put in the "safe" category, the only harm is that one
potential script is not run. If "intrusive" is the only category and you
run --script="not intrusive", and there's an intrusive script that was
mistakenly not put in the "intrusive" category, then you will run an
unsafe script.

David Fifield
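To make both points concrete, here is a small checker, added as an example and not code from the thread or from Nmap itself. It applies the "safe XOR intrusive" rule Patrick's check looked for to a set of constructed script stubs, then models the two selection rules David contrasts (--script=safe versus --script="not intrusive") and reports which selected scripts are in fact intrusive. The script names, their category lines and the "truly intrusive" ground truth are all invented for illustration; the regex only mirrors the shape of the categories = {...} line in NSE scripts and is not a Lua parser.

```python
"""Check the NSE 'safe XOR intrusive' invariant and compare the two
selection rules from the thread: --script=safe vs --script="not intrusive".

Added example: not code from the nmap-dev thread or from Nmap. The script
stubs below are constructed and their category lists are invented.
"""
import re

# Constructed stand-ins for the `categories = {...}` line of NSE scripts.
SAMPLE_SCRIPTS = {
    "banner-demo.nse":  'categories = {"discovery", "safe"}',
    "flood-demo.nse":   'categories = {"dos", "intrusive"}',
    "probe-demo.nse":   'categories = {"discovery"}',          # no safety label
    "hostkey-demo.nse": 'categories = {"safe", "intrusive"}',  # both labels
    "brute-demo.nse":   'categories = {"auth"}',               # intrusive, label forgotten
}

# Constructed ground truth: scripts that really are intrusive, whatever
# their category line claims (the "mislabelled script" case in the thread).
TRULY_INTRUSIVE = {"flood-demo.nse", "brute-demo.nse"}

_CAT_LINE = re.compile(r'categories\s*=\s*\{([^}]*)\}')
_CAT_ITEM = re.compile(r'["\']([^"\']+)["\']')


def parse_categories(source):
    """Return the set of category names declared in an NSE script source."""
    m = _CAT_LINE.search(source)
    return set(_CAT_ITEM.findall(m.group(1))) if m else set()


def invariant_violations(scripts):
    """Scripts that break 'exactly one of safe, intrusive'.

    Returns (neither, both): names carrying no safety label, and names
    carrying both, each sorted.
    """
    neither, both = [], []
    for name, src in scripts.items():
        cats = parse_categories(src)
        if "safe" in cats and "intrusive" in cats:
            both.append(name)
        elif "safe" not in cats and "intrusive" not in cats:
            neither.append(name)
    return sorted(neither), sorted(both)


def select_safe(scripts):
    """Model --script=safe: run only scripts explicitly labelled safe."""
    return sorted(n for n, s in scripts.items()
                  if "safe" in parse_categories(s))


def select_not_intrusive(scripts):
    """Model --script="not intrusive": run everything not labelled intrusive."""
    return sorted(n for n, s in scripts.items()
                  if "intrusive" not in parse_categories(s))


def intrusive_scripts_run(selection, truly_intrusive=TRULY_INTRUSIVE):
    """Selected scripts that are actually intrusive: the fail-open cases."""
    return sorted(set(selection) & truly_intrusive)


if __name__ == "__main__":
    neither, both = invariant_violations(SAMPLE_SCRIPTS)
    print("neither safe nor intrusive:", neither)
    print("both safe and intrusive:   ", both)
    for label, chosen in (("--script=safe", select_safe(SAMPLE_SCRIPTS)),
                          ('--script="not intrusive"',
                           select_not_intrusive(SAMPLE_SCRIPTS))):
        print(f"{label}: runs {chosen}; intrusive among them: "
              f"{intrusive_scripts_run(chosen)}")
```

Run directly, the report shows the asymmetry David describes: the forgotten label on brute-demo.nse costs nothing under --script=safe (the script is simply not selected), but under --script="not intrusive" the same omission lets the intrusive script run. The invariant check is what a repository lint would do before a release, flagging probe-demo.nse and brute-demo.nse for having no safety label and hostkey-demo.nse for having both.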

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org