Nmap Development mailing list archives

Re: Updates to http-enum.nse

From: Fyodor <fyodor () insecure org>
Date: Fri, 21 Aug 2009 23:47:39 -0700

On Fri, Aug 21, 2009 at 09:09:06AM -0500, Ron wrote:


I agree that the script should only show 200 by default, but give an 
option to show others. That makes sense. You're going to miss hidden 
folders, by by default Apache hides certain things so that kinda makes 
sense.


Sounds reasonable.  If there are cases where we want to show other
status codes, perhaps the signature line format could be modified to
permit that.

Regarding including the status code, that is sort of an issue with the 
different purposes of Yokoso vs Nmap. Yokoso doesn't care what the 
status code is, but rather a binary: the user has been to the page, or 
the user hasn't. Nmap, on the other hand, cares of the page exists. I'm 
sure there must be a way to get the best of both worlds, of course -- 
maybe optional fields or something?


Good point.

Another serious issue involves inclusion of the Yokoso DB.  You say:


It looks like they are OK with the Nmap license, so it is OK to put in
as long as we note that permission (and I'd even suggest a link to
http://seclists.org/nmap-dev/2009/q3/0685.html.

I think the best bet is to have multiple fingerprint files of the same 
format. Yokoso, defaults, extended, etc. Then the script can load 
whatever it sees fit.


That seems reasonable.

Is it ok if I commit what I have in http-enum.nse? I'll leave out the 
yokoso file for now, and provide instructions to download it. I strongly 
suspect that the current http-enum.nse works at least as well as the 
previous version.


That sounds fine to me.  It sounds like you've already tested it quite
a bit.  The Yokoso file is now fine from a copyright perspective
(subject to ther permissions text being added).  However, it sounds
like some of the improvements we've discussed may be warranted before
inclusion of that part.

Cheers,
-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

Current thread:

Updates to http-enum.nse Ron (Aug 20)
- Re: Updates to http-enum.nse Fyodor (Aug 21)
  - Re: Updates to http-enum.nse Ron (Aug 21)
    - Re: [Yokoso-devel] Updates to http-enum.nse Kevin Johnson (Aug 21)
    - Re: [Yokoso-devel] Updates to http-enum.nse Fyodor (Aug 22)
    - Re: Updates to http-enum.nse Fyodor (Aug 22)
    - Re: Updates to http-enum.nse Ron (Aug 22)
    - Re: Updates to http-enum.nse Ron (Aug 22)
    - Re: Updates to http-enum.nse Fyodor (Aug 22)
- Re: Updates to http-enum.nse Ron (Aug 22)
  - Re: Updates to http-enum.nse David Fifield (Aug 23)
    - Re: Updates to http-enum.nse Ron (Aug 23)