Nmap Development mailing list archives
Re: [NSE] IDS behavior detection scripts
From: Joao Correa <joao () livewire com br>
Date: Mon, 29 Mar 2010 18:46:04 -0300
Hi David, Thanks for the answer, On Mon, Mar 29, 2010 at 4:42 PM, David Fifield <david () bamsoftware com> wrote:
On Mon, Mar 08, 2010 at 03:50:01AM -0300, Joao Correa wrote:These two scripts were very helpful to me a few days ago, while configuring and testing an IDS in a server. Maybe they could be useful to someone else.I'm trying to decide whether to include these scripts in the distribution. Can you tell us more about the situation they helped you in? That will help us know what the typical use is and whether the scripts are generally useful.
I was configuring an IDS on the server and I wanted to check if it was working correctly.
The main objective of these scripts is trying to identify IDS (or should I call it IPS?) behaviors such as detecting and blocking sql-injections and directory enumeration. I believe that the scripts are self-explained, but if you have any question, I'll be here to answer. If you guys decide that these scripts are interesting enough to be merged to the main trunk, I think that maybe they should get better names and a better output.It would be better if the scripts were not destructive (didn't potentially create a firewall rule) but I guess that is inherent in the way they work. What happens if you run the script twice against the same host? How about if you run it at the same time as sql-injection.nse?
Unfortunately these scripts are a little destructive, because they are based on detecting if a firewall rule is created or not. As you mentioned, this is the way they work. If you run only sql-injection.nse against a server, suddenly you will start receiving timeouts and after that you won't be able to discover any page vulnerable. Also, you won't be noticed why it is happening. If you run the ids detection script at the same time as sql-injection, and a IDS is really running, the sql-injection script will start receiving timeouts, as above mentioned, but at least the user will be noticed about why he is not discovering any vulnerabilities. Considering that the server is running an IDS, simply running the script sql-injection.nse can jeopardize the whole execution of nmap, because it will add firewall rules that, in most cases, are general, blocking all the traffic from that source IP. Maybe, instead of adding the scripts, we could add its functionality to both sql-injection.nse and http-enum.nse. The problem about adding it to sql-injection.nse is that this script depends on spidering the web server, what won't work fine (for ids detection) if your server is hosting only a few pages that takes no parameters (which was my case and motivated me to write the scripts). I suggest that, if you decide that it is a good thing to include the functionality to sql-injection, it runs the ids check before start the vulnerability check (something like coping the ids script to the beginning of the sql-injection script) so it won't have the problem above mentioned. For the http-enum.nse I just think that the script can be easily merged, because it does not depend on spidering the web server before. Hope I've been enough clear, if you have any doubt, just ask! If you think that it is a good choice, I can work on the patches. If you prefer adding the scripts as they were written, I will also be glad. Thanks again, João.
David Fifield
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- [NSE] IDS behavior detection scripts Joao Correa (Mar 07)
- Re: [NSE] IDS behavior detection scripts David Fifield (Mar 29)
- Re: [NSE] IDS behavior detection scripts Joao Correa (Mar 29)
- Re: [NSE] IDS behavior detection scripts David Fifield (Mar 29)
- Re: [NSE] IDS behavior detection scripts Joao Correa (Mar 29)
- Re: [NSE] IDS behavior detection scripts Joao Correa (Mar 29)
- Re: [NSE] IDS behavior detection scripts David Fifield (Mar 29)