Nmap Development mailing list archives
Re: [BUG] Exclusions directive not honored by NSE version detection
From: Djalal Harouni <tixxdz () gmail com>
Date: Wed, 30 Jun 2010 00:06:44 +0100
On 2010-06-21 00:32:54 +0100, Djalal Harouni wrote:
On 2010-06-21 00:29:59 +0100, Djalal Harouni wrote:I hope that the attached patch which correct a small issue will be the last one. On 2010-06-20 12:08:48 -0700, Fyodor wrote:On Thu, Jun 17, 2010 at 05:41:37PM -0500, Kris Katterjohn wrote:I have never had a grasp on the inner workings of NSE, but couldn't it just not pass the excluded ports to scripts in the version category?Yes your solution Kris can work since we can access and check the script categories in nse_main.lua, and perhaps this solution is more suitable when we have lot of version scripts as suggested by Fyodor. What I can say Kris: your proposed solution seems to me that it will also work, but at the moment I don't have a significant overview of Nmap/NSE source code as you, Fyodor or David ... Thx Kris for your feedbacks.That would work too, but I think it has disadvantages: o Makes the functionality more "mysterious" since the working is in the engine and isn't reflected in the scripts. So you have to know about this implicit NSE rule, versus being able to see the behavior in scripts. o Potential issues with the scripts we have which are in "version" and other categories too (db2-das-info, db2-info).For this case I just added a check to my previous patch to let scripts which are in "version" and other categories to run when we don't specify the -sV option, and to let them use the version_port_or_service() portrule. To sum it up: The portrule version_port_or_service() will check if the port/protcol are excluded when we do a service scan (-sV), the --allports is also honored and the excluded list will be ignored. Now if the -sV option is not used then the version_port_or_service() portrule will simply emulate the port_or_service() portrule and ignore the excluded list.o Prevents non-version scripts from making use of the excluded ports data. Also prevents version scripts from overriding it (though I doubt they will want to anyway). I think the implicit approach would be better if we had a huge number of version scripts. But the number of that scripts is small enough (and expected to remain that way) that I think it is better to put the behavior explicitly in the scripts rather than adding special magic behavior to the engine.Then the --allports option can be used to change this just like for service detection.The --allports option should still work with Djalal's patch too. Note: + // check if the allports option was used + if (o.override_excludeports) + return 0;With the new patch the check is: if (!o.servicescan || o.override_excludeports) return 0;aah the patch.
This was commited as r18467. -- tixxdz _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Re: [BUG] Exclusions directive not honored by NSE version detection, (continued)
- Re: [BUG] Exclusions directive not honored by NSE version detection Patrik Karlsson (May 24)
- Re: [BUG] Exclusions directive not honored by NSE version detection Djalal Harouni (Jun 17)
- Re: [BUG] Exclusions directive not honored by NSE version detection Kris Katterjohn (Jun 17)
- Re: [BUG] Exclusions directive not honored by NSE version detection Djalal Harouni (Jun 17)
- Re: [BUG] Exclusions directive not honored by NSE version detection Kris Katterjohn (Jun 17)
- Re: [BUG] Exclusions directive not honored by NSE version detection Djalal Harouni (Jun 19)
- Re: [BUG] Exclusions directive not honored by NSE version detection Kris Katterjohn (Jun 19)
- Re: [BUG] Exclusions directive not honored by NSE version detection Fyodor (Jun 20)
- Re: [BUG] Exclusions directive not honored by NSE version detection Djalal Harouni (Jun 20)
- Re: [BUG] Exclusions directive not honored by NSE version detection Djalal Harouni (Jun 20)
- Re: [BUG] Exclusions directive not honored by NSE version detection Djalal Harouni (Jun 29)
- Re: [BUG] Exclusions directive not honored by NSE version detection Kris Katterjohn (Jun 17)
- Re: [BUG] Exclusions directive not honored by NSE version detection Kris Katterjohn (Jun 21)
- Re: [BUG] Exclusions directive not honored by NSE version detection Djalal Harouni (Jun 26)