Re: [BUG] Exclusions directive not honored by NSE version detection

[Djalal Harouni <tixxdz () gmail com>]

On 2010-06-21 00:32:54 +0100, Djalal Harouni wrote:
> On 2010-06-21 00:29:59 +0100, Djalal Harouni wrote:
> > I hope that the attached patch which correct a small issue will be the
> > last one.
> >
> > On 2010-06-20 12:08:48 -0700, Fyodor wrote:
> > > On Thu, Jun 17, 2010 at 05:41:37PM -0500, Kris Katterjohn wrote:
> > > > I have never had a grasp on the inner workings of NSE, but couldn't
> > > > it just not pass the excluded ports to scripts in the version
> > > > category?
> > Yes your solution Kris can work since we can access and check the
> > script categories in nse_main.lua, and perhaps this solution is more
> > suitable when we have lot of version scripts as suggested by Fyodor.
> > What I can say Kris: your proposed solution seems to me that it will
> > also work, but at the moment I don't have a significant overview of
> > Nmap/NSE source code as you, Fyodor or David ...
> > Thx Kris for your feedbacks.
> >
> > > That would work too, but I think it has disadvantages:
> > >
> > > o Makes the functionality more "mysterious" since the working is in
> > >   the engine and isn't reflected in the scripts.  So you have to know
> > >   about this implicit NSE rule, versus being able to see the behavior in
> > >   scripts.
> > >
> > > o Potential issues with the scripts we have which are in "version" and
> > >   other categories too (db2-das-info, db2-info).
> > For this case I just added a check to my previous patch to let scripts
> > which are in "version" and other categories to run when we don't specify
> > the -sV option, and to let them use the version_port_or_service()
> > portrule.
> >
> > To sum it up:
> > The portrule version_port_or_service() will check if the port/protcol are
> > excluded when we do a service scan (-sV), the --allports is also honored
> > and the excluded list will be ignored. Now if the -sV option is not used
> > then the version_port_or_service() portrule will simply emulate the
> > port_or_service() portrule and ignore the excluded list.
> >
> > > o Prevents non-version scripts from making use of the excluded ports
> > >   data.  Also prevents version scripts from overriding it (though I
> > >   doubt they will want to anyway).
> > >
> > > I think the implicit approach would be better if we had a huge number
> > > of version scripts.  But the number of that scripts is small enough
> > > (and expected to remain that way) that I think it is better to put the
> > > behavior explicitly in the scripts rather than adding special magic
> > > behavior to the engine.
> > >
> > > > Then the --allports option can be used to change this just like for
> > > > service detection.
> > >
> > > The --allports option should still work with Djalal's patch too.
> > > Note:
> > >
> > > +  // check if the allports option was used
> > > +  if (o.override_excludeports)
> > > +    return 0;
> > With the new patch the check is:
> >
> >     if (!o.servicescan || o.override_excludeports)
> >             return 0;
> aah the patch.
This was commited as r18467.

-- 
tixxdz
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/