Re: [NSE] IDS behavior detection scripts

[David Fifield <david () bamsoftware com>]

On Mon, Mar 29, 2010 at 09:01:41PM -0300, Joao Correa wrote:
> On Mon, Mar 29, 2010 at 8:37 PM, David Fifield <david () bamsoftware com> wrote:
> > On Mon, Mar 29, 2010 at 06:46:04PM -0300, Joao Correa wrote:
> > > On Mon, Mar 29, 2010 at 4:42 PM, David Fifield <david () bamsoftware com> wrote:
> > > > > The main objective of these scripts is trying to identify IDS (or
> > > > > should I call it IPS?) behaviors such as detecting and blocking
> > > > > sql-injections and directory enumeration. I believe that the scripts
> > > > > are self-explained, but if you have any question, I'll be here to
> > > > > answer. If you guys decide that these scripts are interesting enough
> > > > > to be merged to the main trunk, I think that maybe they should get
> > > > > better names and a better output.
> > > >
> > > > It would be better if the scripts were not destructive (didn't
> > > > potentially create a firewall rule) but I guess that is inherent in the
> > > > way they work. What happens if you run the script twice against the same
> > > > host? How about if you run it at the same time as sql-injection.nse?
> > >
> > > Unfortunately these scripts are a little destructive, because they are
> > > based on detecting if a firewall rule is created or not. As you
> > > mentioned, this is the way they work.
> > >
> > > If you run only sql-injection.nse against a server, suddenly you will
> > > start receiving timeouts and after that you won't be able to discover
> > > any page vulnerable. Also, you won't be noticed why it is happening.
> > >
> > > If you run the ids detection script at the same time as sql-injection,
> > > and a IDS is really running, the sql-injection script will start
> > > receiving timeouts, as above mentioned, but at least the user will be
> > > noticed about why he is not discovering any vulnerabilities.
> >
> > If you run http-ids-enum a second time against the same host, and the
> > host has a firewall rule from the first time you ran it, what is the
> > output? Does the script report that it got no response? It won't be able
> > to send one request and detect rejections after that, which is one of
> > its detection modes.
>
> In this case, the output would be only a debug message "No response
> from server".
>
> But, if a firewall rule is already set, nmap won't detect the port as
> open, and the script won't be triggered due to portrules.

After thinking about this a while, my opinion is that these scripts
shouldn't be included with Nmap. I like the idea but they are so
specialized and require such careful usage that most users aren't going
to benefit from them. I think it's best to leave these in the mailing
list archives where someone who is doing targeted IDS detection can find
them.

I'm open to having my mind changed. Any thoughts or alternatives?

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/