Nmap Development mailing list archives
Re: [BUG] Exclusions directive not honored by NSE version detection
From: Djalal Harouni <tixxdz () gmail com>
Date: Sat, 19 Jun 2010 14:07:49 +0100
A new patch against the latest nmap svn revision is attached. On 2010-06-17 17:41:37 -0500, Kris Katterjohn wrote:
I don't know what all has been discussed in the NSE meetings pertaining to this problem, but why was it decided to use scripts and libraries to handle this sort of thing? I see Fyodor's comments[1] stating he prefers this way, but while I agree other scripts could potentially find this data useful, it seems like this may be the wrong way to go when Version scripts seem to be treated very specially anyway. By this I mean, what was discussed on having NSE examine the exclude list before checking portrules? I have never had a grasp on the inner workings of NSE, but couldn't it just not pass the excluded ports to scripts in the version category? Then the --allports option can be used to change this just like for service detection.
If we do that, this will probably mean that we'll pass and parse the excluded directive two times, one for Nmap version scan and the other one for NSE version scan. The excluded ports list is already in memory stored in the *excludedports* scan_list, and the AllProbes::isExcluded() will simply check it's argument (port and protocol) if they are in the *excludedports*, so we don't need to parse them again simply export a NSE function which will call isExcluded() and returns a boolean to NSE scripts to let them know if the port/protocol are in the *excludedports*. The --allports option is also honored by this patch. The current portrules were not modified, but there is a new *portrule* function version_port_or_service() which must be used by any script who wants to check if the current port and protocol are in the excluded directive. The shortport.port_is_excluded() function is *not* a portrule function, this function can also be used by Version scripts which do not use a shortport function to check if the port.number and port.protocol are excluded, this function is a wrapper of the nmap.port_is_excluded(). The shortport.port_is_excluded() function has been modified as you have suggested to take only a one port and a one protocol arguments. The new portrule function: portrule = shortport.version_port_or_service(9100)
Your new functions for passing the actual list of excluded ports can still be made available for any future scripts which may want to use them as Fyodor mentions. But since version scripts are treated differently, and the exclude list currently only pertains to version detection (it's in the probes file), I don't think many non-version scripts will care about it--and if they do then redoing the exclude list to be placed elsewhere and possibly meaning "unwritable" instead may be more useful for any other future enhancements or new features which will care about this directive.
The version_port_or_service name seems the most appreciated one, since this function is used by version detection scripts, but we can change the name on the future to port_or_service_excluded or something else. Note: this portrule function can be called by any script but for the moment it seems only useful for Version scripts. Tests are welcome, thx. -- tixxdz
Attachment:
nse-exclude.diff
Description:
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- [BUG] Exclusions directive not honored by NSE version detection Tom Sellers (Apr 30)
- Re: [BUG] Exclusions directive not honored by NSE version detection David Fifield (May 17)
- Re: [BUG] Exclusions directive not honored by NSE version detection Tom Sellers (May 22)
- Re: [BUG] Exclusions directive not honored by NSE version detection Fyodor (May 24)
- Re: [BUG] Exclusions directive not honored by NSE version detection Patrik Karlsson (May 24)
- Re: [BUG] Exclusions directive not honored by NSE version detection Tom Sellers (May 22)
- Re: [BUG] Exclusions directive not honored by NSE version detection David Fifield (May 17)
- Re: [BUG] Exclusions directive not honored by NSE version detection Djalal Harouni (Jun 17)
- Re: [BUG] Exclusions directive not honored by NSE version detection Kris Katterjohn (Jun 17)
- Re: [BUG] Exclusions directive not honored by NSE version detection Djalal Harouni (Jun 17)
- Re: [BUG] Exclusions directive not honored by NSE version detection Kris Katterjohn (Jun 17)
- Re: [BUG] Exclusions directive not honored by NSE version detection Djalal Harouni (Jun 19)
- Re: [BUG] Exclusions directive not honored by NSE version detection Kris Katterjohn (Jun 19)
- Re: [BUG] Exclusions directive not honored by NSE version detection Fyodor (Jun 20)
- Re: [BUG] Exclusions directive not honored by NSE version detection Djalal Harouni (Jun 20)
- Re: [BUG] Exclusions directive not honored by NSE version detection Djalal Harouni (Jun 20)
- Re: [BUG] Exclusions directive not honored by NSE version detection Djalal Harouni (Jun 29)
- Re: [BUG] Exclusions directive not honored by NSE version detection Kris Katterjohn (Jun 17)
- Re: [BUG] Exclusions directive not honored by NSE version detection Kris Katterjohn (Jun 21)
- Re: [BUG] Exclusions directive not honored by NSE version detection Djalal Harouni (Jun 26)
- <Possible follow-ups>
- Fwd: [BUG] Exclusions directive not honored by NSE version detection Tom Sellers (May 14)