Nmap Development mailing list archives

Re: [BUG] Exclusions directive not honored by NSE version detection


From: Fyodor <fyodor () insecure org>
Date: Sun, 20 Jun 2010 12:08:48 -0700

On Thu, Jun 17, 2010 at 05:41:37PM -0500, Kris Katterjohn wrote:

> I have never had a grasp on the inner workings of NSE, but couldn't
> it just not pass the excluded ports to scripts in the version
> category?

That would work too, but I think it has disadvantages:

o Makes the functionality more "mysterious" since the working is in
  the engine and isn't reflected in the scripts.  So you have to know
  about this implicit NSE rule, versus being able to see the behavior in
  scripts.

o Potential issues with the scripts we have which are in "version" and
  other categories too (db2-das-info, db2-info).

o Prevents non-version scripts from making use of the excluded ports
  data.  Also prevents version scripts from overriding it (though I
  doubt they will want to anyway).

I think the implicit approach would be better if we had a huge number
of version scripts.  But the number of those scripts is small enough
(and expected to remain that way) that I think it is better to put the
behavior explicitly in the scripts rather than adding special magic
behavior to the engine.

> Then the --allports option can be used to change this just like for
> service detection.

The --allports option should still work with Djalal's patch too.
Note:

+  // check if the allports option was used
+  if (o.override_excludeports)
+    return 0;
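
Review bot: the comment above `if (o.override_excludeports)` says what is being tested but not what the early `return 0;` means to the caller. Suggest wording the comment so the result is explicit, for example that with --allports no port is reported as excluded, so the intent of the 0 is visible at this line without reading the rest of the function.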

Although I actually think it would be cleaner if we just didn't store
the Excluded ports (e.g. see line 1079 of service_scan.cc) in the first
place when --allports is used.  I think that would be better than
having to remember to always test o.override_excludeports specifically
when we want to check exclude ports.  But it's not a big deal.

Cheers,
-F
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

