Nmap Development mailing list archives

Re: version detection guideline


From: Patrick Donnelly <batrick () batbytes com>
Date: Sat, 9 Apr 2011 20:52:09 -0400

Hi Toni,

On Sat, Apr 9, 2011 at 11:55 AM, Toni Ruottu <toni.ruottu () iki fi> wrote:
> Should all scripts do version detection?

If a script comes across this information, yes.

> At some point I was told that any script that runs into version
> information should record that information. There are some things here
> too that are unclear to me. If I write a script that produces serious
> output but also records version information, should I then include
> that script to the version category? I have understood that you should
> not, because the version scripts get enabled automatically when the
> user executes a service scan, and the user is not expecting to see
> script output. Some scripts that produce output seem to currently be
> in the version category, but maybe this is an error.

Right, a script running in the "version script scanning phase"
shouldn't be producing script output. The problem is scripts can
distinguish between the two. I think we (David, Fyodor, and I) talked
about having a versionrule so scripts would know (via SCRIPT_TYPE)
they are supposed to be collecting version information and not
producing other output. A versionrule would basically be the same as a
portrule. Alternatively, NSE may just discard the script output during
the version script scan phase and scripts wouldn't need to worry about
it at all.

> From this I would say that one should never include version detection
> in a non-version script. The problem in this is that the script
> writers may need to write two scripts that are almost identical. The
> other one just does outputting and the other one does version
> detection. I think this is a good model, and should be encouraged.
> Code duplication is a bit boring, but consistent user experience seems
> more important to me. It is always possible to have the common parts
> in a library, if it is a huge amount of code and might be useful for
> other scripts as well.

Well this is why we have different "rules" that trigger the action: so
we can reduce code duplication.

-- 
- Patrick Donnelly
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

