Nmap Development mailing list archives
Re: [NSE] New script dns-blacklist
From: Duarte Silva <duarte.silva () serializing me>
Date: Fri, 06 Jan 2012 16:08:31 +0000
Hi all,

finally, I feel comfortable with the solution developed in order to add the ability to configure providers using script arguments in the DNSBL library. I kept Patrik's solution of adding the "new" function to each service and ended up also implementing Patrik's idea on the "fmt_query" function (removed my "check" function, in this case I opted for a more complex logic instead of code increase).

I added three new providers:
- ATTACK
  - all.bl.blocklist.de
  - dnsbl.httpbl.org
- PROXY
  - tor.dan.me.uk

As usual patch follows in the attachments (the patch also removes some misplaced tabs).

Two questions:
- Shouldn't the Zeus tracker script (dns-zeustracker.nse) be merged into the DNSBL library? Maybe not, since it's too specific? Or maybe we can reuse some code in the library? What do you think?
- I feel that the "ATTACK" category can be changed to a more generic category, like "THREAT"?

Regards,
Duarte Silva

On Monday 02 January 2012 21:52:33 Patrik Karlsson wrote:

Hi Patrik,

There was no patch for the first two services attached to your post? I checked them out and they both seem interesting, the first one would probably fit under the PROXY section, while the second one should probably go into a category called ATTACK or similar?

No sorry, I didn't send the patch. I wanted to do it once I had added the three providers. Yes, the first one is in the PROXY category and the second one I created the ATTACK category. The output of "dns-blacklist.list" is the following:

Pre-scan script results:
| dns-blacklist:
| ATTACK
|
| all.bl.blocklist.de
| dnsbl.httpbl.org
|
| dnsbl.httpbl.org.apikey - the http:BL API key
|
| PROXY
|
| dnsbl.ahbl.org
| socks.dnsbl.sorbs.net
| misc.dnsbl.sorbs.net
| http.dnsbl.sorbs.net
| tor.dan.me.uk
| dnsbl.tornevall.org
|
| SPAM
|
| dnsbl.ahbl.org
| dnsbl.inps.de
| bl.nszones.com
| l2.apews.org
| list.quorum.to
| all.spamrats.com
| bl.spamcop.net
| spam.dnsbl.sorbs.net
|
|_ sbl.spamhaus.org

You can see that it is listing the API key argument that must be specified for the "dnsbl.httpbl.org" provider.

In regards to the third one I think it both looks interesting and something to add. For the key part I don't think it's very difficult to do with the existing library. One way of doing it would be to get a script argument with the key in the fmt_query function of each service that needs one. Check out the first service in the list, it has a fmt_query function to show how it works. I guess it could look something like this:

    fmt_query = function(ip)
      local rev_ip = dns.reverse(ip):match("^(.*)%.in%-addr%.arpa$")
      local key = stdnse.get_script_args("dnsbl.key.dnsbl.httpbl.org")
      if ( not(key) ) then
        return
      end
      return ("%s.%s.dnsbl.httpbl.org"):format(key,rev_ip)
    end

I guess the checkBL function would need to be patched to handle an empty response from the fmt_query function.

I have a somewhat similar solution. You can check the patch, it isn't fully implemented though.

Cheers,
Patrik

Hi Duarte,

I changed so that each service now has a "new" function through which it can be instantiated. This way it can get the configuration there and it does no longer have to be passed to each and every function. Maybe this is a bit too ambitious or just a bad idea, as most of the services don't have any benefit of this? I've attached a patch against SVN but haven't done any extensive testing of the change.

Cheers,
Patrik
Attachment: dnsbl.patch
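The design discussed in this thread, as an added sketch that is not part of the original messages, the attached patch or Nmap's dnsbl library: each provider is instantiated through a "new" function that reads its configuration once, fmt_query returns nothing when a required API key is missing, and the checking loop skips that provider instead of sending a malformed lookup. It is plain Lua without the NSE libraries; Provider, reverse_ipv4, build_queries and the args table are hypothetical names, and the address is a constructed documentation address.

```lua
-- Added illustration in plain Lua (no NSE libraries); all names are hypothetical.

-- "192.0.2.10" -> "10.2.0.192"; nil if the input is not a dotted-quad IPv4 address.
local function reverse_ipv4(ip)
  local a, b, c, d = ip:match("^(%d+)%.(%d+)%.(%d+)%.(%d+)$")
  if not a then return nil end
  for _, octet in ipairs({ a, b, c, d }) do
    if tonumber(octet) > 255 then return nil end
  end
  return ("%s.%s.%s.%s"):format(d, c, b, a)
end

local Provider = {}
Provider.__index = Provider

-- Configuration is read once here rather than being passed to every function.
-- The argument name follows the "<provider>.apikey" form shown in the list output.
function Provider.new(zone, args, needs_key)
  local self = { zone = zone, needs_key = needs_key, key = args[zone .. ".apikey"] }
  return setmetatable(self, Provider)
end

-- Returns the DNS name to look up, or nil when the address is invalid
-- or a required key has not been configured.
function Provider:fmt_query(ip)
  local rev = reverse_ipv4(ip)
  if not rev then return nil end
  if not self.needs_key then return ("%s.%s"):format(rev, self.zone) end
  if not self.key then return nil end
  return ("%s.%s.%s"):format(self.key, rev, self.zone)
end

-- The caller treats an empty fmt_query result as "skip this provider".
local function build_queries(providers, ip)
  local queries, skipped = {}, {}
  for _, p in ipairs(providers) do
    local q = p:fmt_query(ip)
    if q then queries[#queries + 1] = q else skipped[#skipped + 1] = p.zone end
  end
  return queries, skipped
end

-- Constructed sample: no "dnsbl.httpbl.org.apikey" argument is supplied.
local args = {}
local providers = {
  Provider.new("tor.dan.me.uk", args, false),
  Provider.new("dnsbl.httpbl.org", args, true),
}
local queries, skipped = build_queries(providers, "192.0.2.10")
print("queries: " .. table.concat(queries, ", "))
print("skipped (no API key): " .. table.concat(skipped, ", "))
```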