Nmap Development mailing list archives
Re: [RFC] Zenmap search interface overhaul
From: Kris Katterjohn <katterjohn () gmail com>
Date: Thu, 22 May 2008 20:43:14 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Vladimir Mitrovic wrote:
Hi all,
Hey Vladimir,
The "and" operator is implicit, and I don't think we will ever need an "or" operator. Having the "and" operator implicit makes it easier for us to parse the string, without resorting to more advanced concepts such as syntax trees.
I agree with an implicit AND being good, but I think OR can sometimes be very useful: "opt:v or opt:d"
It also allows us to make runtime searches while the query is being entered, since we don't need an entire string in order to run the search. So in the first example above, when you finish typing "opt:O" the results list is already populated with all OS detection scans, and the subsequent date constraint is only applied to the results list (fast!).
Nice.
In Wireshark, the input box background is red when the string being entered is illegal, and turns green when it becomes a legal string. Very cool! Also, we
Definitely :)
can add a one second "cooldown" time - we only run a search after 1s of keyboard inactivity (1.5s? 0.5s?). Parsing can take place on every keystroke because it generally takes much less time than searching.
I like this idea, and 1s sounds good to me.
Sorry for the long e-mail! Now where I need most help from the community is deciding on search keywords. The search string syntax will have to be well defined before I start any coding, and it will probably be a mess to modify it later. To sum up: o "Bare" search strings (without an operator) match anything, anywhere in the scan's output (like that "apache" example, above).
Yes.
o The "and" operator is implicit
Yes.
o Various fields in the scan are mapped to operators: // operator (alias) - description name: (n:) - Name of the scan target: (t:) - Scan target(s) opt: (o:) - Scan options (this includes everything in the command line, except "nmap" and the target list) date: (d:) - Date when scan was performed osclass: (os:) - The detected OS oports: (op:) - Open ports discovered in a scan cports: (cp:) - Closed ports discovered in a scan (I think I nailed the most important ones, but input is most appreciated!)
Do you plan on these being able to be combined, like "opt:d,sV", or will they be separate like "opt:d opt:sV" ? How about a generic operator for port state, rather than oports and cports? Like "portstate:open,open|filtered". There are a lot of port states which you would need to take into account for separate operators (I like the ACK Scan which can give the "unfiltered" state for stateless firewalls, for instance). What about options which take additional arguments, like - --version-intensity ? I may have missed it, but how would I be able to search on the arguments passed? Going along with the last one, I think "==", "<", ">", "<=", etc operators would be useful, and can be used like "opt:version-intensity == 9" or whatever. I noticed you mentioned syntax containing these operators, but were you talking specifically about them?
I'm looking forward to discussing these ideas further. Cheers, Vladimir
Thanks, Kris Katterjohn -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQIVAwUBSDYhL/9K37xXYl36AQIaGQ/8CxjDS666ORbxFSUeLBndcTvI/Zl3Zyq/ OO8kCXRAl9ZsfeuewG4cGAfvYiohwkScwSklRfCvXJKVGR89YFsD5NxKBSv1J3pw GveuTmr7M8Cm86JIwZ9ku7wwklEdlFvT2Ra4N7NZlQTilrJ2FQgGurPkv55mCwD8 ENyjQRiEx0FWrn6QK1AQu2Hb13HgzzWbugG3g6oGhJBB6B6TOnxHG7xKfbe6r5v1 2R7U080hE2df+cEyi6kceDXzRTCkbh8rE25F56q3Irk/UAfl2S2TPc410f59B+gz Wd6+EcaMCuISbdJMv9mNgRqjAnKVmEd/zzy/1PA6aOCojEr4CqDCLJJFRKV3kOBE yMuZFbHEzOaK4E3XW/UcCKo4NeNy8f2ny61Fk525pl5yb4rsUsauO7NlSnJYFa12 byVO1pT4Slm4ejhQFSD7iKyuLVEKkOLiuLmXrQXZyk0YBLZ32OnuebmyigdqTqlD N/rlFOd4ItSHEU5075a4VvG214RmQEFQDzdaamRmbgZ7AamjDQNxNuadJeN++Ur5 7NBVZHIXxv4iekKHH3SR6Xp2UNtIXsr0L50H9ixoTZ7Tq5tid9f9omXnWxmZ4KCL 2bzNLXkcVYTl9+65HaxebT7bgTtlz1T7yOXLM4cP3kz1TohPa7hcTbDnKS/sheId dPTb9Wt1EEA= =tGxz -----END PGP SIGNATURE----- _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- [RFC] Zenmap search interface overhaul Vladimir Mitrovic (May 22)
- Message not available
- Re: [RFC] Zenmap search interface overhaul Vladimir Mitrovic (May 22)
- Message not available
- Re: [RFC] Zenmap search interface overhaul Kris Katterjohn (May 22)
- Re: [RFC] Zenmap search interface overhaul Vladimir Mitrovic (May 23)
- Re: [RFC] Zenmap search interface overhaul jah (May 23)
- Re: [RFC] Zenmap search interface overhaul Vladimir Mitrovic (May 23)
- Re: [RFC] Zenmap search interface overhaul David Fifield (May 23)
- Re: [RFC] Zenmap search interface overhaul eldraco (May 23)
- Re: [RFC] Zenmap search interface overhaul Vladimir Mitrovic (May 24)
- Re: [RFC] Zenmap search interface overhaul Vladimir Mitrovic (May 26)
- Re: [RFC] Zenmap search interface overhaul David Fifield (May 27)
- Re: [RFC] Zenmap search interface overhaul Vladimir Mitrovic (May 27)
- Re: [RFC] Zenmap search interface overhaul Vladimir Mitrovic (May 27)
- Re: [RFC] Zenmap search interface overhaul eldraco (May 23)