Re: Zenmap Compare really broken?

[David Fifield <david () bamsoftware com>]

On Fri, May 30, 2008 at 08:58:30PM -0700, Fyodor wrote:
> On Fri, May 30, 2008 at 05:11:05PM -0600, David Fifield wrote:
> > On Sat, Dec 15, 2007 at 11:24:33AM -0600, Kris Katterjohn wrote:
> > You still don't get anything from the HTML browser view, because that
> > only compares the text outputs. Now it gives a more helpful error
> > message explaining the situation instead of claiming you haven't
> > selected two scans yet. I decided to allow it to open the browser if
> > even one of the scans has text output, although it's not very helpful if
> > only one does because you get an all-insertions or all-deletions diff.
>
> It sure would be great if Zenmap made a smarter diff.  After all, I
> can easily take two Nmap normal-format output files and run diff on
> them.  But Zenmap has the big advantage of actually parsing and
> understanding the Nmap XML output.  So it could, theoretically, give a
> much more useful picture of what has changed in terms of new/removed
> host or new/removed listening services (and ideally it could handle
> misc. changes like OS detection, MAC address, NSE results, etc.)

Agreed. Current Zenmap comparison is not helpful. Part of Jurand's
Summer of Code proposal has to do with this:

  As far as additional functionality is concerned I would propose to
  include an option to analyze changes between consecutive scans. Here
  by changes I do not mean differences between output as already
  implemented by the compare output files option. When administering a
  sizeable network of computers one frequently runs the same scan
  periodically to detect any new vulnerability. Instead of analyzing the
  results each time, there could be a tab showing only the changes
  (e.g., new services started or ports opened) to immediately see if
  there is anything new that needs to be analyzed or addressed.

We have scheduled this for later in the summer so that it has time for
design.

I would like to see diff output something like this:

10.0.0.1: changed from down to up.
10.0.0.1: port 22/tcp changed from unknown to open.
10.0.0.1: 1664 ports changed from unknown to filtered.
10.0.0.2: reverse DNS changed from "mail.site.whatever" to "www.site.whatever".
10.0.0.2: service on port 10250 changed from "Foobar 1.99" to "Foobar 2.00".
10.0.0.2: port 80/tcp changed from open to closed.
etc.

The hard part, I think, is designing the interface for specifying that
two scans are "the same scan," just displaced in time. It's easy enough
to just have the user manually select two scans to compare, but a higher
degree of sophistication would be better. For example, say you have a
scan you run every day. Zenmap should be able to give you a nice report
with output like I showed above for every day in a long sequence, like
this:

February 24, 2008
10.0.0.1: changed from down to up
...

February 25, 2008
10.0.0.2: port 80/tcp changed from closed to filtered.
...

February 26, 2008
10.0.0.1: changed from up to down
...

The trick is to find a way to say that these scans all belong to the
same "chain." It shouldn't require selecting each one from a file
chooser. We could just force the user to keep related scan results in a
single directory, as they probably do anyway. Or perhaps it can be made
an attribute of a profile which "chain" the scan results belong to.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org