Nmap Development mailing list archives
Re: Zenmap Compare really broken?
From: David Fifield <david () bamsoftware com>
Date: Sat, 31 May 2008 15:44:08 -0600
On Fri, May 30, 2008 at 08:58:30PM -0700, Fyodor wrote:
On Fri, May 30, 2008 at 05:11:05PM -0600, David Fifield wrote:On Sat, Dec 15, 2007 at 11:24:33AM -0600, Kris Katterjohn wrote: You still don't get anything from the HTML browser view, because that only compares the text outputs. Now it gives a more helpful error message explaining the situation instead of claiming you haven't selected two scans yet. I decided to allow it to open the browser if even one of the scans has text output, although it's not very helpful if only one does because you get an all-insertions or all-deletions diff.It sure would be great if Zenmap made a smarter diff. After all, I can easily take two Nmap normal-format output files and run diff on them. But Zenmap has the big advantage of actually parsing and understanding the Nmap XML output. So it could, theoretically, give a much more useful picture of what has changed in terms of new/removed host or new/removed listening services (and ideally it could handle misc. changes like OS detection, MAC address, NSE results, etc.)
Agreed. Current Zenmap comparison is not helpful. Part of Jurand's Summer of Code proposal has to do with this: As far as additional functionality is concerned I would propose to include an option to analyze changes between consecutive scans. Here by changes I do not mean differences between output as already implemented by the compare output files option. When administering a sizeable network of computers one frequently runs the same scan periodically to detect any new vulnerability. Instead of analyzing the results each time, there could be a tab showing only the changes (e.g., new services started or ports opened) to immediately see if there is anything new that needs to be analyzed or addressed. We have scheduled this for later in the summer so that it has time for design. I would like to see diff output something like this: 10.0.0.1: changed from down to up. 10.0.0.1: port 22/tcp changed from unknown to open. 10.0.0.1: 1664 ports changed from unknown to filtered. 10.0.0.2: reverse DNS changed from "mail.site.whatever" to "www.site.whatever". 10.0.0.2: service on port 10250 changed from "Foobar 1.99" to "Foobar 2.00". 10.0.0.2: port 80/tcp changed from open to closed. etc. The hard part, I think, is designing the interface for specifying that two scans are "the same scan," just displaced in time. It's easy enough to just have the user manually select two scans to compare, but a higher degree of sophistication would be better. For example, say you have a scan you run every day. Zenmap should be able to give you a nice report with output like I showed above for every day in a long sequence, like this: February 24, 2008 10.0.0.1: changed from down to up ... February 25, 2008 10.0.0.2: port 80/tcp changed from closed to filtered. ... February 26, 2008 10.0.0.1: changed from up to down ... The trick is to find a way to say that these scans all belong to the same "chain." It shouldn't require selecting each one from a file chooser. We could just force the user to keep related scan results in a single directory, as they probably do anyway. Or perhaps it can be made an attribute of a profile which "chain" the scan results belong to. David Fifield _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- Re: Zenmap Compare really broken? David Fifield (May 30)
- Re: Zenmap Compare really broken? Kris Katterjohn (May 30)
- Re: Zenmap Compare really broken? Fyodor (May 30)
- Re: Zenmap Compare really broken? David Fifield (May 31)
- Re: Zenmap Compare really broken? Fyodor (May 31)
- Re: Zenmap Compare really broken? bensonk (May 31)
- Re: Zenmap Compare really broken? Jabra (May 31)
- Re: Zenmap Compare really broken? David Fifield (May 31)