Nmap Development mailing list archives

Re: [NSE] Target time out checks


From: Fyodor <fyodor () insecure org>
Date: Sun, 21 Dec 2008 23:50:21 -0800

On Mon, Dec 22, 2008 at 12:36:41AM -0700, Patrick Donnelly wrote:
> Currently NSE starts the time out clock for all the hosts in a
> runlevel group before beginning the scan. If there is an extremely
> large group, some hosts may not be handled before a script thread is
> mistakenly timed out (even when it has no connections open). Also, a
> script may not actually be accessing that host at the time (whois.nse
> will query the whois database, not the target!!). For this reason, I do
> not believe that the Target.timedOut method is appropriate for the
> Script Engine.

Hi Patrick.  Good points.  But it is very important to have a timeout
mechanism for NSE to avoid scripts running far longer than is desired.
If I specify "nmap -A --host-timeout 5m scanme.nmap.org", the goal is
that no more than a total of 5 minutes be spent scanning that machine.
So if the 5M elapses during the port scanning phase, neither OS
detection nor NSE should even be run against scanme.  That is the
current design goal.  If 4:58 is already accounted for from port
scanning by the time NSE starts, and so the first scripts have just a
couple seconds to run before they time out, that is OK too.  If a
whois script is querying a registry about scanme, it is appropriate to
charge that time to scanme.

As you note, this time accounting can get more complex when you are
scanning multiple machines.  It may be that NSE doesn't do a very good
job at determining what hosts should be charged for the scripts
running at a given time.  In this case, I think it would be great to
improve the time accounting system!  But I don't think we should
simply scrap it without a replacement at hand.  I'd rather have the 5m
timeout be inexact than fail to function entirely during NSE.  But if
you can create a patch to make timekeeping more accurate (without
increasing complexity too much), that would be great!

Cheers,
-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

