Nmap Development mailing list archives

Re: [NSE] Target time out checks


From: "Patrick Donnelly" <batrick.donnelly () gmail com>
Date: Mon, 22 Dec 2008 04:13:03 -0700

On Mon, Dec 22, 2008 at 12:50 AM, Fyodor <fyodor () insecure org> wrote:
> On Mon, Dec 22, 2008 at 12:36:41AM -0700, Patrick Donnelly wrote:
>> Currently NSE starts the time out clock for all the hosts in a
>> runlevel group before beginning the scan. If there is an extremely
>> large group, some hosts may not be handled before a script thread is
>> mistakenly timed out (even when it has no connections open). Also, a
>> script may not actually be accessing that host at the time (whois.nse
>> will query the whois database, not the target!!). For this reason, I do
>> not believe that the Target.timedOut method is appropriate for the
>> Script Engine.
>
> Hi Patrick.  Good points.  But it is very important to have a timeout
> mechanism for NSE to avoid scripts running far longer than is desired.
> If I specify "nmap -A --host-timeout 5m scanme.nmap.org", the goal is
> that no more than a total of 5 minutes be spent scanning that machine.
> So if the 5M elapses during the port scanning phase, neither OS
> detection nor NSE should even be run against scanme.  That is the
> current design goal.  If 4:58 is already accounted for from port
> scanning by the time NSE starts, and so the first scripts have just a
> couple seconds to run before they time out, that is OK too.  If a
> whois script is querying a registry about scanme, it is appropriate to
> charge that time to scanme.

That makes more sense, thanks for clarifying.

> As you note, this time accounting can get more complex when you are
> scanning multiple machines.  It may be that NSE doesn't do a very good
> job at determining what hosts should be charged for the scripts
> running at a given time.  In this case, I think it would be great to
> improve the time accounting system!  But I don't think we should
> simply scrap it without a replacement at hand.  I'd rather have the 5m
> timeout be inexact than fail to function entirely during NSE.  But if
> you can create a patch to make timekeeping more accurate (without
> increasing complexity too much), that would be great!

In order to do the necessary timekeeping the yielded thread would need
to signal to NSE somehow that it is safe to stop timekeeping for that
host. I'm working on a solution for this.

Cheers,

-- 
-Patrick Donnelly

"One of the lessons of history is that nothing is often a good thing
to do and always a clever thing to say."

-Will Durant

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
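As an added illustration (not code from this thread or from Nmap itself), a small Python model of the two accounting choices discussed above: charging every host in a runlevel group from the moment the group starts, versus charging a host only while its own script is running. Group size, script durations, worker count and per-host budgets are constructed sample values.

```python
from dataclasses import dataclass


@dataclass
class Host:
    name: str
    budget: float          # --host-timeout seconds left when NSE starts
    charged: float = 0.0   # seconds NSE charged to this host
    ran: bool = False      # did its script get a turn before being killed?
    timed_out: bool = False


def run_group(hosts, per_script, workers, policy):
    """Simulate one script per host in a runlevel group.

    `workers` scripts run at a time and each occupies `per_script` seconds of
    wall clock, so the i-th host's script starts at (i // workers) * per_script.
    policy "group_start": every host's clock starts with the group, so time
        spent waiting in the queue is charged to the host (the behaviour the
        thread describes as current).
    policy "active": a host is charged only while its own script runs.
    Returns the names of hosts that hit their timeout."""
    for i, h in enumerate(hosts):
        start = (i // workers) * per_script   # wall clock when its script starts
        if policy == "group_start":
            h.ran = start < h.budget          # else killed before it began
            h.charged = start + per_script
        elif policy == "active":
            h.ran = True
            h.charged = per_script
        else:
            raise ValueError(f"unknown policy {policy!r}")
        h.timed_out = h.charged > h.budget
    return [h.name for h in hosts if h.timed_out]


def demo(policy):
    """Constructed group: one host with 1s of budget left (the 4:58 case)
    and seven hosts with 5s left; scripts take 2s and two run at a time."""
    hosts = [Host("scanme", budget=1.0)]
    hosts += [Host(f"h{i}", budget=5.0) for i in range(1, 8)]
    timed_out = run_group(hosts, per_script=2.0, workers=2, policy=policy)
    never_ran = [h.name for h in hosts if h.timed_out and not h.ran]
    return timed_out, never_ran


if __name__ == "__main__":
    for policy in ("group_start", "active"):
        print(policy, demo(policy))
```

Under "group_start" the last two hosts are timed out without their script ever running, which is the mistaken time-out the first message describes; under "active" only the host that genuinely had no budget left is charged past its limit.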
