Nmap Development mailing list archives
Re: [NSE] Target time out checks
From: "Patrick Donnelly" <batrick.donnelly () gmail com>
Date: Mon, 22 Dec 2008 04:13:03 -0700
On Mon, Dec 22, 2008 at 12:50 AM, Fyodor <fyodor () insecure org> wrote:
> On Mon, Dec 22, 2008 at 12:36:41AM -0700, Patrick Donnelly wrote:
>> Currently NSE starts the time out clock for all the hosts in a runlevel group before beginning the scan. If there is an extremely large group, some hosts may not be handled before a script thread is mistakenly timed out (even when it has no connections open). Also, a script may not actually be accessing that host at the time (whois.nse will query the whois database, not the target!!). For this reason, I do not believe that the Target.timedOut method is appropriate for the Script Engine.
>
> Hi Patrick. Good points. But it is very important to have a timeout mechanism for NSE to avoid scripts running far longer than is desired. If I specify "nmap -A --host-timeout 5m scanme.nmap.org", the goal is that no more than a total of 5 minutes be spent scanning that machine. So if the 5M elapses during the port scanning phase, neither OS detection nor NSE should even be run against scanme. That is the current design goal. If 4:58 is already accounted for from port scanning by the time NSE starts, and so the first scripts have just a couple seconds to run before they time out, that is OK too. If a whois script is querying a registry about scanme, it is appropriate to charge that time to scanme.

That makes more sense, thanks for clarifying.

> As you note, this time accounting can get more complex when you are scanning multiple machines. It may be that NSE doesn't do a very good job at determining what hosts should be charged for the scripts running at a given time. In this case, I think it would be great to improve the time accounting system! But I don't think we should simply scrap it without a replacement at hand. I'd rather have the 5m timeout be inexact than fail to function entirely during NSE. But if you can create a patch to make timekeeping more accurate (without increasing complexity too much), that would be great!

In order to do the necessary timekeeping the yielded thread would need to signal to NSE somehow that it is safe to stop timekeeping for that host. I'm working on a solution for this.

Cheers,

--
-Patrick Donnelly

"One of the lessons of history is that nothing is often a good thing to do and always a clever thing to say."
-Will Durant

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org