Re: Safe and Intrusive Category confusion

[Fyodor <fyodor () insecure org>]

On Wed, Sep 30, 2009 at 08:53:50PM -0600, David Fifield wrote:
> I with you on the special handling of the version scripts and
> smtp-open-relay.nse. I agree with the "not safe" ones too. There are a
> couple, as you said, under "Safe" that could go either way, but the list
> above looks good to me.

OK, I just made the changes.  I had a change of heart on a couple issues though:

o I kept dhcp-discover out of the "safe" category, since it does
  reserve an IP address from the server.  I think "default" scripts
  should generally be in the "safe" category, but I guess they don't
  always have to be.  If someone wants only safe default scripts, they
  can specify "--script default and safe".  That is even one of the
  examples given in the Nmap man page.

o I kept the intrusive category.  My current thought is that it can be
  useful for two reasons:
  1) It helps us find improperly classified scripts.  A simple grep
     for scripts which aren't in safe, intrusive, or version does the
     trick.
  2) It reminds people who are looking at the script (e.g. in nsedoc
     or reading the source file) that the script has been classified as
     intrusive, so they should be particularly careful in running it.

Cheers,
Fyodor

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org