Nmap Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [NSE] Script Dependencies Replacement for Runlevels

From: Fyodor <fyodor () insecure org>
Date: Tue, 10 Nov 2009 18:53:25 -0800
On Tue, Nov 10, 2009 at 09:25:16AM -0600, Ron wrote:

David Fifield wrote:

Once http-spider.nse exists, I'd like to write some scripts that depend
on it. They wouldn't just be helped by http-spider.nse, but they'd
*require* its output to run.


I'm wondering if a library would be better for this sort of need than
"strong dependencies"?  Let's look at these two options in the case of
http-spider:

==As a spidering library:

 o Your script which depends on spidering can pass an argument saying
   what type of content you're interested in (e.g. do you care about
   images at all?  If not, no point in a script like sql-injection
   downloading them)

 o You can pass arguments specifying how deeply you want to spider
   (e.g. stop after 1,000 requests or 5 minutes, whichever comes first)

 o Depending on how the spidering library is architected, you may be
   able to control it interactively (e.g. have it call you back with each
   resource so you can deal with it one page at a time and perhaps
   specify which embedded links you want to (or do not want to) spider
   recursively.

 o The library doesn't request anything if none of the scripts end up
   needing it.  And even if it is needed, it doesn't end up running
   until that point where it will need to be used (because it gets
   called then).

 o The same script or other scripts can call it later if more
   information is needed.  For example, sql-injection may not care
   about images, but http-mirror might.  So http-mirror will call it
   with different arguments and the pages will come from our cache
   while the images will be fetched for the first time.

 o I'm assuming that the worker processes (Patrick's other neat
   pending patch) could be used by a library just as they can by a
   script.

==As a script

 o I guess the script would just have to do something generic like
   fetch a bunch of pages (including images, I suppose), and then stop
   at some point and hope it has gathered whatever the scripts which
   depend on it need.  It can see user-specified NSE arguments, just
   as a library could, but doesn't know anything about the
   requirements of the scripts which depend on it.

For these reasons, it seems to me that a spidering NSE library would
be better than a script, even if we had strong dependencies.

Cheers,
Fyodor
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
Previous By Date Next
Previous By Thread Next

Current thread: