Nmap Development mailing list archives

Re: Qscan in NSE: qscan.nse


From: Kris Katterjohn <katterjohn () gmail com>
Date: Sun, 21 Mar 2010 15:08:14 -0500

On 03/20/2010 11:10 PM, David Fifield wrote:
> On Fri, Mar 19, 2010 at 12:09:20PM -0500, Kris Katterjohn wrote:
>> So any report on how the script is actually working?  If more changes are
>> wanted, I'll stick it in nmap-exp/kris somewhere to avoid any more attachments.
>
> It looks good to commit to me, just with some more documentation. Most
> important is a section on how to interpret the results. Explain what it
> means for ports to be in different "families." Document what the units
> are in the MEAN column (milliseconds?), or even better, just put "ms" in
> the output table.
>
> There should be a paragraph explaining what's going on: mean and stddev
> of RTT are calculated over multiple sends to a port. I don't think a
> reference to the Student's t-test is out of place, as long as it's not
> in the first paragraph.
>
> Also mention that it tests both open and closed ports--that surprised me
> at first.


OK, these changes sound good and I've committed the updated script.  Here's
the description now:

Repeatedly probe open and/or closed ports on a host to obtain a series
of round-trip time values for each port.  These values are used to
group collections of ports which are statistically different from other
groups.  Ports being in different groups (or "families") may be due to
network mechanisms such as port forwarding to machines behind a NAT.

In order to group these ports into different families, some statistical
values must be computed.  Among these values are the mean and standard
deviation of the round-trip times for each port.  Once all of the times
have been recorded and these values have been computed, the Student's
t-test is used to test the statistical significance of the differences
between each port's data.  Ports which have round-trip times that are
statistically the same are grouped together in the same family.

This script is based on Doug Hoyte's Qscan documentation and patches
for Nmap.

> Oh, and the script arguments should be qualified with a "qscan." prefix.


I assume you mean just in the docs, which I did update.  In ipidseq and qscan
I do like this to handle args (I don't know what others do):

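-- Accept the argument with or without the "qscan." prefix;
-- the qualified name is checked first and wins if both are given.
for _, k in ipairs({"qscan.confidence", "confidence"}) do
        if nmap.registry.args[k] then
                conf = tonumber(nmap.registry.args[k])
                break
        end
end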

> David Fifield

Cheers,
Kris Katterjohn

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
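
The grouping that the script description in this message outlines (per-port mean and standard deviation of RTT, then a Student's t-test to decide which ports share a family), as an added Python example; it is not code from qscan.nse or from this thread. The greedy grouping order, the fixed 95% confidence level, the function names, and the sample RTT values are assumptions made for illustration.

```python
import math
from statistics import mean, variance

# Two-tailed critical values of Student's t at 95% confidence, keyed by
# degrees of freedom (standard table values; other df are not supported here).
T_CRIT_95 = {8: 2.306, 10: 2.228, 12: 2.179, 14: 2.145,
             16: 2.120, 18: 2.101, 20: 2.086}

def t_statistic(a, b):
    """Pooled-variance (Student's) two-sample t statistic and its df."""
    na, nb = len(a), len(b)
    df = na + nb - 2
    pooled = ((na - 1) * variance(a) + (nb - 1) * variance(b)) / df
    se = math.sqrt(pooled * (1 / na + 1 / nb))
    diff = abs(mean(a) - mean(b))
    if se == 0:  # both samples constant: differ only if the means differ
        return (math.inf if diff else 0.0), df
    return diff / se, df

def same_family(a, b):
    """True when the RTT samples are not significantly different."""
    t, df = t_statistic(a, b)
    return t < T_CRIT_95[df]

def group_families(rtts):
    """Assumed greedy grouping: walk ports by ascending mean RTT and open a
    new family when a port differs from the current family's first member."""
    families = []
    for port in sorted(rtts, key=lambda p: mean(rtts[p])):
        if families and same_family(rtts[families[-1][0]], rtts[port]):
            families[-1].append(port)
        else:
            families.append([port])
    return families

# Constructed sample: 10 RTT probes per port, in milliseconds. Two ports answer
# about 6 ms later, as they might if forwarded to a machine behind a NAT.
SAMPLE_RTTS_MS = {
    22:   [20.1, 19.8, 20.4, 20.0, 19.9, 20.3, 20.2, 19.7, 20.1, 20.0],
    80:   [20.2, 20.0, 19.9, 20.3, 20.1, 19.8, 20.4, 20.0, 20.2, 19.9],
    443:  [26.0, 26.2, 25.9, 26.3, 26.1, 26.4, 25.8, 26.0, 26.2, 26.1],
    8080: [26.3, 25.9, 26.1, 26.4, 25.8, 26.0, 26.2, 26.5, 25.9, 26.1],
}

if __name__ == "__main__":
    for i, family in enumerate(group_families(SAMPLE_RTTS_MS)):
        for port in family:
            print(f"family {i}  port {port:<5} mean {mean(SAMPLE_RTTS_MS[port]):.2f} ms")
```
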
