Nmap Development mailing list archives

Re: [BUG] Exclusions directive not honored by NSE version detection


From: Kris Katterjohn <katterjohn () gmail com>
Date: Thu, 17 Jun 2010 17:41:37 -0500

On Thu, 17 Jun 2010 20:29:20 +0100
Djalal Harouni <tixxdz () gmail com> wrote:

> On 2010-06-17 13:39:17 -0500, Kris Katterjohn wrote:
> > And while I agree that modifying the existing shortport functions
> > like portnumber() is not the way to go, I think creating a new
> > function or option (or whatever) for exclusion support is a good
> > thing if it's not really ugly or hacky.  Perhaps you've thought
> > about this and came up with no good solution?  I haven't given
> > thought to how to go about it yet, but I think having this would be
> > good for version scripts for all of the reasons shortport exists
> > already for everything else.
> Well, to clarify this was discussed in nse meetings and with Patrick,
> perhaps the current solution is not perfect so we'll discuss this
> again and any help would be welcome.


I don't know what all has been discussed in the NSE meetings pertaining
to this problem, but why was it decided to use scripts and libraries to
handle this sort of thing?  I see Fyodor's comments[1] stating he
prefers this way, but while I agree other scripts could potentially
find this data useful, it seems like this may be the wrong way to go
when Version scripts seem to be treated very specially anyway.

By this I mean, what was discussed on having NSE examine the exclude
list before checking portrules?  I have never had a grasp on the inner
workings of NSE, but couldn't it just not pass the excluded ports to
scripts in the version category?  Then the --allports option can be
used to change this just like for service detection.

Your new functions for passing the actual list of excluded ports can
still be made available for any future scripts which may want to use
them as Fyodor mentions.  But since version scripts are treated
differently, and the exclude list currently only pertains to version
detection (it's in the probes file), I don't think many non-version
scripts will care about it--and if they do then redoing the exclude
list to be placed elsewhere and possibly meaning "unwritable" instead
may be more useful for any other future enhancements or new features
which will care about this directive.

Just thinking :)  Maybe this was all discussed already.

Thx for your comments.


Cheers,
Kris Katterjohn

[1] http://seclists.org/nmap-dev/2010/q2/604

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
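
The engine-side filtering proposed in the message above (do not hand excluded ports to version-category scripts unless --allports is given), modeled as an added Python example. It is not part of the original message and is not Nmap or NSE code; the function names, script names and the sample directive are constructed, and the port-specification handling assumes the same `T:`/`U:` prefix rules as the `-p` option.

```python
# Model of the proposal only; all names here are hypothetical.

def parse_exclude(line):
    """Parse an nmap-service-probes style 'Exclude' line into {proto: set(ports)}."""
    keyword, _, spec = line.strip().partition(" ")
    if keyword != "Exclude" or not spec.strip():
        raise ValueError("not an Exclude directive: %r" % line)
    excluded = {"tcp": set(), "udp": set()}
    protos = ("tcp", "udp")              # no prefix yet: applies to both protocols
    for item in spec.strip().split(","):
        item = item.strip()
        if item[:2] in ("T:", "U:"):     # assumed: prefix stays in effect, as with -p
            protos = ("tcp",) if item[0] == "T" else ("udp",)
            item = item[2:]
        low, _, high = item.partition("-")
        low = int(low)                   # raises ValueError on an empty or bad item
        high = int(high) if high else low
        if not 0 < low <= high <= 65535:
            raise ValueError("bad port range: %r" % item)
        for proto in protos:
            excluded[proto].update(range(low, high + 1))
    return excluded


def scripts_to_run(scripts, port, proto, excluded, allports=False):
    """Names of scripts whose portrule would still be evaluated for this port.

    Version-category scripts are dropped on excluded ports unless allports is
    set; scripts in other categories are never affected by the exclude list.
    """
    skip_version = (not allports) and port in excluded.get(proto, ())
    return [s["name"] for s in scripts
            if not (skip_version and "version" in s["categories"])]


# Constructed sample input.
SAMPLE_DIRECTIVE = "Exclude 53,T:9100-9107,U:30000-30002"
SAMPLE_SCRIPTS = [
    {"name": "example-version", "categories": {"version"}},
    {"name": "example-discovery", "categories": {"discovery", "safe"}},
]

if __name__ == "__main__":
    ex = parse_exclude(SAMPLE_DIRECTIVE)
    for allports in (False, True):
        print(allports, scripts_to_run(SAMPLE_SCRIPTS, 9100, "tcp", ex, allports))
```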

