Nmap Development mailing list archives

Re: [BUG] Exclusions directive not honored by NSE version detection


From: Djalal Harouni <tixxdz () gmail com>
Date: Sat, 19 Jun 2010 14:07:49 +0100

A new patch against the latest nmap svn revision is attached.

On 2010-06-17 17:41:37 -0500, Kris Katterjohn wrote:
> I don't know what all has been discussed in the NSE meetings pertaining
> to this problem, but why was it decided to use scripts and libraries to
> handle this sort of thing?  I see Fyodor's comments[1] stating he
> prefers this way, but while I agree other scripts could potentially
> find this data useful, it seems like this may be the wrong way to go
> when Version scripts seem to be treated very specially anyway.
>
> By this I mean, what was discussed on having NSE examine the exclude
> list before checking portrules?  I have never had a grasp on the inner
> workings of NSE, but couldn't it just not pass the excluded ports to
> scripts in the version category?  Then the --allports option can be
> used to change this just like for service detection.

If we do that, it will probably mean that we'll pass and parse the
Exclude directive two times, once for the Nmap version scan and once
for the NSE version scan. The excluded ports list is already in memory,
stored in the *excludedports* scan_list, and AllProbes::isExcluded()
will simply check whether its arguments (port and protocol) are in
*excludedports*, so we don't need to parse them again; we simply export
an NSE function which calls isExcluded() and returns a boolean to NSE
scripts to let them know if the port/protocol are in
*excludedports*. The --allports option is also honored by this patch.

The current portrules were not modified, but there is a new *portrule*
function version_port_or_service() which must be used by any script that
wants to check if the current port and protocol are in the Exclude
directive.

The shortport.port_is_excluded() function is *not* a portrule function;
it can also be used by Version scripts which do not use a
shortport function to check if the port.number and port.protocol are
excluded. This function is a wrapper of nmap.port_is_excluded().
The shortport.port_is_excluded() function has been modified as you
suggested to take only one port and one protocol argument.

The new portrule function:
portrule = shortport.version_port_or_service(9100)

> Your new functions for passing the actual list of excluded ports can
> still be made available for any future scripts which may want to use
> them as Fyodor mentions.  But since version scripts are treated
> differently, and the exclude list currently only pertains to version
> detection (it's in the probes file), I don't think many non-version
> scripts will care about it--and if they do then redoing the exclude
> list to be placed elsewhere and possibly meaning "unwritable" instead
> may be more useful for any other future enhancements or new features
> which will care about this directive.

The version_port_or_service name seems the most appreciated one,
since this function is used by version detection scripts, but we can
change the name in the future to port_or_service_excluded or something
else.
Note: this portrule function can be called by any script, but for the
moment it seems only useful for Version scripts.

Tests are welcome, thx.

-- 
tixxdz

Attachment: nse-exclude.diff
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/