Nmap Development mailing list archives

Re: [NSE] New class of scripts -- New Rule proposal


From: Fyodor <fyodor () insecure org>
Date: Mon, 28 Jun 2010 22:14:35 -0700

On Fri, Jun 25, 2010 at 03:35:02PM -0500, Daniel Miller wrote:
> A way to get around the decision of whether/when to use the netscript's
> discoveries to automatically add targets, a new -iC option could be
> added (in the spirit of -iL, -iR), meaning "get targets from
> netscripts". This avoids surprising someone who was not expecting to
> scan those new targets, and also allows one to use the same script to
> simply discover a list of hosts without scanning them.

That is certainly a good point.  We don't want Nmap going off and
expanding the scope of its scans beyond the expectations of its user.
It seems that most scripts which discover IP addresses could either
print those IPs in the results, or add them to the scan. We'd want to
support both.  We will have to think about it more concretely once we
have such scripts, but I imagine that the default will be to print the
IPs, and there will be a special --script-arg (common to all the
scripts which do this) which requests that newly discovered IPs be
added to the target list.

If a certain script arg becomes extremely popular, we can consider
giving it an Nmap option as syntactic sugar.  For example, the -iC you
proposed could be a shortcut for "--script-arg expandtargets" or
whatever.  I think the best order for figuring this out is:

o Add the functionality for scripts to add extra IPs for Nmap to scan.
o When writing such a script (particularly the first one), decide how
  it is most likely to be used, and how to control it with arguments.
o Follow the same model with other scripts unless there is a strong
  reason for divergent behavior.
o At some point we can consider adding short Nmap options for the most
  common script-args.

Cheers,
Fyodor
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

