Nmap Development mailing list archives

Re: [NSE] New Script Version scan phase for versionrule scripts


From: David Fifield <david () bamsoftware com>
Date: Mon, 27 Sep 2010 14:12:43 -0600

On Sat, Sep 11, 2010 at 12:21:02AM +0100, Djalal Harouni wrote:
On 2010-08-21 21:20:06 +0100, Djalal Harouni wrote:
A patch is attached to introduce a new rule 'versionrule' which will be
used by version category scripts. The patch is against nmap trunk.

A new patch that introduces the new Script Version scan phase
(NSE_VERSION_SCAN) before the Script scan phase (NSE_SCAN) is attached.

Scripts will run during this Script Version scan phase if they have a
versionrule and if the -sV option was given and if the pair
port/protocol is not in the exclude directive.

Note: running a script with --script=version will activate the portrule
rather than the versionrule.


But there is a *minor* issue, and I need more feedback on it:
* If we have a script which has multiple rules (portrule and
  versionrule), then this script can run *twice* for the same port, one
  for the versionrule and the other one for the portrule.

As I see it, there are two issues. The first is what you have mentioned,
that a script with both a versionrule and a portrule or hostrule will
run twice in two separate phases, where currently "version" category
scripts run just once, in the main scan phase.

The second issue is that by splitting versionrule scripts into their own
scan phase, we lose some amount of parallelism. Currently -sV -sC runs
all version-detection and other scripts in parallel. The proposal would
split this into two phases regardless of how many scripts are in each
phase.

In a way, the second issue makes sense, in that we expect normal -sV
version detection to be completely finished before we start script
scanning. versionrule scripts should arguably behave the same way.

On the other hand, it is a little bit like running portrule and hostrule
scripts in different phases--if there's no reason for it, all it does is
take longer. Of course, it would be possible to keep the versionrule
notion and run all three of versionrule, portrule, and hostrule in the
NSE_SCAN phase.

I'm willing to consider a separate NSE_VERSION_SCAN phase, but first we
should see some test results to see how it compares against the current
solution. I'm thinking of a test running 100 instances of
skypev2-version and html-title and comparing times. Maybe the time
difference won't be great, and then there's no problem. But we should
know before making this change.

As for splitting out a separate versionrule (without considering a
separate scan phase), that's fine but I don't see what advantages it
offers. In every case I can think of (and every case in the patch), the
versionrule is identical to the portrule. There might as well be a
version_flag variable, which is what we have now with the "version"
category. In fact now that I think about it, a separate versionrule only
makes sense if there is a separate NSE_VERSION_SCAN phase.

If you believe this should be merged, please create some tests like I
described above and measure the performance impact of a separate
NSE_VERSION_SCAN phase.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
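To make concrete the point above that every versionrule in the patch is identical to the script's portrule, here is a minimal version-category script written under the current model, where the "version" category is the flag that ties the script to -sV (an added example, not code from the patch or from Nmap's script tree; the port 1234, the service name and the banner format are constructed).

```lua
local nmap = require "nmap"
local shortport = require "shortport"

description = [[
Minimal version-category script (added example). Reads the first
banner line and records product and version for the port.
]]
author = "example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"version"}

-- Under the current model this portrule is exactly what a separate
-- versionrule would contain; the "version" category, not the rule,
-- is what makes Nmap run the script as part of -sV.
-- Port and service name are constructed for the example.
portrule = shortport.port_or_service(1234, "example-svc", "tcp")

action = function(host, port)
  local sock = nmap.new_socket()
  sock:set_timeout(5000)
  local ok = sock:connect(host, port)
  if not ok then return nil end
  local status, line = sock:receive_lines(1)
  sock:close()
  if not status then return nil end
  -- Constructed banner shape assumed: "ExampleSvc 2.1 ready"
  local product, ver = line:match("^(%S+)%s+([%d%.]+)")
  if not product then return nil end
  -- Version scripts report through the port's version table rather
  -- than through script output, so the -sV columns get filled in.
  port.version.name = "example-svc"
  port.version.product = product
  port.version.version = ver
  nmap.set_port_version(host, port)
  return nil
end
```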