Nmap Development mailing list archives
Re: [NSE] New Script Version scan phase for versionrule scripts
From: David Fifield <david () bamsoftware com>
Date: Mon, 27 Sep 2010 14:12:43 -0600
On Sat, Sep 11, 2010 at 12:21:02AM +0100, Djalal Harouni wrote:
> On 2010-08-21 21:20:06 +0100, Djalal Harouni wrote:
> > A patch is attached to introduce a new rule 'versionrule' which will be
> > used by version category scripts. The patch is against nmap trunk.
>
> A new patch that introduces the new Script Version scan phase
> (NSE_VERSION_SCAN) before the Script scan phase (NSE_SCAN) is attached.
> Scripts will run during this Script Version scan phase if they have a
> versionrule and if the -sV option was given and if the pair port/protocol
> are not in the exclude directive.
>
> Note: running a script with --script=version will activate the portrule
> rather than the versionrule.
>
> But there is a *minor* issue, and I need more feedback on it:
>
> * If we have a script which has multiple rules (portrule and versionrule),
>   then this script can run *twice* for the same port, once for the
>   versionrule and the other time for the portrule.
As I see it, there are two issues. The first is what you have mentioned, that a script with both a versionrule and a portrule or hostrule will run twice in two separate phases, where currently "version" category scripts run just once, in the main scan phase. The second issue is that by splitting versionrule scripts into their own scan phase, we lose some amount of parallelism. Currently -sV -sC runs all version-detection and other scripts in parallel. The proposal would split this into two phases regardless of how many scripts are in each phase.

In a way, the second issue makes sense, in that we expect normal -sV version detection to be completely finished before we start script scanning. versionrule scripts should arguably behave the same way. On the other hand, it is a little bit like running portrule and hostrule scripts in different phases--if there's no reason for it, all it does is take longer. Of course, it would be possible to keep the versionrule notion and run all three of versionrule, portrule, and hostrule in the NSE_SCAN phase.

I'm willing to consider a separate NSE_VERSION_SCAN phase, but first we should see some test results to see how it compares against the current solution. I'm thinking of a test running 100 instances of skypev2-version and html-title and comparing times. Maybe the time difference won't be great, and then there's no problem. But we should know before making this change.

As for splitting out a separate versionrule (without considering a separate scan phase), that's fine but I don't see what advantages it offers. In every case I can think of (and every case in the patch), the versionrule is identical to the portrule. There might as well be a version_flag variable, which is what we have now with the "version" category. In fact now that I think about it, a separate versionrule only makes sense if there is a separate NSE_VERSION_SCAN phase.

If you believe this should be merged, please create some tests like I described above and measure the performance impact of a separate NSE_VERSION_SCAN phase.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
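For readers unfamiliar with the mechanism the reply refers to, the following is an added example (not part of the thread and not a script from the Nmap distribution) of how a version-detection script is declared today with the existing "version" category: the script uses an ordinary portrule, and Nmap runs it as part of -sV because of the category, so a separate versionrule would carry the same port selection. The service name "example-svc", port 5555 and the banner format are made-up values, and the `require` module style is the current NSE syntax rather than the `module(...)` form in use when the thread was written.

```lua
-- Added example (not from the thread): a minimal NSE version script.
-- categories = {"version"} is the "version_flag" the reply describes:
-- the script runs during -sV using its portrule, and running it via
-- --script=version instead treats it as a normal port script.

local nmap = require "nmap"
local shortport = require "shortport"

description = [[
Reads the greeting line from a hypothetical service (made-up for this
example) and records the advertised version in Nmap's service table.
]]

author = "example author (added example, not an Nmap script)"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"version"}

-- Port selection: this is the rule that, in every case the thread discusses,
-- would be identical whether it is called portrule or versionrule.
portrule = shortport.port_or_service(5555, "example-svc")

action = function(host, port)
  local socket = nmap.new_socket()
  socket:set_timeout(5000)

  local ok, err = socket:connect(host, port)
  if not ok then
    return nil
  end

  -- Read one line of the greeting; the hypothetical format is
  -- "EXAMPLE-SVC <version> ready".
  local got, line = socket:receive_lines(1)
  socket:close()
  if not got then
    return nil
  end

  local version = line:match("^EXAMPLE%-SVC (%S+)")
  if version then
    -- Version scripts report by filling in port.version and calling
    -- set_port_version; they normally return nil rather than output text.
    port.version.name = "example-svc"
    port.version.version = version
    nmap.set_port_version(host, port)
  end
  return nil
end
```

Because the category, not a distinct rule, is what places the script in the version-detection run, a script like this executes once per matching port under -sV; the double-execution concern in the thread only arises if the same script also carried a second rule evaluated in a separate phase.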
Current thread:
- [NSE] New versionrule for version category scripts Djalal Harouni (Aug 21)
- Re: [NSE] New Script Version scan phase for versionrule scripts Djalal Harouni (Sep 10)
- Re: [NSE] New Script Version scan phase for versionrule scripts David Fifield (Sep 27)
- Re: [NSE] New Script Version scan phase for versionrule scripts Djalal Harouni (Sep 10)