Nmap Development mailing list archives

[NSE] Prerule considerations and concerns


From: Tom Sellers <nmap () fadedcode net>
Date: Sat, 16 Oct 2010 10:32:09 -0500

All,

I have some concerns about some of the prerule (and possibly postrule) scripts. To explain my concerns let me outline my process.

In my scenario I have a list of hosts and code that launches an nmap instance to scan each. The scan configuration may vary, depending on which script is invoked. The results for each host are being generated in each of nmap's output types and placed in a directory.

Using the SVN build of nmap, when I run scans the prerule scripts are triggering and broadcasting requests to the local network. These results are included in the output for each of my hosts. For production purposes I may scan 4k hosts at a time. In many of my runs I am scanning 100k hosts at a time. In some of the Internet surveys I start out with a list of 1 million hosts.

For each scan that includes scripting several scripts will run and broadcast packets.


Sample command lines:

Simple reproduction:
nmap -sC (no host specified)

Standard command line:
nmap -sSUV -A --script "(default or safe) and not qscan" -O -pT:-,U:53,69,137,161,523,1434,1900,2065,2067 --version-all --open --excludefile ./lists/excludes_full.txt -R --webxml -oA ./logs/$1 $1 > ./logs/$1.txt 2> ./logs/$1.err


Here are my concerns with the current behavior:

1. In most cases the results have no relevance to my target. The current scripts broadcast looking for certain data, and that functionality is handy as hell, but it doesn't have any bearing on my target 4 hops away.

2. The broadcasts are taking time and using bandwidth when the result is not needed.

3. The results are confusing the output result and taking up storage. In the case of fathom searches of the XML I will have to avoid searching for data in them as it will greatly skew the results.

4. The rainmap project will have to keep the scripts in mind as they will expose data about the hosts on the subnet of the scanning host to a 3rd party requesting the scan.

Current scripts with a prerule:
  db2-discover.nse
  dhcp-discover.nse
  dns-service-discovery.nse
  dns-zone-transfer.nse
  ms-sql-info.nse
  resolveall.nse
  snmp-interfaces.nse
  upnp-info.nse


Is there currently a way to disable the prerule behavior of NSE scripts?

If there isn't currently a way, can we add functionality to disable the prerule (and possibly postrule) scans without disabling the whole script? The ms-sql-info.nse script is an example of where the prerule section is not useful in this scenario, but the normal behavior of the script is desired.

Perhaps a command-line switch could be used to set a flag that the scripts would evaluate in the prerule section:

-- The prerule only fires when the (proposed) global flag is set.
prerule = function()
  if stdnse.allow_prerule then
    return true
  else
    return false
  end
end

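As an added example (not part of Tom's message or of any shipped Nmap script), the same gating can be done today with a script argument instead of a new switch: the prerule checks a per-script arg, so the broadcast phase only runs when the user opts in, while the per-host portrule keeps working. It assumes a current NSE with stdnse.get_script_args, shortport, and the SCRIPT_NAME and SCRIPT_TYPE globals; the script name "example-gated" and the argument "example-gated.allow-prerule" are invented here.

```lua
-- Added example, not from the original post: an NSE script whose prerule is
-- gated by a script argument so the broadcast phase can be switched off per
-- run while the per-host behaviour is unchanged.
-- Assumptions: current NSE APIs (stdnse.get_script_args, shortport,
-- SCRIPT_NAME, SCRIPT_TYPE); the script/arg names are made up for this example.

local stdnse    = require "stdnse"
local shortport = require "shortport"

description = [[
Demonstrates gating a prerule behind a script argument so that a scan of
remote targets does not trigger broadcasts on the scanner's own subnet.
]]
author = "example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe", "discovery"}

-- The prerule runs only when the user opts in, e.g.
--   nmap --script example-gated -p 1433 \
--        --script-args example-gated.allow-prerule=true <target>
-- Without the argument the prerule phase never fires, so nothing is
-- broadcast and no local-subnet data lands in the per-host output.
prerule = function()
  local allow = stdnse.get_script_args(SCRIPT_NAME .. ".allow-prerule")
  if allow == nil then
    return false
  end
  -- --script-args may hand back a boolean, a number or a string; accept
  -- the usual "true"/"1" spellings and reject anything else.
  local v = tostring(allow)
  return v == "true" or v == "1"
end

-- Per-host behaviour is independent of the flag above.
portrule = shortport.port_or_service(1433, "ms-sql-s")

action = function(host, port)
  if SCRIPT_TYPE == "prerule" then
    -- Broadcast discovery would go here; this example only reports that
    -- the phase was explicitly enabled.
    return "prerule phase ran because allow-prerule was set"
  end
  -- Per-host work would go here.
  return ("portrule phase ran for %s:%d"):format(host.ip, port.number)
end
```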

I look forward to your thoughts and comments.

Thanks much,
Tom
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/