Re: [NSE] Prerule considerations and concerns

[Djalal Harouni <tixxdz () gmail com>]

On 2010-10-16 15:24:21 -0700, Fyodor wrote:
> On Sat, Oct 16, 2010 at 10:32:09AM -0500, Tom Sellers wrote:
> > Here are my concerns with the current behavior:
> >
> > 1.  In most cases the results have no relevance to my target.  The
> > current scripts broadcast looking for certain data, and that
> > functionality is handy as hell, but it doesn't have any bearing on
> > my target 4 hops away.
>
> Hi Tom, you make some good points.  A related example is the scan
> "nmap -A scanme.nmap.org".  It ends up doing a pre-scan script with 5
> scripts, when none of that functionality is really desired for that
> scan.  The biggest problem is the time and bandwidth used for the
> undesired functionality, but it also bloats the Nmap output with some
> extra text:
>
> NSE: Script Pre-scanning.
> NSE: Starting runlevel 1 (of 1) scan.
> Initiating NSE at 15:01
> Completed NSE at 15:01, 5.00s elapsed
>
> The five scripts which are running by default are:
>
> snmp-interfaces
> dns-zone-transfer
> upnp-info
> ms-sql-info
> dns-service-discovery
>
> Let's start with the first two, as those are simpler to resolve.
> These don't actually function as prerules unless you pass in special
> NSE arguments (snmp-interfaces and dnszonetransfer, respectively).
> The only "problem" they can cause is Nmap having to do the prerule
> action phase and print out the extra information.  It would probably
> be better for these to check for the required arguments in the
> prerule() itself rather than in the action.
Yes doing the check for the required arguments in the prerule/postrule
script functions is fine. Attached is a patch for dns-zone-transfer to
move the checks into the rule functions. I've also moved the portrule
checks.

For the extra texts:
"NSE: Script Pre-scanning.",
"NSE: Script scanning 127.0.0.1"
"NSE: Script Post-scanning."

These messages can be removed easily: we do not print them if all
script rules evaluate to false (no threads). A simple patch is attached
to remove the two "Pre-scanning" and "Post-scanning" messages.


For this:
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 15:01
Completed NSE at 15:01, 5.00s elapsed

If we do the script argument check in the prerule/postrule and if we add
a new category for the broadcast stuff then this text will not be printed.

-- 
tixxdz

Attachment: dns-zone-transfer_move_args.diff
Description:

Attachment: pre-post-scan_debug_msg.diff
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/