Nmap Development mailing list archives

Re: NSE console script help


From: Kris Katterjohn <katterjohn () gmail com>
Date: Tue, 18 Jan 2011 20:41:29 -0600

On 01/18/2011 08:24 PM, Fyodor wrote:
> Well, the way I see it, there are four main script help selection
> possibilities:
>
> 1) Print the script help info for all scripts known by Nmap
>
> 2) Print the info for all scripts selected (by a specifier, like
>    "default" or "safe" or "broadcast" or "asn-query" or whatever).  In
>    this case, you can get behavior #1 by specifying "all".
>
> 3) Print just the scripts which pass their rule (portrule, hostrule,
>    prerule, or postrule) and thus would be (or are) actually run by Nmap.
>
> 4) Print just the help for the scripts which actually produced output.
>    That way users don't end up with output from scripts they don't
>    really understand.

[...]

> One question is how much work you want Nmap to do when you ask for
> help.  With #1 and #2, you could either print the information
> immediately and then stop, or you could let the scan continue.  The
> advantage of stopping is that it lets people see their script options
> before committing to running them.  I suppose the advantages of
> continuing are that it puts the information there in the Nmap report
> along with the results (avoids running Nmap twice), and (more
> importantly) might be more consistent if we also offer #3 and #4.
>
> For #3, Nmap needs to do its port scanning, OS detection, version
> detection, and run at least the script portrules.  For #4, Nmap needs
> to completely execute.  So if we want to support these, it pretty much
> dictates an interface which runs the scan AND produces help.

[...]

> It is worth noting that each one is a superset of the higher-numbered
> options.  So #2 contains all the scripts (and possibly more) in #3,
> and so on.


I've been busy lately and I don't currently have the time to think about the
best way to specify the option (--script-help, etc); however, I do want to at
least throw my opinion in for which help types I prefer.

I don't currently see a reason to not just print the help and stop (or at
least I don't want to be forced to have Nmap run the scan just to see the help
information).  I mean, why would I want help info in my output when I'm
already running the scan I wanted help with?  I guess I can see some use for
that, but I think printing the help and stopping should be the default behavior.

In the case that the scan runs and help is printed, I think #4 is good.

Overall, I currently like #2 the best (and specifying "all" for the behavior
for #1).  So I think #2 should be default, and #4 should be the behavior if
there's going to be an option to run the scan and print the help together.

> Cheers,
> Fyodor

Cheers,
Kris Katterjohn
