Re: [RFC] Improve NSE HTTP architecture.

[Patrick Donnelly <batrick () batbytes com>]

On Sun, Jun 19, 2011 at 4:09 PM, Djalal Harouni <tixxdz () opendz org> wrote:
> On Thu, Jun 16, 2011 at 05:17:50PM -0700, Fyodor wrote:
> > That would be easy to add, but I worry about what scripts would do
> > with the information.  For example, suppose we have http-enum do vuln
> > checks if the 'vuln' category was selected.  Well, then what if the
> > user just specified script names specifically (which may or may not be
> > in vuln category)?  What if user specified --script=all?  Maybe rather
> > than try to reimplement the category selection functionality, the
> > script(s) could be made to work with it.  For example, if the shared
> > work is done in a library anyway, maybe you could have a small
> > http-enum-vuln script which users could enable by name or category or
> > whatever.
> Yes another small script like http-enum-vuln, that will load 'vuln' or
> 'exploit' fingerprints or matches is a good solution, this way we avoid
> the one-script-per-vuln, especially if that check is only 5 Lua
> instructions. And loading fingerprints based on their categories should
> be done by a library code.
> So I'll say: a script that will load the 'intrusive', 'exploit', 'dos"
> and 'vuln' fingerprints and matches, can be a popular script.
>
> My main point on this is to use the same NSE categories, and not extra
> categories like 'attack', etc.
> The 'app' field in the fingerprint table can be used to identify the
> application type.

How about having each fingerprint get a single category. Then you can
organize the fingerprints into separate http-fingerprint-<category>
scripts:

http-fingerprint-intrusive
http-fingerprint-discovery
http-fingerprint-vuln

-- 
- Patrick Donnelly
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/