Nmap Development mailing list archives

Re: [NSE] malicious-ip script


From: Djalal Harouni <tixxdz () opendz org>
Date: Thu, 14 Jul 2011 19:53:00 +0100

On Thu, Jul 14, 2011 at 01:32:06PM +0100, Hani Benhabiles wrote:
> Could anyone look at these? Thanks!
Hi Hani, thanks for the scripts.

First you should read Fyodor's answer [1].

As Paulino noted these IP lists or databases are short, and these kinds
of scripts are much more helpful to Nmap users if they can detect wide
spread viruses. As an example the zeustracker abuse page [2] says that
currently there are 707 tracked servers, which is a small number for us
(to be included in Nmap). And of course we must also check if the license
of the service is compatible with Nmap or has some restrictions etc.

IMHO, if you are using the same webservice then it would be better if you
have a combined script, but please wait and see if Fyodor or David have
other suggestions about this, and if you think that any change is an
*improvement* then go ahead, don't wait ;)


After some research I've also found the malwaredomainlist service [3],
perhaps their license is not restrictive and if their database is big
enough then we can give it a try (just a suggestion).


In the same context these are some random ideas:
o Another idea would be to write dnsbl-service-spam or
  dnsbl-service-malware scripts if we are able to find a service with a
  non-restrictive license.

  zen.spamhaus.org
  http://www.spamhaus.org/organization/dnsblusage.html

  cbl.abuseat.org
  http://cbl.abuseat.org/  (perhaps we are not allowed to use this)
  
  There are a lot of dnsbl services, perhaps we can find a good service.
  Finally I think that Nmap could also help to fight spam :)


o A script that will check if the current scanned host/network is in a
  LAN, if so then it will check an external (free) service to get the
  external IP addresses. The script will save this info in a table in
  the registry, in order to be used by these malware scripts to check
  if the previous public IPs are blacklisted or whatever. I think that
  this will be really useful for large corporate networks when scans
  are done from inside.

  Of course the script must check the table before the external service
  to see if the public IP is already there.

  Perhaps there are other useful tricks that we can do with a script
  like this: combine/compare IP addresses with traceroute results etc.


Currently these are just some random ideas, I'll add them later to the
Secwiki Script Ideas page [4] in the "Incoming" section, and if they
move to the "Solid Candidates" section, then any good submitted script
will be committed.

Thanks.

[1] http://seclists.org/nmap-dev/2011/q3/103
[2] https://zeustracker.abuse.ch/
[3] http://www.malwaredomainlist.com/mdl.php
[4] https://secwiki.org/w/Nmap/Script_Ideas

-- 
tixxdz
http://opendz.org
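The two script ideas above (a DNSBL lookup, and a registry cache of the scanner's public IP for LAN targets) sketched as an added, stand-alone example; this is not an Nmap script nor code from the thread. It assumes a constructed in-memory resolver and a plain dict standing in for nmap.registry, and uses zen.spamhaus.org only as the zone name the thread mentions; the 127.0.0.x answer codes are treated generically as "listed".

```python
import ipaddress

# Constructed stand-in for DNS: query name -> A records, so the example runs offline.
# 127.0.0.2 is the conventional DNSBL test entry; 203.0.113.9 is a constructed "listed" IP.
FAKE_DNS = {
    "2.0.0.127.zen.spamhaus.org": ["127.0.0.2"],
    "9.113.0.203.zen.spamhaus.org": ["127.0.0.10"],
}

# Stand-in for nmap.registry: a table shared by scripts for the duration of one scan.
registry = {"public_ips": {}}

# "In a LAN" is read as RFC 1918 space here (an assumption of this example).
RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def dnsbl_query_name(ip, zone):
    """DNSBL lookups are A queries for the reversed octets under the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def fake_resolve(name):
    return FAKE_DNS.get(name, [])  # empty list stands for NXDOMAIN (not listed)

def is_listed(ip, zone, resolve=fake_resolve):
    """A listed address answers with a 127.0.0.0/8 code; the code's meaning is list-specific."""
    loopback = ipaddress.IPv4Network("127.0.0.0/8")
    return [a for a in resolve(dnsbl_query_name(ip, zone))
            if ipaddress.IPv4Address(a) in loopback]

def is_lan_address(ip):
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in RFC1918)

def ip_to_check(target, fetch_external_ip):
    """Public targets are checked directly; LAN targets map to the scanner's public IP,
    taken from the registry when already known, otherwise fetched once and cached."""
    if not is_lan_address(target):
        return target
    if "external" not in registry["public_ips"]:  # consult the table before the service
        registry["public_ips"]["external"] = fetch_external_ip()
    return registry["public_ips"]["external"]

def check_target(target, zone="zen.spamhaus.org", fetch_external_ip=lambda: "203.0.113.9"):
    """Return which IP was checked for this target and whether the DNSBL lists it."""
    ip = ip_to_check(target, fetch_external_ip)
    codes = is_listed(ip, zone)
    return {"target": target, "checked_ip": ip, "listed": bool(codes), "codes": codes}
```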