Re: "sniffer" category

[Patrik Karlsson <patrik () cqure net>]

On Wed, Nov 9, 2011 at 12:01 AM, David Fifield <david () bamsoftware com>wrote:

> On Tue, Nov 08, 2011 at 09:43:30PM +0000, Luis MartinGarcia. wrote:
> > On 11/08/2011 08:27 PM, David Fifield wrote:
> > > On Tue, Nov 08, 2011 at 05:23:52PM +0100, Patrik Karlsson wrote:
> > > > I'll check the broadcast-listener script for this as well. In regards
> to
> > > > these sniffing scripts I would like to create the "sniffer" category
> and
> > > > place them in there, rather than in the broadcast category as we've
> > > > discussed earlier.
> > > >
> > > > I guess that the new category needs to be documented somewhere in
> addition
> > > > to changing the category in the scripts? Where would that place be,
> and is
> > > > "sniffer" the category name to go with?
> > > Is "sniffer" really what we want to express? It seems to me what people
> > > want is a category for "scripts that run on the whole network with a
> > > fixed delay that I don't care about when I'm just scanning a few
> hosts."
> > > I think that people use "broadcast" with that meaning now, mostly in
> the
> > > form "and not broadcast". So "broadcast" might not be the right name
> for
> > > the category, but breaking out a separate "sniffer" is just going to
> > > make people change to "and not broadcast and not sniffer".
> >
> > I'm not entirely familiar with the current status of NSE scripts but, in
> > my opinion, it'd be good idea to group all those scripts that gather
> > information passively by capturing incoming packets. However, I'd name
> > the category "passive", not "sniffer". I think "passive" scripts can be
> > quite useful in penetration testing when one does not want to inject
> > packets into the network. We could perhaps define the "active" alias as
> > "all and not passive". Does this make sense?
>
> "passive" is not a good name. Some of these scripts do in fact send
> traffic (broadcast-dns-service-discovery is an example). What makes
> these scripts different is that they do not target the hosts you give on
> the command line. When I scan scanme.nmap.org with --script=safe, I
> don't want a bunch of scripts telling me about things on my local
> network. I really think that's what this is about, not
> unicast/broadcast, sniffer, or active/passive. If the "broadcast" name
> really bothers people, can we think of a name that reflects what this
> category is actually used for?
>
> David Fifield

Well, I think the broadcast name is good for the category of scripts that
actually do send broadcast and multicast traffic.
However, there are at least two broadcast-listener and targets-sniffer that
are passive as they don't send any data.
These are the ones I was thinking moving to a new category, as they differ
from the rest of the broadcast scripts.
But, maybe we should wait until we get more of them until we do, I don't
know ....

-- 
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/