Nmap Development mailing list archives

Re: Script force

From: Martin Holst Swende <martin () swende se>
Date: Wed, 07 Dec 2011 09:18:43 +0100

Hi,

On 12/04/2011 10:00 AM, Patrick Donnelly wrote:

With that said, I have a suggestion. The '+' should be a prefix to a
pattern. It should not be a prefix to a filename, category, or boolean
expression. It should change the meaning of the entire expression:
"any script chosen as a result of this expression is forced to run".
So, you might have: --script '+not intrusive and not discovery'. This
would mean, "forcibly run all scripts that are not in the intrusive
and not in the discovery categories". [As an aside with respect to the
implementation: note that most script filenames are usually matched
and loaded via the Entry function. The code that runs after this
comment "-- Now load any scripts listed by name rather than by
category." loads files and directories that are not found in the
script database (the script database is a series of calls to the Entry
function). For example, that fallback code would load scripts
specified by "my-scripts/foo.nse" or a directory "my-scripts".

With that changed, I think the patch would be much nicer. However...


I agree with your reasoning here, but perhaps I misread you a bit. I think
the '+' should be a prefix to an expression. An expression can be, as
you said:
+not instrusive safe ==> +(not intrusive and safe)
but also:
+http-*    => +(http-*)

Several expressions can be divided up with commas. An expression could
be a single filename, a filename-wildcard, a category or a boolean
expression containing these things. Example with two expressions on the
command-line:

+safe and http-*,+http-title => +(default and http-*), +(http-verb-tamper)
=> "Ignore the return value of the portrule for any script selected
matching (safe and http-*) and any script matching (http-verb-tamper),
unless already loaded"


That would make strange corner cases go away:
(not +http-title) => errror, no + allowed inside expression, + only
allowed at the left side of an expression.

I think this would be a better approach than the current implementation,
since it would still allow the same common syntaxes but would disallow
the weirdness that comes from of mixing + inside expressions.

How does this sound? Is this is the ballpark of what you proposed?
Regards,
/Martin


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Current thread:

Re: Script force, (continued)
- - - Re: Script force Fyodor (Nov 30)
    - Re: Script force Djalal Harouni (Dec 01)
    - Re: Script force Martin Holst Swende (Dec 03)
    - Re: Script force Patrick Donnelly (Dec 04)
    - Re: Script force - Named probes Djalal Harouni (Dec 04)
    - Re: Script force - Named probes Martin Holst Swende (Dec 04)
    - Re: Script force - Named probes Djalal Harouni (Dec 04)
    - Re: Script force - Named probes Patrick Donnelly (Dec 15)
    - Re: Script force - Named probes Martin Holst Swende (Dec 16)
    - Re: Script force - Named probes Djalal Harouni (Dec 18)
    - Re: Script force Martin Holst Swende (Dec 07)
    - Re: Script force Patrick Donnelly (Dec 07)
    - Re: Script force Martin Holst Swende (Dec 07)
    - Re: Script force Martin Holst Swende (Dec 07)
    - Re: Script force Martin Holst Swende (Dec 11)
    - Re: Script force Djalal Harouni (Dec 11)
    - Re: Script force Martin Holst Swende (Dec 13)
    - Re: Script force Patrik Karlsson (Dec 16)
    - Re: Script force Fyodor (Dec 19)
    - Re: script category selection bug - was: Script force Djalal Harouni (Dec 05)
    - Re: script category selection bug - was: Script force Patrick Donnelly (Dec 05)

(Thread continues...)