Suggestion syntax (was:Script suggestions, take #3)

[Martin Holst Swende <martin () swende se>]

Hi list,
Changing the topic, let's ignore the under-the-hood stuff for now.

I'd like to get feedback on the proposed syntax for script-suggest.
Right now,
we have two different versions.
1. --script-suggest <rules> and -sCS working in parallell with and
identical to --script <rules> and -sC
2. --script <rules>,$<rules>  , where $ (or whatever character we
choose) is a flag meaning "use this rule for suggestions", similar to
the force-flag.

Currently, [1] is implemented (based on discussions in
http://seclists.org/nmap-dev/2011/q4/389) and involved quite a lot of
changes here and there. [2] is not implemented, but would mean less
overall changes in the nmap framework. My personal preference is [1],
Patrick leans towards [2]. David, Fyodor, Patrik, Duarte?

Some examples and discussions below:

On 02/07/2012 10:38 PM, Patrick Donnelly wrote:
> > Below are some usecases. Let's say we use the $-char for the
> > > suggestions, I'll outline possible syntaxes:
> > >
> > > #Typical scan with defaults, but show me what more I can do:
> > > Current #1: nmap target <ports> -sV -sC -sCS
> > > Current #2: nmap target <ports> -sV --script default --script-suggest all
> I assume Current #1 and #2 are supposed to be equivalent.
>
> > > Flagmode  : nmap target <ports> -sV --script default,$all
> Yes, this is what I would expect.
>
> > > From a user syntax PoV, I would prefer keeping them separate. The -sCS
> > > or e.g. --script-suggest <rule> can always
> > > be appended to any scan syntax very easily. I also suspect that a
> > > suggest-flag is even more difficult for a user to
> > > understand and use than the force-flag. I can go either way depending on
> > > what people think.
> I don't really agree. I think the prefix is about as accessible and
> probably more visible. The user will look at the --script
> documentation and see suggestions are available by prepending a prefix
> to a rule.
>
> [1] http://seclists.org/nmap-dev/2011/q4/426 [Specifically:
>
> "o --script is used for choosing which scripts may run. I'm concerned
> that the purpose will become convoluted because not only is the user
> now choosing which scripts are allowed to run, the user is also
> choosing which scripts *will* run. I feel like changing the meaning of
> --script will only explode with the addition of other useful features
> into something terribly difficult to manage and, most importantly,
> difficult to explain to users."
>
> ]

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/