
Nmap Development mailing list archives

RE: Enhanced Version of HTTPtrace.nse
From: "Rob Nicholls" <robert () everythingeverything co uk>
Date: Fri, 14 Dec 2007 00:28:16 -0000

Thanks for the advice! This is the first time I've touched NSE scripts so
I'm not too familiar with all of the things I can do yet (i.e. I didn't
realise I could tailor the output based on the verbosity).

It makes total sense to detect the verbosity/debugging level in NSE scripts,
especially ones that can produce lengthy outputs. I'll see about modifying
it to use the functions you've mentioned. I suspect I'll display when TRACE
is enabled by default (similar to how SSLv2 support is displayed), add the
inconclusive messages when using -vv (hopefully this won't be seen that
often, especially if I can eventually get the script to follow redirects and
perform TRACE against files that exist so we can give a more accurate
response), and return everything when verbosity is higher than 2 (even I
don't usually bother going above 2), unless anyone has any better ideas?
I'll also see about using debugging to show additional information, such as
the first line of the returned header, if people set it high enough. I did
consider adding support to check for other verbs like TRACK or DEBUG, but
that would probably mean renaming the script too (this was only meant to be
a very simple modification to your script, but I got carried away) ;)

I've seen so many automated tools give false positives for TRACE based on
OPTIONS, and I use nmap all the time, so I thought it would be nice if I
could combine the two and save myself some manual analysis.


Rob


-----Original Message-----
From: Kris Katterjohn [mailto:katterjohn () gmail com] 
Sent: 13 December 2007 23:44
To: Rob Nicholls
Cc: nmap-dev () insecure org
Subject: Re: Enhanced Version of HTTPtrace.nse

<snip>

Printing that it is enabled but nothing changed is something that I 
would consider if -v or -d is set (nmap.verbosity or nmap.debugging) 
since that is something that can be useful at times.  However, printing 
that it's not enabled is too much output IMO, and I'm pretty sure Fyodor 
will agree.

<snip>


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
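
The output policy and the OPTIONS false positive discussed in this message, as an added example that is not code from HTTPtrace.nse or from either poster. It is plain Lua with hypothetical function names; the verbosity argument stands in for what an NSE script would read from nmap.verbosity, and treating 301/302/404 as inconclusive is an assumption.

```lua
-- Added illustration in plain Lua; not code from HTTPtrace.nse.
-- All function names are hypothetical. In an NSE script the verbosity
-- argument would come from nmap.verbosity().

-- Decide the TRACE state from an actual TRACE request rather than from OPTIONS.
-- allow:  Allow header returned by OPTIONS, or nil
-- status: status code returned for the TRACE request
-- body:   body returned for the TRACE request
-- marker: unique header value that was sent with the TRACE request
local function classify_trace(allow, status, body, marker)
  local advertised = allow ~= nil and allow:upper():find("TRACE", 1, true) ~= nil
  local echoed = status == 200 and body ~= nil and body:find(marker, 1, true) ~= nil
  if echoed then
    return "enabled", advertised
  end
  -- Assumption: redirects and missing resources say nothing about TRACE itself.
  if status == 301 or status == 302 or status == 404 then
    return "inconclusive", advertised
  end
  return "disabled", advertised
end

-- Output policy from the message: enabled always, inconclusive at -vv,
-- everything above verbosity 2. Returning nil prints nothing.
local function report(state, advertised, verbosity)
  if state == "enabled" then
    return "TRACE is enabled"
  elseif state == "inconclusive" then
    if verbosity >= 2 then return "TRACE inconclusive (redirect or missing resource)" end
  elseif verbosity > 2 then
    if advertised then
      return "TRACE not enabled (listed by OPTIONS, but the request was not echoed)"
    end
    return "TRACE not enabled"
  end
  return nil
end

-- Constructed sample responses, not captured from real servers.
local marker = "nse-probe-7f3a"
local samples = {
  { allow = "GET, HEAD, TRACE", status = 200, body = "TRACE / HTTP/1.1\r\nX-Probe: " .. marker .. "\r\n" },
  { allow = "GET, HEAD, OPTIONS, TRACE", status = 405, body = "Method Not Allowed" },
  { allow = nil, status = 302, body = "" },
}
for i, s in ipairs(samples) do
  local state, advertised = classify_trace(s.allow, s.status, s.body, marker)
  for verbosity = 0, 3 do
    print(i, verbosity, report(state, advertised, verbosity) or "(no output)")
  end
end
```

The second sample is the case a tool that trusts the OPTIONS Allow header would flag; here it is reported as not enabled, and only above verbosity 2.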
