Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: [RFC] NSE Re-categorization
From: jah <jah () zadkiel plus com>
Date: Fri, 13 Jun 2008 01:07:10 +0100

On 12/06/2008 23:07, Kris Katterjohn wrote:
I think "safe" and "intrusive" should be mutually-exclusive, together
all-encompassing categories.  All scripts should fit into one of these.
That's not to say that every script should absolutely have one of
these listed
in its categories{}, but if a script doesn't fall into a more specific
category, it will fit in here.  If a script isn't safe, I think it's
intrusive, and vice versa.  This isn't really changing anything, but
it may
give a different viewpoint on these categories.
The current definition of safe as per
http://nmap.org/book/nse-usage.html#nse-categories is:
"Scripts which weren't designed to crash services, use large amounts of
network bandwidth or other resources, or exploit security holes..."
The definition of intrusive:
"These are not intended to crash or damage anything, but are more likely
to leave suspicious logs or otherwise arouse sysadmin ire..."

So I think that either intrusive should include scripts that are
intended to crash services (all in the name of securing ones own
network, of course) or perhaps there should be a category for "exploits"
to include scripts that actively exploit vulnerabilities and could crash
a service or cause an sysadmin alarm - even if the intention is merely
to detect a vulnerability.
I think "backdoor" should be merged into "malware".  There's no point in
having two basically synonymous categories.
Aye to that.
I initially thought that the "discovery" category should be dropped. 
Is there
an NSE script which isn't really discovering something?  But Brandon
pointed
out that it could just be renamed, and that the name could convey
something
along the lines of "extra information".  I can't really think of a
good name
for it, however.
Perhaps "Informational"?
How about a new "credential" (or "login") category?  This can be used
for NSE
scripts which attempt a login, such as anonFTP, bruteTelnet, and HTTPAuth.

So here would be the current list of categories:

Default
Version
Safe
Intrusive
Vulnerability
Malware
Credential
<renamed Discovery>

The first two don't really count because "default" is more of a
sub-category,
and "version" is a necessity for some scripts.  So not counting those,
that
gives us 6 categories, which is a good place to be.

So, how am I doing?  Do you have complaints about some of the current
categories?  Do you have any ideas for other new categories?
It looks good.  Using Informational and adding Exploits, you even get a
handy Mnemonic: VICED VIMS (from latin: Grasp with Vigour).


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]