Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: [RFC] NSE Re-categorization
From: Kris Katterjohn <katterjohn () gmail com>
Date: Wed, 18 Jun 2008 17:22:45 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

DePriest, Jason R. wrote:
What might be nice is a hierarchy to show which safer tests are
subsets of more "dangerous" or at least more involved tests.

Something like this:


                                /-> malware->\
                               /              \
safe --> discovery --> version --> vuln ----->|-> intrusive
                               \              /
                                \-> auth --->/

with demo and default on their own

A script like netbios-smb-os-discovery.nse does a lot of work.  It's
almost intrusive, but probably just a discovery.

The diagram helps me figure out where it should go and "version" seems
fine in that context since it does more than a simple discovery and
you don't want to run it without asking for version detection.


Interesting!

I also don't understand the benefit of having a script that is
"intrusive" also be a "discovery" scan.  If it is "intrusive" then I
don't want it running if I am only asking for "discovery."

They should be either "discovery" and relatively benign or "intrusive"
and used with intent.

Explain the logic between having a script in both categories.  Maybe I
just don't "get it."


This is a good point; however, Fyodor mentioned to me that more expressiveness
could be added to script selection, which will alleviate this.

I personally don't see a problem with a script being in Discovery and
Intrusive.  Take zoneTrans for example: it certainly has the "discovery"
aspect to it, but it's also a bit "intrusive".  The intrusiveness in this
respect isn't saying "this script is malicious", just that "this script goes a
bit further than some administrators might like."

However, there is currently no way to say "I want a Discovery script that is
not Intrusive," which, as you mentioned, can pose a problem in situations.

Another threat-level category could be added for scripts that are "used with
intent," but that could easily get confusing.

Opinions anyone?

-Jason

Thanks,
Kris Katterjohn


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQIVAwUBSFmKtP9K37xXYl36AQIvYg/+LucN0iBZydu7+PhGD3tkD9ANGfUq/I5z
K1q+uNrjkHf0E/dLeLvnXh189GPLyBjVP58zOJ3vMs8B8l2mIHhg9NPoyMz5oo/i
MFkIDe9bVYy9hYd2PAz8FXu1WQv6AI9jtw77E9kFXquGVUY1wYs3GJ+pJs2doev9
pH2Fr800DY9+uWQ1gSwMXHm32EBZvJHbaGLBPjXue4064uY9tSF80PQ0kapsY+rY
puA1EDQ2dthImEq52cU0NnizpKGwTQ2VHFJT2hO12V2RlYSKGAhMeUenOG6dbAmR
sTRUx9wKj4om7kNbaY7fiDQ6SIMpe9Aei7v2ktbjg5uAY1gSrHQb2fKUxffm9FXE
1DdWJxuoV+Dtqkn35WBkTaS3DGQgo9jVtzPhp2HPylHwGxAwVStiKsQkp6ShE7eG
y2WkpRF8zTn2jT2ZVK/M+ZEuNr4bSPZ39NVPp7DIE1nbjEwikRUEsFR4z6zAq/cX
4ZqAbBxoXOLjBtM4KrnXQ9+OGPsvFkzEYRXfjqYqxsB0umvX5iGz/WETbFF0ZU68
SHqlxHZUd/adR2eDhdvx4bnBqkHEFfFTjGat69S1MSK4vjPRQ+U+iHwef687Vb3W
6+42dEF1uA7IK9ipaI+Lshky1Zny/qdNHTHhyEcgMICZ6iszCpBAo7zmNWgpbb8I
UOuuLEoUfi4=
=7JsC
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]