Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: NSE console script help
From: Kris Katterjohn <katterjohn () gmail com>
Date: Tue, 18 Jan 2011 20:41:29 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/18/2011 08:24 PM, Fyodor wrote:
Well, the way I see it, there are four main script help selection
possibilities:

1) Print the script help info for all scripts known by Nmap

2) Print the info for all scripts selected (by a specifier, like
   "default" or "safe" or "broadcast" or "asn-query" or whatever).  In
   this case, you can get behavior #1 by specifying "all".

3) Print just the scripts which pass their rule (portrule, hostrule,
   prerule, or postrule) and thus would be (or are) actually run by Nmap.

4) Print just the help for the scripts which actually produced output.
   That way users don't end up with output from scripts they don't
   really understand.

[...]
One question is how much work you want Nmap to do when you ask for
help.  With #1 and #2, you could either print the information
immediately and then stop, or you could let the scan continue.  The
advantage of stopping is that it lets people see their script options
before committing to running them.  I suppose the advantages of
continuing are that it puts the information there in the Nmap report
along with the results (avoids running Nmap twice), and (more
importantly) might be more consistent if we also offer #3 and #4.

For #3, Nmap needs to do its port scanning, OS detection, version
detection, and run at least the script portrules.  For #4, Nmap needs
to completely execute.  So if we want to support these, it pretty much
dictates an interface which runs the scan AND produces help.

[...]
It is worth noting that each one is a superset of the higher-numbered
options.  So #2 contains all the scripts (and possibly more) in #3,
and so on.


I've been busy lately and I don't currently have the time to think about the
best way to specify the option (--script-help, etc); however, I do want to at
least throw my opinion in for which help types I prefer.

I don't currently see a reason to not just print the help and stop (or at
least I don't want to be forced to have Nmap run the scan just to see the help
information).  I mean, why would I want help info in my output when I'm
already running the scan I wanted help with?  I guess I can see some use for
that, but I think printing the help and stopping should be the default behavior.

In the case that the scan runs and help is printed, I think #4 is good.

Overall, I currently like #2 the best (and specifying "all" for the behavior
for #1).  So I think #2 should be default, and #4 should be the behavior if
there's going to be an option to run the scan and print the help together.

Cheers,
Fyodor

Cheers,
Kris Katterjohn

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJNNk9ZAAoJEEQxgFs5kUfuv30P+QGU8Ucr6eLhFRuOvHutFHqq
pHzuNHcH8d85i130Hb/3gZoUVUzCZLu+nxB9WennzlTrwDSGuR9fFi/I7Ov207gf
hRu1Zrik/n83t+1rLTOLJ2mU6ONR6EyP1LRXCs+wUuHnOt2ziAvUqKmsC/qVth9q
qBcQB0TlonasZpW/4PojRuxc7NuHDcAPtxZQ/Q+WNZEx3Z7g1QU3BgBrN17U1Z14
dumeD3b8hE/D8AZwhyIKddwzupsrEk3evbl1hCpdj+uHYt2MlnBKi6KuUZ4lTL5c
GrFXxpZ257NfEEJQ2/PXhzCa198lbhNS6UP7pKjn/uL3+JUPMLAf4pGHJn+EY12/
BrU0iWg5qo+t9Po2QZtwu94BmXiqGP9B9ENVUFJtH22ToHAID7O3bX7fTwknSeyN
i2d0y/s8wZR1hWwxEuVZCQ7aJOnGQN0XCH5S8eNDDSFRb2abLn0cSUSYRXVCqQbx
/GJ/tvYk3+33vepxfxH9iVlTvmBc/y5B1OvZxKdVNuOI1IFNc4pdDn5XZxJi9PK1
Aa14FxNPFdFlKqsJiw6QQDQYTYQFi4nXC3yl8VrEnDE9aFQd6cgrLPglnKbBDJoE
lhKV82GhuB1m1jj1X4vLOzt2Kw1TpLXJUnp4GLtW06B3dxPEya8WdLLzKAaLA2r3
fG0CYW4qz43yd4w6mIMr
=IU8o
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault