Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: [NSE] external category anticipated load
From: Fyodor <fyodor () insecure org>
Date: Sat, 21 Apr 2012 01:32:07 -0700

On Wed, Apr 18, 2012 at 11:50:57AM +0200, John Bond wrote:

I am have written a script which makes use of an external service.
The script would be a replacement/compliment to asn-query, targets-asn
and whois.  however there is  worry that the increased load would take
down the service.  in an effort to try and gauge this i wanted to ask
if there is anyone here who would be able to give a good estimate of
the number of requests one should expect to see from a script placed
in the safe, external and discovery category.

Hi John.  It would certainly be interesting data, but we don't run any
of the 'external' services ourselves and so we don't have it.  You
could try asking the providers of some of the other 'external'
scripts.

I doubt the load will be all that high, but it could be material if
the service requires a lot of resources per lookup to fulfill it's
function.  Also, if the service is getting overloaded by queries from
Nmap and they aren't happy about it, we could remove the script from
future versions of Nmap and move it to our "script vault".  I imagine
that those scripts only get a tiny fraction of the usage seen by the
ones which ship with Nmap.

Another concern raised by the service provider was that they would
have a record of everyone nmap user that used there service (i.e. web
logs).  Is this a genuine worry, has it come up before for other
external services?

That is definitely a concern, and it is why we require that scripts
like this be in the "external" category.  That way, if folks want to
avoid this information leak, they can do thing like "--script
'discovery and not external'".  In most cases, I think the privacy
risk is mild compared to much of our other common Internet activity.
But for particularly sensitive scans, it might matter.

Finally the service provider would want to include, in the output, a
line stating that the results were provided by them.  Would this be
acceptable?

We wouldn't want advertising, but it's possible that this could be
structured so that it meets the company's goals and is actually useful
to Nmap users too.  After all, it is often important to know the
source of your data.  Of course we always include the data source in
the NSEDoc information.  Mentioning the data source in the output,
especially if it only takes an extra word or two, might be reasonable.
Also, for some scripts, the name of the data source is included in the
NSE script name itself.

Of course, to evaluate a new script like this, we'd have to see what
benefits it offers over the existing asn-query, targets-asn, and
whois.

Cheers,
Fyodor
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault