Nmap Development mailing list archives
RE: Enhanced Version of HTTPtrace.nse
From: "Rob Nicholls" <robert () everythingeverything co uk>
Date: Fri, 14 Dec 2007 00:28:16 -0000
Thanks for the advice!

This is the first time I've touched NSE scripts so I'm not too familiar with all of the things I can do yet (i.e. I didn't realise I could tailor the output based on the verbosity). It makes total sense to detect the verbosity/debugging level in NSE scripts, especially ones that can produce lengthy outputs.

I'll see about modifying it to use the functions you've mentioned. I suspect I'll display when TRACE is enabled by default (similar to how SSLv2 support is displayed), add the inconclusive messages when using -vv (hopefully this won't be seen that often, especially if I can eventually get the script to follow redirects and perform TRACE against files that exist so we can give a more accurate response), and return everything when verbosity is higher than 2 (even I don't usually bother going above 2), unless anyone has any better ideas? I'll also see about using debugging to show additional information, such as the first line of the returned header, if people set it high enough.

I did consider adding support to check for other verbs like TRACK or DEBUG, but that would probably mean renaming the script too (this was only meant to be a very simple modification to your script, but I got carried away) ;)

I've seen so many automated tools give false positives for TRACE based on OPTIONS, and I use nmap all the time, so I thought it would be nice if I could combine the two and save myself some manual analysis.

Rob

-----Original Message-----
From: Kris Katterjohn [mailto:katterjohn () gmail com]
Sent: 13 December 2007 23:44
To: Rob Nicholls
Cc: nmap-dev () insecure org
Subject: Re: Enhanced Version of HTTPtrace.nse

<snip>

Printing that it is enabled but nothing changed is something that I would consider if -v or -d is set (nmap.verbosity or nmap.debugging) since that is something that can be useful at times. However, printing that it's not enabled is too much output IMO, and I'm pretty sure Fyodor will agree.

<snip>

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
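The output tiers proposed in the message above, sketched as an added example; this is not code from HTTPtrace.nse or from either poster. The function names, the classification rules and the debugging threshold are assumptions, and the responses are constructed samples.

```lua
-- Added example, not the HTTPtrace.nse code. Inside an NSE script the two
-- levels would come from nmap.verbosity() and nmap.debugging(); they are
-- plain parameters here so the file runs under a stock Lua interpreter.

-- Classify a raw response to a TRACE request (rules are assumptions).
local function classify(request_line, response)
  local status_line = response:match("^([^\r\n]*)") or ""
  local code = tonumber(status_line:match("^HTTP/%d%.%d (%d%d%d)") or "")
  local body = response:match("\r\n\r\n(.*)$") or ""
  if code == 200 and body:find(request_line, 1, true) then
    return "enabled", status_line       -- the server echoed the request back
  elseif code and ((code >= 300 and code < 400) or code == 404) then
    return "inconclusive", status_line  -- redirect, or the file does not exist
  end
  return "disabled", status_line
end

-- Decide what to print for a verdict; nil means print nothing.
local function report(verdict, status_line, verbosity, debugging)
  local out
  if verdict == "enabled" then
    out = "TRACE is enabled"            -- shown by default
  elseif verdict == "inconclusive" and verbosity >= 2 then
    out = "TRACE result inconclusive"   -- shown from -vv
  elseif verbosity > 2 then
    out = "TRACE: " .. verdict          -- everything above verbosity 2
  end
  if out and debugging >= 1 then        -- assumed threshold
    out = out .. " (" .. status_line .. ")"
  end
  return out
end

-- Constructed sample responses to "TRACE / HTTP/1.0".
local req = "TRACE / HTTP/1.0"
local samples = {
  "HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n" .. req .. "\r\n\r\n",
  "HTTP/1.1 302 Found\r\nLocation: /login\r\n\r\n",
  "HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD\r\n\r\n",
}
for _, verbosity in ipairs({0, 2, 3}) do
  for _, resp in ipairs(samples) do
    local verdict, status = classify(req, resp)
    print(verbosity, verdict, report(verdict, status, verbosity, 1))
  end
end
```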
