Nmap Development mailing list archives

Re: Safe and Intrusive Category confusion


From: Patrick Donnelly <batrick () batbytes com>
Date: Mon, 28 Sep 2009 22:56:11 -0400

Hi David,

On Sun, Sep 27, 2009 at 2:39 PM, David Fifield <david () bamsoftware com> wrote:
> On Wed, Sep 23, 2009 at 03:28:11AM -0700, Fyodor wrote:
> > Right now we have 20 scripts which aren't in "safe" or "intrusive".
> > Does anyone want to go through this list (reading the nsedoc and/or
> > script source) and add a short comment for each as to whether you
> > think it should be "safe" or not (and why) and then send the commented
> > list back to nmap-dev for discussion?
> >
> > asn-query.nse
> > auth-spoof.nse
> > daytime.nse
> > dhcp-discover.nse
> > finger.nse
> > http-favicon.nse
> > http-headers.nse
> > http-malware-host.nse
> > http-trace.nse
> > http-userdir-enum.nse
> > iax2-version.nse
> > imap-capabilities.nse
> > irc-info.nse
> > pop3-capabilities.nse
> > pptp-version.nse
> > realvnc-auth-bypass.nse
> > skypev2-version.nse
> > smtp-open-relay.nse
> > smtp-strangeport.nse
> > sniffer-detect.nse
>
> Patrick, how were you planning to break these down? We got sidetracked
> on the issue of the "intrusive" category but that doesn't have to
> prevent the identification of safe scripts from the list above.

I'm very busy at the moment with preparations for my trip next week to
the Lua Workshop. I don't think I'll be able to properly look at these
until next week during free time (hotel wifi) or the week after when
things settle down.

I think this discussion has been fruitful. All we need to do is
classify which scripts are safe and file the others as intrusive, for
now.

Later I think we should identify which categories are essential (safe,
vuln, etc.) and remove the rest. With the introduction of boolean
operators, we don't need as many redundant categories (intrusive).
Perhaps we should begin using categories that better describe the
actions of the script (*looks* for vulnerabilities, attempts to
remotely exploit the machine (using vulnerabilities found?), crash the
machine, etc.).

As discussed previously, we never found a more appropriate way to
describe a Safe script. I have put a lot of thought into how a Safe
script would be better classified. I believe that any action against a
host by a Safe script should be indistinguishable from *genuine* use
of the service. I have reviewed the thesaurus heavily looking for
things like antonyms of abuse and whatnot. The best word I could come
up with was in fact Genuine (or Authentic, but that is too similar to
Authentication scripts). I dislike the idea of a Safe category because
it poorly describes how the scripts actually behave. All you can
assume is that the scripts are probably not going to piss off IT.
Maybe someone can come up with a better category name. I kind of like
Genuine but it may not be self-evident when first looked at (user will
need to consult the docs).


-- 
-Patrick Donnelly

"Let all men know thee, but no man know thee thoroughly: Men freely
ford that see the shallows."

- Benjamin Franklin

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
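As an added illustration of the two technical points in the thread (Fyodor's list of scripts that sit in neither "safe" nor "intrusive", and Patrick's remark that boolean operators make redundant categories unnecessary), here is a small Python helper, not Nmap's own code, that parses the `categories = {...}` line of NSE script sources and evaluates an nmap-style `--script` selector such as `not safe and not intrusive` against them. The script fragments are constructed for the example and are not the real scripts.

```python
import re

# Constructed NSE script fragments (not the real Nmap scripts), each carrying
# the "categories = { ... }" line that the classification discussion is about.
SAMPLE_SCRIPTS = {
    "daytime.nse": 'categories = {"discovery", "version"}',
    "http-trace.nse": 'categories = {"vuln", "discovery"}',
    "smtp-open-relay.nse": 'categories = {"intrusive", "external"}',
    "http-headers.nse": 'categories = {"safe", "discovery"}',
}
CATEGORY_RE = re.compile(r'categories\s*=\s*\{([^}]*)\}')

def parse_categories(source):
    """Set of category names declared in an NSE script source."""
    match = CATEGORY_RE.search(source)
    return set(re.findall(r'"([^"]+)"', match.group(1))) if match else set()

def matches(expr, categories):
    """Evaluate an nmap --script style selector (and/or/not, parentheses;
    "and" binds tighter than "or") over one script's category set."""
    tokens = re.findall(r'\(|\)|[\w-]+', expr.lower())
    def atom():                          # "(" expr ")" | "not" atom | category name
        tok = tokens.pop(0)
        if tok == "(":
            value = or_expr()
            if tokens.pop(0) != ")":
                raise ValueError("unbalanced parentheses")
            return value
        return not atom() if tok == "not" else tok in categories
    def and_expr():
        value = atom()
        while tokens[:1] == ["and"]:
            tokens.pop(0)
            value = atom() and value     # atom() first so its tokens are always consumed
        return value
    def or_expr():
        value = and_expr()
        while tokens[:1] == ["or"]:
            tokens.pop(0)
            value = and_expr() or value
        return value
    result = or_expr()
    if tokens:
        raise ValueError("trailing tokens: " + " ".join(tokens))
    return result

def select_scripts(scripts, expr):
    """Names of scripts whose categories satisfy the selector expression."""
    return sorted(name for name, src in scripts.items()
                  if matches(expr, parse_categories(src)))
```

With the selector `not safe and not intrusive`, `select_scripts` reproduces the kind of gap list Fyodor posted; an explicit "intrusive" label is only needed where "not safe" is not the intended meaning.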