Nmap Development mailing list archives

Re: http-google-malware.nse - Script to check if host is known for distributing malware or being used in phishing attacks


From: Paulino Calderon <paulino () calderonpale com>
Date: Fri, 08 Jul 2011 23:39:22 -0700

On 07/08/2011 04:25 PM, Henri Doreau wrote:
> 2011/7/8 Paulino Calderon<paulino () calderonpale com>:
>> I've added an argument to pass the api key from command line and committed
>> this script as 'http-google-malware' r24749.
>
> Hi Paulino,
>
> I've just quickly read the script and it sounds good. I have a comment
> concerning arguments handling though. Wouldn't it be better to use
> stdnse.get_script_args() instead of reading them from the registry?
>
> In the secwiki entry[1] I also mentioned the "Symantec Norton safe
> web" service. Just for information: do you have plans to add support
> for this as well? Or is there an issue about it (like usage rules or
> whatever...)?
>
> Regards.
>
> [1] https://secwiki.org/w/Nmap_Script_Ideas#http-malware-host


Well to be honest I don't know the difference between them. Fyodor didn't mention anything about it when we had code reviews for this script or others so I assumed they were both correct.

When I was researching our options for this script, I tested malware sites from http://www.malwareblacklist.com/showMDL.php and Google's service detected a LOT more entries than Norton. Since Symantec Norton also does not offer an API and we would have to parse HTML that could need updates in the future, I decided to go with Google's API. Adding support to this service does have the advantage of not needing an API key but their database doesn't seem that good.

Cheers.

--
Paulino Calderón Pale
Web: http://calderonpale.com
Twitter: http://www.twitter.com/paulinocaIderon

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

