Nmap Development mailing list archives

Re: [RFC] NSE Re-categorization


From: Kris Katterjohn <katterjohn () gmail com>
Date: Wed, 18 Jun 2008 17:22:45 -0500


DePriest, Jason R. wrote:
> What might be nice is a hierarchy to show which safer tests are
> subsets of more "dangerous" or at least more involved tests.
>
> Something like this:
>
>
>                                 /-> malware->\
>                                /              \
> safe --> discovery --> version --> vuln ----->|-> intrusive
>                                \              /
>                                 \-> auth --->/
>
> with demo and default on their own
>
> A script like netbios-smb-os-discovery.nse does a lot of work.  It's
> almost intrusive, but probably just a discovery.
>
> The diagram helps me figure out where it should go and "version" seems
> fine in that context since it does more than a simple discovery and
> you don't want to run it without asking for version detection.


Interesting!

> I also don't understand the benefit of having a script that is
> "intrusive" also be a "discovery" scan.  If it is "intrusive" then I
> don't want it running if I am only asking for "discovery."
>
> They should be either "discovery" and relatively benign or "intrusive"
> and used with intent.
>
> Explain the logic between having a script in both categories.  Maybe I
> just don't "get it."


This is a good point; however, Fyodor mentioned to me that more expressiveness
could be added to script selection, which will alleviate this.

I personally don't see a problem with a script being in Discovery and
Intrusive.  Take zoneTrans for example: it certainly has the "discovery"
aspect to it, but it's also a bit "intrusive".  The intrusiveness in this
respect isn't saying "this script is malicious", just that "this script goes a
bit further than some administrators might like."

However, there is currently no way to say "I want a Discovery script that is
not Intrusive," which, as you mentioned, can pose a problem in situations.

Another threat-level category could be added for scripts that are "used with
intent," but that could easily get confusing.

Opinions anyone?

> -Jason

Thanks,
Kris Katterjohn
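
The selection problem discussed in this message ("a Discovery script that is not Intrusive"), as an added example that is not part of the original post and not Nmap's code. It evaluates a boolean expression over each script's category set; the `and`/`or`/`not` grammar with parentheses, the function names and every script entry except zoneTrans's two categories are assumptions made for illustration.

```python
import re

# Constructed sample data. zoneTrans being in both "discovery" and "intrusive"
# follows the message above; the other names and sets are assumptions.
SCRIPTS = {
    "zoneTrans": {"discovery", "intrusive"},
    "hypothetical-banner": {"discovery", "safe"},
    "hypothetical-bruteforce": {"auth", "intrusive"},
}

def tokenize(expr):
    if re.search(r"[^A-Za-z_()\s-]", expr):
        raise ValueError("unexpected character in expression")
    return re.findall(r"[()]|[A-Za-z_-]+", expr) + [None]  # None = end of input

def matches(expr, cats):
    """Recursive descent over the expression; precedence is not > and > or."""
    toks = tokenize(expr)
    def parse_or():
        value = parse_and()
        while toks[0] == "or":
            toks.pop(0)
            value = parse_and() or value
        return value
    def parse_and():
        value = parse_not()
        while toks[0] == "and":
            toks.pop(0)
            value = parse_not() and value
        return value
    def parse_not():
        tok = toks.pop(0)
        if tok in (None, ")", "and", "or"):
            raise ValueError("category name expected")
        if tok == "not":
            return not parse_not()
        if tok == "(":
            value = parse_or()
            if toks.pop(0) != ")":
                raise ValueError("missing ')'")
            return value
        return tok in cats  # a bare word is a category membership test
    result = parse_or()
    if toks[0] is not None:
        raise ValueError(f"unexpected token {toks[0]!r}")
    return result

def select(expr, scripts=SCRIPTS):
    return sorted(n for n, c in scripts.items() if matches(expr, c))
```

With this, `select("discovery")` still returns zoneTrans, while `select("discovery and not intrusive")` leaves it out without the script having to give up either category.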


