Nmap Development mailing list archives
Re: [NSE] Target time out checks
From: Fyodor <fyodor () insecure org>
Date: Sun, 21 Dec 2008 23:50:21 -0800
On Mon, Dec 22, 2008 at 12:36:41AM -0700, Patrick Donnelly wrote:
Currently NSE starts the time out clock for all the hosts in a runlevel group before beginning the scan. If there is an extremely large group, some hosts may not be handled before a script thread is mistakenly timed out (even when it has no connections open). Also, a script may not actually be accessing that host at the time (whois.nse will query the whois database, not the target!!). For this reason, I do not believe that the Target.timedOut method is appropriate for the Script Engine.
Hi Patrick. Good points. But it is very important to have a timeout mechanism for NSE to avoid scripts running far longer than is desired. If I specify "nmap -A --host-timeout 5m scanme.nmap.org", the goal is that no more than a total of 5 minutes be spent scanning that machine. So if the 5M elapses during the port scanning phase, neither OS detection nor NSE should even be run against scanme. That is the current design goal. If 4:58 is already accounted for from port scanning by the time NSE starts, and so the first scripts have just a couple seconds to run before they time out, that is OK too. If a whois script is querying a registry about scanme, it is appropriate to charge that time to scanme.

As you note, this time accounting can get more complex when you are scanning multiple machines. It may be that NSE doesn't do a very good job at determining what hosts should be charged for the scripts running at a given time. In this case, I think it would be great to improve the time accounting system! But I don't think we should simply scrap it without a replacement at hand. I'd rather have the 5m timeout be inexact than fail to function entirely during NSE. But if you can create a patch to make timekeeping more accurate (without increasing complexity too much), that would be great!

Cheers,
-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
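The accounting question discussed in this message, as an added example that is not part of the original post and is not Nmap's code: a simulated-clock model comparing a timeout clock that starts for every host when the group starts with one that charges a host only while a script thread attributed to it runs. The `Host` fields, the `workers` concurrency limit and the sample numbers are assumptions; the 300-second budget mirrors the `--host-timeout 5m` example.

```python
from dataclasses import dataclass

@dataclass
class Host:
    name: str
    used_before_nse: float  # seconds already charged (port scan, OS detection)
    script_time: float      # seconds this host's script threads need

def simulate(hosts, budget, workers, policy):
    """Return the names of hosts that hit the host timeout during NSE.

    policy "group":    the clock runs for every host from group start,
                       so time spent waiting for a free thread is charged.
    policy "per_host": a host is charged only while a thread attributed
                       to it runs (including whois lookups about it).
    """
    free_at = [0.0] * workers          # simulated time each slot becomes free
    timed_out = set()
    for h in hosts:
        slot = min(range(workers), key=free_at.__getitem__)
        start = free_at[slot]
        waited = start if policy == "group" else 0.0
        remaining = budget - h.used_before_nse - waited
        if remaining < h.script_time:
            timed_out.add(h.name)
        # Either way the host never gets more than its remaining budget,
        # so the timeout keeps functioning under both policies.
        free_at[slot] = start + max(0.0, min(h.script_time, remaining))
    return timed_out

def sample_group():
    # Constructed data: 20 hosts with 60 s of port scanning each, plus one
    # host that had already used 4:58 of its 5 minutes before NSE started.
    hosts = [Host(f"host{i:02d}", 60.0, 40.0) for i in range(20)]
    hosts.append(Host("late-portscan", 298.0, 40.0))
    return hosts

if __name__ == "__main__":
    for policy in ("group", "per_host"):
        hit = simulate(sample_group(), budget=300.0, workers=2, policy=policy)
        print(policy, sorted(hit))
```

In the model, the group-start clock times out hosts that were only waiting for a thread, while per-host charging still cuts off the host that arrived with two seconds left.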