On Mittwoch, 23. Juli 2014, Thomas Reinke wrote: > On 23/07/14 04:27 AM, Jan-Oliver Wagner wrote: > >> FYI - I am seeing downstream impact, as amap.nasl and nmap.nasl > >> have explicit checks for the value "default" to control certain > >> behaviours. That might be a non-trivial impact in terms of > >> expected behaviour/performance of nmap itself... > > > > hm, this is somewhat in conflict with the intransparency of what > > is going on. A Nmap expert of course might know well what will > > happen using "default". > > That's, in my opinion, THE common way to run nmap (no port options). > It's the biggest bang for the buck from nmap. It's not really > an 'expert' thing - if you use nmap at ALL and know what it does, > you are using that mode.
Most of our users have no idea about what port scanners are used. They know about hosts and ports and know what should be touched and what should not be touched. I think the problem we are running into here is that OpenVAS has meanwhile far more non-pentester users than pentester users. > >> The specific use case for us is that we use the 'default' value > >> of nmap to control nmap's scan to scan any port below 1024 and > >> all known service ports that nmap has, and to then feed that > >> back into openvas. It looks to me based on observations (haven't > >> run the actual tests yet), that this capability would now be > >> broken, as there would be no way of telling nmap to leverage this > >> default behaviour set. > > > > right, you need now to express the ports explicitly. > > Got it...not my preferred approach (I've always been a fan of all > the work that nmap did in identifying all the common services). To > have to grab all that out seems...redundant. Not a huge issue though, > and admittedly I like the idea of passing port list better than > the idea of patching back two versions of openvassd. with the future OSP approach we might be able to re-enable some expert features when wrapping scan components and thus help pentester who are not using OMP level. Well, eventually... > > It won't apply for OpenVAS-7 though as the conceptual change would not > > allow to transfer a setting that is understood by some port scanner in some > > way. > > Probably would be good to understand and handle the logic in the nasl > scripts that still rely on the "default" values... hm, which ones are these? -- Dr. Jan-Oliver Wagner | +49-541-335084-0 | http://www.greenbone.net/ Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 202460 Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner _______________________________________________ Openvas-discuss mailing list [email protected] https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
