(Sending this to nessus-devel, might spark up a discussion or 30)
On Friday 10 January 2003 03:06, Paul Johnston wrote:
> I can see why it's hard to abandon NASL with >1000 existing scripts,
> but I really think the future lies in using a standard language.
I dont agree actually, I wrote the Perl support mainly so that Nessus can
use various 3rd-party libraries through the Perl module system. The
original reason was to have a standardized database layer for doing
account auditing (DB2, Oracle, etc).
Using a custom language for the majority of the plugins means that there
is actually some sort of a standard for the way tests are done. CGI
checks are cookie-cooker and very small, due to most of the
intelligence/integration happening behind the libraries. Duplicating the
function library in a another language is possible, but it would take
quite a bit of time to write and could potentially create a whole new set
of dependencies for the code to compile. NASL doesn't need to be a fully
functional scripting language to simply test for various vulnerabilities.
Trying to replace it with another language would make things much more
complicated for the code maintainer (Renaud et all), the plugin writer
(damn, the SSL module doesnt compile on this platform), and the poor guy
trying to understand what the plugins do (theres more than one way to do
it... you can be people will use their own). While both Perl and Python
have sandboxed modes, vulnerabilities have been found in them and will
probably continue to be found in them. Are you going to force every
Nessus user to have a billion little python/perl module instaled just to
get SSL or XML support?
The current use of NASL ensures at least some basic similarities between
plugins. It has a great API of functions explicitly written to test for
security vulnerabilties. The latest rewrite of NASL actually makes it a
_real_ (as in bison/lex) language that can be extended as needed. NASL
also supports some really cool things like transparent protocol
negotiation for SSL wrapped ports, an integrated (if one-way) knowledge
base, and built-in support for both pcap and raw packet generation.
Rewriting (or even hooking into) those functions is a significant amount
of work. If you feel inclined, go right ahead, but after youre finished
you may not be satisfied with the feedback you receive from the community
(ugh, I have to install what packages in what order to use this thing?).
If there was a single software package whose name I have cursed above all
others in the last 3 years, it has got to be NASL. It wasn't until I went
through the process of extending the API and adding Perl support did I
appreciate all the things that NASL did for you as a plugin writer. If
this was a brand new project, it might make sense to save time and use an
existing language, but its come far enough and offers such a rich feature
set that trying to throw it out the window now is just rediculous.
If you want to add support for plugins in a different language, keep in
mind that even if you write your own function library and sand-boxing
mode, the fact that your plugins aren't compatible with the standard
Nessus (without --enable-python-plugins and a whole bunch of support
libaries) will probably keep 99% of the people from using them. Since
most people wont be able to use your plugin set, replacements will have
to be written in NASL...
If you can cut back your dependencies to a small set that can be included
in the Nessus distribution (both legally and realistically), there may be
a real future in it, but please take into account the different operation
systems and environments in which Nessus is used today.
If its going to make things even more complicated to configure and
maintain, then no matter what the advantages are, you won't be able to
convince the plugin-writing community to use your code.
Bleh, this is just me ranting at 4 in the morning, maybe most of the
plugin developers would be ecstatic at using Python and will gladly
donate the time it takes to rewrite and *test* 1000+ plugins ;)
-HD
On Friday 10 January 2003 03:06, Paul Johnston wrote:
> I can see why it's hard to abandon NASL with >1000 existing scripts,
> but I really think the future lies in using a standard language.
I dont agree actually, I wrote the Perl support mainly so that Nessus can
use various 3rd-party libraries through the Perl module system. The
original reason was to have a standardized database layer for doing
account auditing (DB2, Oracle, etc).
Using a custom language for the majority of the plugins means that there
is actually some sort of a standard for the way tests are done. CGI
checks are cookie-cooker and very small, due to most of the
intelligence/integration happening behind the libraries. Duplicating the
function library in a another language is possible, but it would take
quite a bit of time to write and could potentially create a whole new set
of dependencies for the code to compile. NASL doesn't need to be a fully
functional scripting language to simply test for various vulnerabilities.
Trying to replace it with another language would make things much more
complicated for the code maintainer (Renaud et all), the plugin writer
(damn, the SSL module doesnt compile on this platform), and the poor guy
trying to understand what the plugins do (theres more than one way to do
it... you can be people will use their own). While both Perl and Python
have sandboxed modes, vulnerabilities have been found in them and will
probably continue to be found in them. Are you going to force every
Nessus user to have a billion little python/perl module instaled just to
get SSL or XML support?
The current use of NASL ensures at least some basic similarities between
plugins. It has a great API of functions explicitly written to test for
security vulnerabilties. The latest rewrite of NASL actually makes it a
_real_ (as in bison/lex) language that can be extended as needed. NASL
also supports some really cool things like transparent protocol
negotiation for SSL wrapped ports, an integrated (if one-way) knowledge
base, and built-in support for both pcap and raw packet generation.
Rewriting (or even hooking into) those functions is a significant amount
of work. If you feel inclined, go right ahead, but after youre finished
you may not be satisfied with the feedback you receive from the community
(ugh, I have to install what packages in what order to use this thing?).
If there was a single software package whose name I have cursed above all
others in the last 3 years, it has got to be NASL. It wasn't until I went
through the process of extending the API and adding Perl support did I
appreciate all the things that NASL did for you as a plugin writer. If
this was a brand new project, it might make sense to save time and use an
existing language, but its come far enough and offers such a rich feature
set that trying to throw it out the window now is just rediculous.
If you want to add support for plugins in a different language, keep in
mind that even if you write your own function library and sand-boxing
mode, the fact that your plugins aren't compatible with the standard
Nessus (without --enable-python-plugins and a whole bunch of support
libaries) will probably keep 99% of the people from using them. Since
most people wont be able to use your plugin set, replacements will have
to be written in NASL...
If you can cut back your dependencies to a small set that can be included
in the Nessus distribution (both legally and realistically), there may be
a real future in it, but please take into account the different operation
systems and environments in which Nessus is used today.
If its going to make things even more complicated to configure and
maintain, then no matter what the advantages are, you won't be able to
convince the plugin-writing community to use your code.
Bleh, this is just me ranting at 4 in the morning, maybe most of the
plugin developers would be ecstatic at using Python and will gladly
donate the time it takes to rewrite and *test* 1000+ plugins ;)
-HD