Mailing List Archive

plugin categories
What kind of work is involved in renaming plugin categories?
There are a lot of plugins in "Misc" and "General" that relate to web
servers, but do not really fit in "CGI Abuses" because of its label.
Wouldn't it be better to rename it "Web Abuses" and include both
the CGI and web server tests in it?

Along the same lines, changing "CISCO" to simply "Routers" and
moving some of the other Caymen and other router checks there
(including some misplaced Cisco checks)?

I think if we made those two changes there would be very few
plugins in Misc/General, and they could be combined into simply
one category (is there a difference between the two anyway?).

I'm willing to start moving plugins & making diffs, but I wasn't sure
if the categories have to be changed in code or if in a plugin is
enough.

Thoughts?

-Sullo

___________________________________________________
http://www.cirt.net/
Home of Nikto
Re: plugin categories
"sullo" <sullo@cirt.net> writes:

> What kind of work is involved in renaming plugin categories?
> There are a lot of plugins in "Misc" and "General" [snip]

I suppose you meant "families", not "categories".
There is nothing in the C code; families just appear in the plugins.

When you change them, be careful not to misspell them. Beware of
lower/upper case!

BTW, the families are translated in French in some plugins, and not in
others. Not a great idea... e.g. in French, you see two families:
"abus de CGI" and "CGI abuses" IIRC.
(there are also a few German & Portuguese translations)

> but do not really fit in "CGI Abuses" because of its label.
> Wouldn't it be better to rename it "Web Abuses" and include both
> the CGI and web server tests in it?

Unless we are able to define more fine grained families.

> Along the same lines, changing "CISCO" to simply "Routers" and
> moving some of the other Caymen and other router checks there
> (including some misplaced Cisco checks)?

OK

> I think if we made those two changes there would be very few
> plugins in Misc/General, and they could be combined into simply
> one category (is there a difference between the two anyway?)

Well, maybe we should start to clearly define the existing families.

I added two "trashcan" families:
Settings (French "Configuration") for all the ACT_SETTINGS plugins (as
they are always selected, no need to pollute the other categories with
them)
and "Untested" (untranslated in other languages) for some new plugins
that could not be validated _or_ that implement an attack that was not
validated (i.e. reproduce an exploit, but maybe the vulnerability does
not exist). Maybe we should create another family for this case.
My intention with "Untested" was that somebody who wants to check a
specific vulnerability would be careful about the scan results if he
finds the plugin there.

A problem with families is that they cannot (but should?) have
plugins in common.
e.g. a web directory traversal aimed at IIS may go to "CGI abuses",
"Remote file access", "Windows" and maybe also "Gain root remotely" or
"Gain a shell remotely".

We may put a plugin in the most "precise" or "relevant" family. If a
plugin doesn't fit anywhere, it may go to "Misc."
In the previous example, we could create a "Web directory traversal"
family, after all.
I don't think that having kazillions of families should be a problem, as
long as we have more than one plugin in each!

I suppose that we should avoid plugins specific to an editor
(e.g. "CISCO"), as an attack may work against another software.

BTW, I counted 22 (English) families, which is probably too much and
not enough at the same time :-\
Backdoors, CGI abuses, CISCO,
Denial of Service, Finger abuses, Firewalls,
FTP, Gain a shell remotely, Gain root remotely,
General, Misc., NIS,
Port scanners, Remote file access, RPC,
Settings, SMTP problems, SNMP,
Untested, Useless services, Windows,
Windows : User management

A few ideas:
If there is such thing as "Finger", why not "HTTP"?
Does this make sense to have "gain a shell" and "gain root"?
"Remote file access" should probably be renamed "Information leak"
CISCO -> routers

> I'm willing to start moving plugins & making diffs, but I wasn't sure
> if the categories have to be changed in code or if in a plugin is
> enough.

BTW, about the categories, we have not decided yet whether or not we
should add ACT_KILL_HOST after ACT_DENIAL.
Re: plugin categories
On 20 Jul 2002, Michel Arboi wrote:

> When you change them, be careful not to misspell them. Beware of
> lower/upper case!
>
> BTW, the families are translated in French in some plugins, and not in
> others. Not a great idea... e.g. in French, you see two families:
> "abus de CGI" and "CGI abuses" IIRC.
> (there are also a few German & Portuguese translations)

Apparently, family names should be i18ned indirectly: plugins themselves
should provide a single family name (or perhaps a symbolic constant like
ACT_*) and the Nessus engine should find the right translation in a
standalone language-specific list of names (gettext()?).


--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
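
The family-name pitfalls raised in this thread (misspellings, upper/lower case, and French translations present in some plugins but not others) can be checked mechanically before a rename. The following is an added example, not part of the original posts and not Nessus code; the `script_family(english:..., francais:...)` call shape, the file names and the French name for "Gain root remotely" are assumptions, and the plugin fragments are constructed.

```python
import difflib
import re
from collections import defaultdict

# The 22 English family names listed in the thread.
KNOWN_FAMILIES = [
    "Backdoors", "CGI abuses", "CISCO", "Denial of Service", "Finger abuses",
    "Firewalls", "FTP", "Gain a shell remotely", "Gain root remotely",
    "General", "Misc.", "NIS", "Port scanners", "Remote file access", "RPC",
    "Settings", "SMTP problems", "SNMP", "Untested", "Useless services",
    "Windows", "Windows : User management",
]

# Constructed plugin fragments (not real plugins); the call shape is an
# assumption about how a plugin declares its family.
SAMPLE_PLUGINS = {
    "a.nasl": 'script_family(english:"CGI abuses", francais:"Abus de CGI");',
    "b.nasl": 'script_family(english:"CGI Abuses");',
    "d.nasl": 'script_family(english:"Gain root remotly");',
    "e.nasl": 'script_family(english:"Gain root remotely", francais:"Root a distance");',
}

CALL = re.compile(r"script_family\s*\((.*?)\)\s*;", re.S)
ARG = re.compile(r'(\w+)\s*:\s*"([^"]*)"')

def parse_family(source):
    # Return {language: family name} from the first script_family() call.
    m = CALL.search(source)
    return dict(ARG.findall(m.group(1))) if m else {}

def lint(plugins, known=KNOWN_FAMILIES):
    # Return sorted (file, kind, canonical family) findings.
    by_lower = {k.lower(): k for k in known}
    findings, translated = [], defaultdict(dict)
    for name, source in plugins.items():
        fam = parse_family(source)
        english = fam.get("english", "")
        close = difflib.get_close_matches(english, known, n=1, cutoff=0.8)
        canonical = by_lower.get(english.lower()) or (close[0] if close else english)
        if english not in known:
            wrong_case = english.lower() in by_lower
            kind = "case" if wrong_case else "misspelled" if close else "unknown"
            findings.append((name, kind, canonical))
        translated[canonical][name] = "francais" in fam
    # A family translated in some plugins but not others shows up twice in a
    # French client, so flag the plugins that lack the translation.
    for family, files in translated.items():
        if any(files.values()):
            findings += [(f, "untranslated", family) for f, ok in files.items() if not ok]
    return sorted(findings)
```

Calling `lint(SAMPLE_PLUGINS)` returns one tuple per problem, which can be reviewed before generating the diffs.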