Monday, May 26, 2008

Search Window TODO

After discussing the future functionality of Zenmap's Search Window on the mailing list, I have assembled the following TODO.

Supported operators and their aliases:
  • profile: (pr:) - Profile used.
  • target: (t:) - Scan target(s). Matches the user-supplied target, or a rDNS result.
  • option: (o:) - Scan options. This includes everything in the command line, except "nmap" and the target list. Options that take arguments can be matched using the following syntax: "opt:option_name(argument)". For example, "opt:version-intensity(9)" matches all scans that have --version-intensity set to 9.
  • date: (d:) - Date when scan was performed. Apart from the standard "date:YYYY-MM-DD" format, it will be possible to perform fuzzy matching using the "~" prefix. For example, "date:2008-12-25~" matches all scans performed from 00:00 on December 24 until 00:00 on December 27 (a span of three days). Using the fuzziness operator twice means the span of five days (in the previous example, 00:00 on December 23 until 00:00 on December 28). The "~" operator can be used anywhere in the date string, since it gets stripped out before parsing the date.
    In addition, it is possible to use the "date:-n" notation which means "n days ago". Basically, it just calculates the date of n days ago, and proceeds with normal date logic. Fuzzy matching is also applicable here.
  • after: (a:) - Matches scans made after the supplied date (YYYY-MM-DD). The "-n" notation can also be used (see above).
  • before (b:) - Matches scans made before the supplied date. The "-n" notation can also be used.
  • os: - Matches all OS-related fields (including vendor, device type, OS details, OS class, OS version, etc.).
  • scanned: (sp:) - Matches a port if it was among those scanned.
  • open: (op:) - Open ports discovered in a scan. For example, "op:22" returns all scans that discovered an open SSH port.
  • closed: (cp:) - Closed ports discovered in a scan.
  • filtered: (fp:) - Filtered ports discovered in scan.
  • unfiltered: (ufp:) - Unfiltered ports found in a scan (using, for example, an ACK scan).
  • open|filtered: (ofp:) - Matches ports in the "open|filtered" state.
  • closed|filtered: (cfp:) - Matches ports in the "closed|filtered" state.
  • service: (s:) - Service discovered running on a port. Matches all service-related fields, where present.
  • inroute: (ir:) - Matches a router in the scan's traceroute output.
Additionally,
  • "Bare" search strings (without an operator) match anything, anywhere in the scan's output or its command string.
  • Searches that contain spaces can be wrapped inside quotation marks.
  • The "and" operator is implicit.

No comments: