Hi,
I may have discovered a bug in nmap.nasl
concerning the --scan-delay
option. This research resulted because of an issue I initially had: Nmap (NASL wrapper) rate limits / timing settings
My feed version is 20210429T1046. This is the relevant nmap.nasl
script excerpt:
Line 304 checks, if the given parameter p
consist of numbers only. In line 206 the parameter p
is added to the nmap arguments (argv
). --scan-delay
expects a time
parameter. According to the nmap documentation:
Some options accept a
time
parameter. This is specified in seconds by default, though you can append ‘ms’, ‘s’, ‘m’, or ‘h’ to the value to specify milliseconds, seconds, minutes, or hours.
The parameter p
is added without any unit, therefore it defaults to seconds. If you would specify 20ms
in web user interface, the regex check is going to fail.
First option: fix in line 306: argv[i++] = p + 'ms';
Second Option: Drop mandatory ms scale in all timing options and let users decide the unit via the preferences in the user interface (e.g. 20ms).