Add configurable UDP probes#2
zakird merged 8 commits into zmap:master from hdm:feature/add-udp-probe-specifiers
Conversation

Thanks for the pull request! I've made a few minor changes, and am about ready to merge. Can you add a README to the examples/udp-probes/, describing what each of those packets does/expects as response?

Thanks! Sure, the parsing side is a bit tricky for some protocols, and most of my current code is in Ruby, but I can add a README with an overview at least. I have a separate set of patches in the works for an extended output file type that contains the UDP reply data.

The README has been committed. Feel free to mangle this patch to whatever form is preferred. It wasn't clear what the best way to return an error from a probe module option parser was, so the current patch simply writes to stderr and calls exit(1).

A small TODO: we have a global_initialize() but not a global_cleanup() per probe module. If this is implemented (or if you like, I can add it), this module should call udp_global_cleanup() as the handler in order to free the payload packet allocated in the global_initialize() callback.

While there is no global_cleanup, there is a close callback which is global. We can rename this to be more clear, but unless I misunderstand, I think this would be the correct place to call udp_global_cleanup().

Perfect, thanks! Patch updated to use the close callback and correct a previous typo.

Do you have a preference on how fatal errors and non-fatal warnings should be handled in probe modules?

I've added the udp_global_cleanup call to the close function callback for
On Sat, Aug 17, 2013 at 2:45 PM, Zakir Durumeric

I've been using log_fatal and log_error (after #include "logger.h"). I've
On Sat, Aug 17, 2013 at 3:14 PM, HD Moore wrote:
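The two points discussed in this thread, allocating the payload in global_initialize() and freeing it from the close callback via udp_global_cleanup(), and how a probe module's option parser should report a bad argument, as an added example that is not ZMap's code or this patch. The hex:<digits> specifier syntax, the function names and the convention of returning -1 to the caller (who can then call log_fatal) instead of exiting inside the parser are assumptions, not taken from the thread.

```c
/* Added example, not ZMap's code: payload allocated in global_initialize, freed from
 * the close callback, parse errors returned to the caller; hex:<digits> and all names are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
static uint8_t *udp_payload = NULL;  /* owned by udp_global_initialize */
static size_t udp_payload_len = 0;
/* Hooked to the probe module's close callback; safe to call repeatedly. */
void udp_global_cleanup(void) {
    free(udp_payload);
    udp_payload = NULL;
    udp_payload_len = 0;
}
static int hexval(int c) {
    const char *d = "0123456789abcdef", *p = c ? strchr(d, tolower((unsigned char)c)) : NULL;
    return p ? (int)(p - d) : -1;
}
/* Parse "hex:<digits>" into the global payload. Returns 0 on success or -1 on
 * a malformed specifier with nothing left allocated; whether -1 is fatal
 * (e.g. log_fatal) is the caller's decision, so no exit() lives here. */
int udp_global_initialize(const char *spec) {
    udp_global_cleanup();  /* re-initialising must not leak the old payload */
    if (strncmp(spec, "hex:", 4) != 0) {
        fprintf(stderr, "udp: unknown probe specifier '%s'\n", spec);
        return -1;
    }
    const char *h = spec + 4;
    size_t n = strlen(h);
    if (n == 0 || n % 2 || !(udp_payload = malloc(n / 2))) {
        fprintf(stderr, "udp: hex payload needs a non-empty, even digit count\n");
        return -1;
    }
    for (size_t i = 0; i < n; i += 2) {
        int hi = hexval(h[i]), lo = hexval(h[i + 1]);
        if (hi < 0 || lo < 0) {
            udp_global_cleanup();  /* free the partial buffer before failing */
            fprintf(stderr, "udp: invalid hex digit in payload\n");
            return -1;
        }
        udp_payload[i / 2] = (uint8_t)((hi << 4) | lo);
    }
    udp_payload_len = n / 2;
    return 0;
}

size_t udp_payload_length(void) { return udp_payload_len; }
const uint8_t *udp_payload_bytes(void) { return udp_payload; }
```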

Thanks! All probes should be investigative only, but some will trip up IDS signatures. The only semi-bad probe is the SNMP sysDesc query. This isn't dangerous in and of itself, but many ISPs have configured their PDUs and other equipment to send a trap when an invalid community string is received. It sounds like your local pull should solve the outstanding issues with this pull.

I've merged this into mainline. I'd like to make a couple more changes before merging into stable because as of now, OS packages are just going to toss these UDP packets and I'd like to be installing them as part of the install process (probably something along the lines of /var/zmap/). However, the functionality will be useful for anyone working off of the development branch.

Sounds good. Once the json-output stuff is merged, I should be able to add some examples of server replies (the current output modules do not present the raw data). In terms of parsing the output from the server, most of my current dissector code is in Ruby. Is this something you would like to include in zmap or keep external?
This patch updates the UDP probe module to allow custom payloads.
Examples: