I may have discovered a bug in
nmap.nasl concerning the
--scan-delay option. This research resulted because of an issue I initially had: Nmap (NASL wrapper) rate limits / timing settings
My feed version is 20210429T1046. This is the relevant
nmap.nasl script excerpt:
Line 304 checks, if the given parameter
p consist of numbers only. In line 206 the parameter
p is added to the nmap arguments (
--scan-delay expects a
time parameter. According to the nmap documentation:
Some options accept a
timeparameter. This is specified in seconds by default, though you can append ‘ms’, ‘s’, ‘m’, or ‘h’ to the value to specify milliseconds, seconds, minutes, or hours.
p is added without any unit, therefore it defaults to seconds. If you would specify
20ms in web user interface, the regex check is going to fail.
First option: fix in line 306:
argv[i++] = p + 'ms';
Second Option: Drop mandatory ms scale in all timing options and let users decide the unit via the preferences in the user interface (e.g. 20ms).