Nmap checks

Andreas Ericsson ae at op5.se
Sun Apr 3 16:12:37 CEST 2005


Andrew Cruse wrote:
> This might be a better question for the plugins list, but here goes.
> I'm trying to figure out if there is any way to use any of the existing
> plugins to do the following:
> 
> 1.  Port scan a host
> 2.  Compare open ports to a list of "expected" ports passed via the
> commandline
> 3.  Alert if any ports other than the "expected" ports are open.
> 

Don't do this. You'll end up scanning 2 * 65535 * num_hosts ports for 
every one of these checks you're adding up. If you didn't have problems 
in your network before this, you'll get them when implementing this 
check. Instead you should try using nrpe/check_by_ssh and netstat to 
display open ports. That way you can also link them to the program 
having them opened.

> My goal here is to be able to monitor systems for rogue ports opening
> up, as an indication that the system may have been compromised.  It
> seems like it would be fairly trivial to do a local check on each system
> by parsing the output of netstat, but the reliability of that method is
> predicated on the trustworthiness of the netstat binary which is an
> assumption I'm not willing to make when I'm looking to sniff out
> intrusions.  Therefore it seems best to try to do the detection from
> another system.  Looking at the check_nmap plugin it seems like it is
> only able to check that certain ports *are* open, whereas I'm looking to
> do the opposite.
> 
> Any suggestions/pointers are greatly appreciated.
> 
> Thanks,
> 
> Andrew
> 
> 
> 
> -------------------------------------------------------
> SF email is sponsored by - The IT Product Guide
> Read honest & candid reviews on hundreds of IT Products from real users.
> Discover which products truly live up to the hype. Start reading now.
> http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
> _______________________________________________
> Nagios-users mailing list
> Nagios-users at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nagios-users
> ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
> ::: Messages without supporting info will risk being sent to /dev/null
> 

-- 
Andreas Ericsson                   andreas.ericsson at op5.se
OP5 AB                             www.op5.se
Lead Developer
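
The local check suggested above, sketched as a Nagios-style plugin; this is an added example, not part of the original post and not an existing Nagios plugin. It assumes Linux `netstat -tlnp` column layout and, as the quoted question notes, is only as trustworthy as the netstat binary on the monitored host; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: alert on listening TCP ports that are not on an expected list.
# Intended to run on the monitored host via NRPE or check_by_ssh.

# unexpected_ports CSV: reads `netstat -tlnp` output on stdin and prints
# "port(pid/program)" for every listening port missing from CSV.
unexpected_ports() {
    awk -v expected="$1" '
        BEGIN { n = split(expected, e, ","); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)        # drop address, also handles :::22
            if (!(port in ok) && !(port in seen)) { # report tcp/tcp6 duplicates once
                seen[port] = 1
                out = out sep port "(" ($7 == "" ? "-" : $7) ")"
                sep = " "
            }
        }
        END { print out }'
}

# check_listeners CSV: same input, prints a status line and returns the
# Nagios plugin exit status (0 = OK, 2 = CRITICAL).
check_listeners() {
    extra=$(unexpected_ports "$1")
    if [ -n "$extra" ]; then
        echo "CRITICAL - unexpected listening ports: $extra"
        return 2
    fi
    echo "OK - only expected ports are listening"
    return 0
}

# Constructed sample of `netstat -tlnp` output, for offline testing.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1033/master
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN      4410/nc
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      950/httpd
EOF
}

# Live use: pass the expected ports as one comma-separated argument, e.g. "22,25,80".
if [ "$#" -gt 0 ]; then
    netstat -tlnp 2>/dev/null | check_listeners "$1"
    exit $?
fi
```

The program column is only populated when netstat runs with enough privilege to see the owning process; otherwise it is reported as `-`.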

