Nmap Announce mailing list archives
Re: Nmap and xlogmaster
From: Max Vision <vision () whitehats com>
Date: Thu, 28 Jan 1999 17:41:04 -0800 (PST)
On Thu, 28 Jan 1999, Erik Parker wrote:
> So.. Using xlogmaster, anytime it sees "ssh connection attempt" it
> executes /root/program
>
> /root/program contains:
>
> tail /var/log/messages | grep -i "ssh connection attempt from" |awk '{print $10}'|xargs nmap -O >> /root/nmaplog
First to answer your questions, to get the actual fingerprint use -d. As for the append option, use >>.

Now to address your "/root/program" script... there are several problems that I would hate to see you run into. What if there are, say, five connections to your ssh port, each right after the other, thus fitting into the last ten lines of /var/log/messages (which is what tail grabs by default)? This would cause your program, on the fifth catch, to have run a full portscan against a host(s) 15 times.

Not that I would condone the use of your script above, but one way to at least limit scanning to just one host would be to change it to:

    tail /var/log/messages |grep -i "ssh connection atte"|awk '{print $10}'|\
    tail -1|xargs nmap -O -sS -p 22,25,53,80,139 >> /root/nmaplog

Note that I also suggest adding a port range since that will catch and ID like 99% of the hosts out there.

Good luck!
Max
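The repeat count described in the reply above, as an added example that is not part of the original post: it replays five constructed log lines through the original pipeline, the tail -1 variant, and a state-file variant that goes beyond the post, counting the targets handed to xargs instead of running nmap. The log layout (source address in field 10), the function names and the sample addresses are assumptions.

```shell
#!/bin/sh
# Constructed sample: five back-to-back attempts from three sources, laid out
# so that awk's field 10 is the source address, as the post's pipeline assumes.
sample_log() {
    cat <<'EOF'
Jan 28 17:40:01 gw sshd[411]: ssh connection attempt from 192.0.2.10
Jan 28 17:40:02 gw sshd[412]: ssh connection attempt from 192.0.2.10
Jan 28 17:40:03 gw sshd[413]: ssh connection attempt from 192.0.2.11
Jan 28 17:40:04 gw sshd[414]: ssh connection attempt from 192.0.2.10
Jan 28 17:40:05 gw sshd[415]: ssh connection attempt from 192.0.2.12
EOF
}

# Sources one handler run would pass on to xargs, given the log so far on stdin.
#   all  - every match in the last ten lines (the original /root/program)
#   last - only the newest match (the tail -1 variant from the reply)
#   new  - sources not yet recorded in state file $2 (added here, hypothetical)
targets() {
    tail -n 10 | grep -i "ssh connection attempt from" | awk '{print $10}' |
    case $1 in
        all)  cat ;;
        last) tail -n 1 ;;
        new)  while read -r host; do
                  grep -qxF -- "$host" "$2" ||
                      { echo "$host" >> "$2"; echo "$host"; }
              done ;;
    esac
}

# Replay the log the way the trigger sees it: the handler fires once per new
# line and reads lines 1..n. Prints the total number of targets handed on.
replay() {
    mode=$1 total=0 n=0
    state=$(mktemp)
    while [ "$n" -lt 5 ]; do
        n=$((n + 1))
        hits=$(sample_log | head -n "$n" | targets "$mode" "$state" | wc -l)
        total=$((total + hits))
    done
    rm -f "$state"
    echo "$total"
}

for m in all last new; do
    echo "$m: $(replay "$m")"
done
```

The "all" total is 1+2+3+4+5, the 15 runs mentioned in the reply; "last" still fires once per trigger, and only the state file stops a source that connects repeatedly from being handled again.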