Nmap Announce mailing list archives

Re: Nmap and xlogmaster


From: Max Vision <vision () whitehats com>
Date: Thu, 28 Jan 1999 17:41:04 -0800 (PST)

On Thu, 28 Jan 1999, Erik Parker wrote:
> So.. Using xlogmaster, anytime it sees "ssh connection attempt" it
> executes /root/program
>
> /root/program contains:
>
> tail /var/log/messages | grep -i "ssh connection attempt from" |awk '{print $10}'|xargs nmap -O >> /root/nmaplog


First to answer your questions, to get the actual fingerprint use -d.  As
for the append option, use >>.

Now to address your "/root/program" script... there are several problems
that I would hate to see you run into.  What if there are, say, five
connections to your ssh port, each right after the other, thus fitting
into the last ten lines of /var/log/messages (which is what tail grabs by
default)?  This would cause your program, on the fifth catch, to have
run a full portscan against a host(s) 15 times.

Not that I would condone the use of your script above, but one way to at
least limit scanning to just one host would be to change it to:

tail /var/log/messages |grep -i "ssh connection atte"|awk '{print $10}'|\
tail -1|xargs nmap -O -sS -p 22,25,53,80,139 >> /root/nmaplog

Note that I also suggest adding a port range since that will catch and ID
like 99% of the hosts out there.

Good luck!
Max
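
Added example, not part of the original post: a replay of the five-connection burst described above that counts how many targets each pipeline would hand to xargs, without ever running nmap. The log lines are constructed so that the address is field 10, and `targets_once`, `simulate` and the `$SEEN` state file are hypothetical additions that go one step beyond the reply by validating the field and skipping addresses already handled.

```shell
#!/bin/sh
# Constructed log: five connections from two hosts (documentation addresses),
# laid out so the source address is field 10, as awk '{print $10}' assumes.
make_log() {
  idx=0
  for ip in 192.0.2.1 192.0.2.1 192.0.2.2 192.0.2.1 192.0.2.2; do
    idx=$((idx + 1))
    echo "Jan 28 17:0$idx:00 host sshd[10$idx]: ssh connection attempt from $ip"
  done
}

# Pipeline from the quoted script: every match in the last ten lines.
targets_original() {
  tail "$1" | grep -i "ssh connection attempt from" | awk '{print $10}'
}

# Pipeline from the reply: only the newest match.
targets_latest() {
  tail "$1" | grep -i "ssh connection atte" | awk '{print $10}' | tail -1
}

# Hypothetical addition: newest match only, must look like an IPv4 address,
# and is emitted only the first time it appears (state file $SEEN).
targets_once() {
  ip=$(targets_latest "$1")
  echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 0
  grep -qxF "$ip" "$SEEN" 2>/dev/null && return 0
  echo "$ip" >> "$SEEN"
  echo "$ip"
}

# Replay the burst: the trigger fires once after each new log line, and we
# count the targets that would be handed to xargs (nmap is never run).
simulate() {  # $1 = name of a targets_* function
  src=$(mktemp); log=$(mktemp); SEEN=$(mktemp); total=0; fired=1
  make_log > "$src"
  while [ "$fired" -le 5 ]; do
    head -n "$fired" "$src" > "$log"   # log as it stands at trigger $fired
    total=$((total + $("$1" "$log" | wc -l)))
    fired=$((fired + 1))
  done
  rm -f "$src" "$log" "$SEEN"
  echo "$total"
}

for f in targets_original targets_latest targets_once; do
  echo "$f: $(simulate "$f") targets passed to nmap"
done
```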


