Nmap Announce mailing list archives
Re: Nmap and xlogmaster
From: Lamont Granquist <lamontg () raven genome washington edu>
Date: Thu, 28 Jan 1999 18:20:22 -0800
it would also be a good idea to put this into a script and have it choke the number of scans it will do based both on how often it scans a particular machine and how often it issues scans to any machines. that way you don't get used by a spoofer to DoS someone else via using your machine as a "bandwidth multiplier." it should of course log the fact that it is choking, and it should be careful not to fill your disk up. also, i'm a little bit worried that nmap is getting to be a large and complicated program and may have exploitable security holes in it. when doing booby-traps like this you always have to consider that someone may attack you by setting off the booby-trap and then supplying the program with, say, a buffer overflow which will compromise your security. this is why tcp_wrappers ships with the safe_finger program for you to use in booby-traps since it has likely undergone a better security audit than the finger program on your machine.

On Thu, 28 Jan 1999, Max Vision wrote:
> On Thu, 28 Jan 1999, Erik Parker wrote:
> > So.. Using xlogmaster, anytime it sees "ssh connection attempt" it executes /root/program
> >
> > /root/program contains:
> >
> > tail /var/log/messages | grep -i "ssh connection attempt from" |awk '{print $10}'|xargs nmap -O >> /root/nmaplog
>
> First to answer your questions, to get the actual fingerprint use -d. As for the append option, use >>.
>
> Now to address your "/root/program" script... there are several problems that I would hate to see you run into. What if there are, say, five connections to your ssh port, each right after the other, thus fitting into the last ten lines of /var/log/messages (which is what tail grabs by default). This would cause your program, on the fifth catch, to have run a full portscan against a host(s) 15 times.
>
> Not that I would condone the use of your script above, but one way to at least limit scanning to just one host would be to change it to:
>
> tail /var/log/messages |grep -i "ssh connection atte"|awk '{print $10}'|\
>   tail -1|xargs nmap -O -sS -p 22,25,53,80,139 >> /root/nmaplog
>
> Note that I also suggest adding a port range since that will catch and ID like 99% of the hosts out there.
>
> Good luck!
> Max
--
Lamont Granquist                                  lamontg () raven genome washington edu
Dept. of Molecular Biotechnology                  (206)616-5735  fax: (206)685-7344
Box 352145 / University of Washington / Seattle, WA 98195
PGP pubkey: finger lamontg () raven genome washington edu | pgp -fka
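The choking Lamont describes (a per-host budget plus a global budget, a log line whenever the trap is held back, and a bounded log so the trap cannot fill the disk) as an added POSIX sh example; this is not code from the thread or from nmap, and the state directory, window and limits are assumed values.

```shell
#!/bin/sh
# Throttle gate for a log-triggered response script (constructed example).
# Before the trap fires back at a host, check a per-host and a global budget
# over a sliding window, log every throttled event, and keep that log bounded.
STATE_DIR="${STATE_DIR:-${TMPDIR:-/tmp}/trap-throttle.$$}"   # assumed location
WINDOW=3600           # seconds over which responses are counted
PER_HOST_MAX=1        # responses allowed per host per window
GLOBAL_MAX=5          # responses allowed across all hosts per window
LOG_MAX_BYTES=65536   # rotate the throttle log once it reaches this size

# log_throttled HOST REASON: append one line; rotate so the log cannot fill the disk.
log_throttled() {
  mkdir -p "$STATE_DIR"
  log="$STATE_DIR/throttle.log"
  if [ -f "$log" ]; then
    size=$(wc -c < "$log" | tr -d ' ')
    [ "$size" -ge "$LOG_MAX_BYTES" ] && mv -f "$log" "$log.1"   # keep one old copy only
  fi
  printf '%s throttled %s: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" >> "$log"
}

# should_respond HOST [NOW]: return 0 if a response is allowed now, 1 if throttled.
# NOW (epoch seconds) defaults to the current time; tests can inject it.
should_respond() {
  host=$1
  now=${2:-$(date +%s)}
  events="$STATE_DIR/events"
  mkdir -p "$STATE_DIR"
  touch "$events"
  # The host string is lifted from a log line an attacker influences: accept only
  # dotted-quad shaped input so nothing odd reaches the response command.
  case $host in
    ""|*[!0-9.]*) log_throttled "$host" "rejected malformed host"; return 1 ;;
  esac
  # Forget events that fell out of the window.
  awk -v now="$now" -v w="$WINDOW" '$1 > now - w' "$events" > "$events.tmp" \
    && mv -f "$events.tmp" "$events"
  host_n=$(awk -v h="$host" '$2 == h { n++ } END { print n + 0 }' "$events")
  total_n=$(awk 'END { print NR + 0 }' "$events")
  if [ "$host_n" -ge "$PER_HOST_MAX" ]; then
    log_throttled "$host" "per-host limit ($host_n in last ${WINDOW}s)"; return 1
  fi
  if [ "$total_n" -ge "$GLOBAL_MAX" ]; then
    log_throttled "$host" "global limit ($total_n in last ${WINDOW}s)"; return 1
  fi
  printf '%s %s\n' "$now" "$host" >> "$events"   # record the response we are about to send
  return 0
}
# In the trap script: should_respond "$host" && <response command> "$host"
```

A spoofed trigger now costs the attacker one response per host per hour and at most five per hour overall, and every refusal leaves a timestamped line to alert on.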