Nmap Development mailing list archives
Tool to analyse nmap output (when scanning internal systems)
From: Daniel Cid <danielcid () yahoo com br>
Date: Wed, 12 Jul 2006 00:35:19 -0300 (ART)
Hi nmap-dev,

Sorry for this slightly off-topic message, but this may be useful for the people using nmap to map their internal hosts. I just added to ossec (open source HIDS project) a plugin to parse nmap grepable outputs. If you scan your network looking for new hosts or new open ports, it can automate some of your work (I couldn't find any other tool that does that). In the future, I plan to use this information to improve correlation with IDS alerts and other logs.

Some examples of the events that ossec will generate on new hosts or when any host changes:

2006 Jul 04 20:21:53 /var/log/nmap-out.log
Rule: 15 (level 8) -> 'New host information added.'
Host: 192.168.2.10, open ports: 21(tcp) 22(tcp) 80(tcp) 113(tcp) 514(udp) 1514(udp) 4500(udp)

2006 Jul 04 20:23:03 /var/log/nmap-out.log
Rule: 15 (level 8) -> 'Host information changed.'
Host: 192.168.2.1, open ports: 54(udp) 8080(tcp) 161(udp) 520(udp) 1025(udp) 1900(udp)
Previously open ports: 53(udp) 80(tcp) 161(udp) 520(udp) 1025(udp) 1900(udp)

If you are interested, download the latest version of ossec:
http://www.ossec.net/files/ossec-hids-0.8-6.tar.gz

And after the install, configure it to read your nmap output file (step by step below):

1- Add the nmap output file on ossec.conf (generally at /var/ossec/etc/ossec.conf):

<ossec_config>
  <localfile>
    <log_format>nmapg</log_format>
    <location>/var/log/nmap-out.log</location>
  </localfile>
</ossec_config>

2- If the file does not exist, touch it:

ossec-test# touch /var/log/nmap-out.log

3- Restart ossec:

ossec-test# /var/ossec/bin/ossec-control restart

4- Run your nmap scans (example scanning the 192.168.2.0/24 network):

ossec-test# nmap --append_output -sU -sT -oG /var/log/nmap-out.log 192.168.2.0-255

*btw, I just added it, so if you try it, let me know of any problem, error, etc...

Thanks again,

--
Daniel B. Cid
dcid ( at ) ossec.net

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
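As an added illustration of what the plugin described above has to do (this is example code, not code from the post or from ossec), the following parses nmap grepable (-oG) lines, keeps the last known set of open ports per host, and raises "new host" and "host changed" events with the previous port set. The log content is a constructed sample of two appended scans; counting only ports in state exactly "open" is an assumption, not ossec's documented behaviour.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of an -oG file that two runs of nmap have appended to.
SAMPLE_LOG = """\
# Nmap scan initiated (constructed sample, first run)
Host: 192.168.2.1 ()\tStatus: Up
Host: 192.168.2.1 ()\tPorts: 53/open/udp//domain///, 80/open/tcp//http///\tIgnored State: closed (998)
# Nmap done (constructed sample)
# Nmap scan initiated (constructed sample, second run)
Host: 192.168.2.1 ()\tPorts: 80/open/tcp//http///, 8080/open/tcp//http-proxy///\tIgnored State: closed (998)
Host: 192.168.2.10 ()\tPorts: 22/open/tcp//ssh///, 514/open|filtered/udp//syslog///\tIgnored State: closed (998)
"""

# Each entry in a 'Ports:' field is port/state/protocol/owner/service/rpc/version/
PORT_RE = re.compile(r"^(\d+)/([^/]+)/(\w+)/")

def parse_ports(field: str) -> Set[str]:
    """Turn a 'Ports:' field into a set such as {'21(tcp)', '514(udp)'}.
    Assumption: only state 'open' counts, so 'open|filtered' UDP guesses are skipped."""
    ports = set()
    for entry in field.split(","):
        m = PORT_RE.match(entry.strip())
        if m and m.group(2) == "open":
            ports.add(f"{m.group(1)}({m.group(3)})")
    return ports

def process_log(text: str) -> Tuple[Dict[str, Set[str]], List[tuple]]:
    """Walk the file in order and return (state, alerts).
    state maps host -> last seen open ports; each alert is
    (kind, host, open_ports, previously_open_ports)."""
    state: Dict[str, Set[str]] = {}
    alerts: List[tuple] = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # '# Nmap ...' comment lines carry no host data
        # Tab-separated 'Name: value' fields; 'Host' value looks like '192.168.2.1 ()'
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]
        if "Ports" not in fields:
            continue  # a bare 'Status: Up' line lists no ports
        ports = parse_ports(fields["Ports"])
        if host not in state:
            alerts.append(("New host information added", host, ports, set()))
        elif ports != state[host]:
            alerts.append(("Host information changed", host, ports, state[host]))
        state[host] = ports
    return state, alerts
```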
Current thread:
- Tool to analyse nmap output (when scanning internal systems) Daniel Cid (Jul 11)