Nmap Development mailing list archives

Tool to analyse nmap output (when scanning internal systems)


From: Daniel Cid <danielcid () yahoo com br>
Date: Wed, 12 Jul 2006 00:35:19 -0300 (ART)

Hi nmap-dev,

Sorry for this slightly off topic message, but this
may be useful for the people using nmap to map their
internal hosts. I just added to ossec (open source
hids project) a plugin to parse nmap grepable
outputs. If you scan your network looking for new
hosts
or new open ports, it can automate some of your work
(I couldn't find any other tool that does that). In
the future, I plan to use this information to improve
correlation with IDS alerts and other logs.

Some examples of events that ossec will generate on new
hosts or when any host changes:


2006 Jul 04 20:21:53 /var/log/nmap-out.log
Rule: 15 (level 8) -> 'New host information added.'
Host: 192.168.2.10, open ports: 21(tcp) 22(tcp)
80(tcp) 113(tcp) 514(udp) 1514(udp) 4500(udp)

2006 Jul 04 20:23:03 /var/log/nmap-out.log
Rule: 15 (level 8) -> 'Host information changed.'
Host: 192.168.2.1, open ports: 54(udp) 8080(tcp)
161(udp) 520(udp) 1025(udp) 1900(udp)
Previously open ports: 53(udp) 80(tcp) 161(udp)
520(udp) 1025(udp) 1900(udp)


If you are interested, download the latest version of
ossec:

http://www.ossec.net/files/ossec-hids-0.8-6.tar.gz

And after the install, configure it to read your
nmap output file (step by step below):

1- Add the nmap output file on ossec.conf (generally
   at /var/ossec/etc/ossec.conf):
<ossec_config>
  <localfile>
    <log_format>nmapg</log_format>
    <location>/var/log/nmap-out.log</location>
  </localfile>
</ossec_config>


2- If the file does not exist, touch it:
ossec-test# touch /var/log/nmap-out.log


3- Restart ossec:
ossec-test# /var/ossec/bin/ossec-control restart


4- Run your nmap scans (example scanning
192.168.2.0/24 network):
ossec-test# nmap --append_output -sU -sT -oG
/var/log/nmap-out.log 192.168.2.0-255


*btw, I just added it, so if you try it, let me know
of any problem, error, etc...

Thanks again,

--
Daniel B. Cid
dcid ( at ) ossec.net
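To show what the plugin described in the post is doing, here is an added example (not ossec's code and not from the original message) that parses nmap grepable (-oG) lines from an appended log, keeps the last known open-port set per host, and emits the same two kinds of events: new host and changed host. The log text, the version string and the timestamps are constructed sample data; treating "open|filtered" as open is an assumption.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: two scan runs appended to one -oG file, as the
# <localfile> entry in the post would read it. Each "Ports:" field holds
# comma-separated port/state/proto/owner/service/rpcinfo/version entries.
SAMPLE_LOG = """# Nmap 4.11 scan initiated Tue Jul  4 20:21:50 2006 as: nmap -sU -sT -oG /var/log/nmap-out.log 192.168.2.0-255
Host: 192.168.2.1 ()\tStatus: Up
Host: 192.168.2.1 ()\tPorts: 53/open/udp//domain///, 80/open/tcp//http///, 161/open/udp//snmp///\tIgnored State: closed (1000)
Host: 192.168.2.10 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 514/open|filtered/udp//syslog///\tIgnored State: closed (1000)
# Nmap run completed
# Nmap 4.11 scan initiated Tue Jul  4 20:23:00 2006 as: nmap -sU -sT -oG /var/log/nmap-out.log 192.168.2.0-255
Host: 192.168.2.1 ()\tPorts: 53/closed/udp//domain///, 161/open/udp//snmp///, 8080/open/tcp//http-proxy///\tIgnored State: closed (999)
Host: 192.168.2.10 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 514/open|filtered/udp//syslog///\tIgnored State: closed (1000)
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)")

def parse_ports(field: str) -> Set[str]:
    """Return the 'port(proto)' entries whose state is open (or open|filtered)."""
    ports = set()
    for entry in field.split(","):
        parts = entry.strip().split("/")
        if len(parts) < 3:
            continue
        port, state, proto = parts[0], parts[1], parts[2]
        if state.startswith("open"):   # assumption: open|filtered counts as open
            ports.add(f"{port}({proto})")
    return ports

def process(log_text: str) -> List[Tuple[str, str, Set[str], Set[str]]]:
    """Replay lines in order; return (kind, host, open_now, open_before) events."""
    state: Dict[str, Set[str]] = {}
    events = []
    for line in log_text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue   # "# Nmap ..." comment lines and blanks
        host = m.group(1)
        # Remaining tab-separated fields look like "Ports: ..." / "Status: Up"
        fields = dict(f.split(": ", 1) for f in line.split("\t")[1:] if ": " in f)
        if "Ports" not in fields:
            continue   # a bare "Status: Up" line carries no port information
        now = parse_ports(fields["Ports"])
        before = state.get(host)
        if before is None:
            events.append(("new", host, now, set()))
        elif now != before:
            events.append(("changed", host, now, before))
        state[host] = now
    return events

if __name__ == "__main__":
    for kind, host, now, before in process(SAMPLE_LOG):
        print(f"{kind}: Host: {host}, open ports: {' '.join(sorted(now))}")
        if kind == "changed":
            print(f"  Previously open ports: {' '.join(sorted(before))}")
```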





_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev

