Security Basics mailing list archives

Re: Port watching tool


From: Jeff Lane <crash () pinehurst net>
Date: Fri, 22 Aug 2003 16:58:32 -0400

Thanks for the suggestions...

The earlier suggestion of PortDetective.com is not what I was looking for... hope I wasn't too confusing! portdetective.com looks to me (without having installed their client side software, which is not documented at all on their website (so I am hesitant to even install it)) like it is basically a web based port scanner... I have nmap for that...

Active Ports only shows one connection to port 25 (which I am trying to monitor) but netstat shows about 250 (about 50 show as ACTIVE, and the rest show as either TIME_WAIT or CLOSE_WAIT) and those are the ones that concern me...

I am finding certain IPs (thanks I believe to the sobig virus) to be generating large numbers of SMTP connections to the server, and when I find them with netstat, they are mostly in one of the wait states.

So the idea was to have something alert me when there were more than X number of connections from any single IP or in any single state, and since I am not a programmer, I have little hope of doing that one on my own... <grin>

Good example: I am seeing three distinct IPs from AT&T blocks that have about 100 connections to port 25 on my mail server. Most of these are in the TIME_WAIT or CLOSE_WAIT status.

I had considered black-listing the individual IPs locally, but that may not be a good idea, since I may or may not be able to tell if these IPs are dynamically allocated or static...

Jeff
im Clare wrote:
---------- Original Message ----------------------------------
From: Jeff Lane <crash () pinehurst net>
Date:  Fri, 22 Aug 2003 14:07:13 -0400


Hello,

I have just a simple question... I have been searching around the net for software to watch the ports on a Win2K machine but am not turning anything up that would be useful to me, so I thought I would ask here...

Could someone point me to a tool that will or can do the following:

A: monitor ports on a Win2K server

www.devhood.com/tools/tool_details.aspx?tool_id=515 download and install. It's a cool little free program that will do this.

B: specifically monitor a certain port or range of ports

go to www.grc.com and run the shields up test.

--
Jeffrey Lane, RHCE
Systems Administrator
ConnectNC, Inc
DSL and Web hosting: http://www.connectnc.com
List your child-related organization Online!  http://www.sandhillskids.com
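As an added example (not code from the thread or from any tool mentioned in it), the kind of check Jeff describes: parse `netstat -n` output from the mail server, count connections to port 25 per remote IP and per TCP state, and flag anything over a threshold. The netstat sample, the IP addresses and the thresholds are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of Windows `netstat -n` output (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.0.2.10:25          198.51.100.7:3412      ESTABLISHED
  TCP    192.0.2.10:25          198.51.100.7:3413      TIME_WAIT
  TCP    192.0.2.10:25          198.51.100.7:3414      TIME_WAIT
  TCP    192.0.2.10:25          198.51.100.7:3415      CLOSE_WAIT
  TCP    192.0.2.10:25          203.0.113.44:1025      ESTABLISHED
  TCP    192.0.2.10:80          198.51.100.7:3500      ESTABLISHED
  TCP    192.0.2.10:25          203.0.113.9:2201       TIME_WAIT
"""

# One TCP line: proto, local ip:port, remote ip:port, state.
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

def parse_netstat(text, local_port=25):
    """Yield (remote_ip, state) for each TCP line on the given local port."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank and UDP lines are skipped
        _local_ip, lport, remote_ip, _rport, state = m.groups()
        if int(lport) == local_port:
            yield remote_ip, state

def count_connections(text, local_port=25):
    """Return (per_ip, per_state) Counters for connections to local_port."""
    per_ip, per_state = Counter(), Counter()
    for remote_ip, state in parse_netstat(text, local_port):
        per_ip[remote_ip] += 1
        per_state[state] += 1
    return per_ip, per_state

def find_alerts(text, local_port=25, ip_threshold=3, state_threshold=2):
    """Return one alert string per IP or state that exceeds its threshold."""
    per_ip, per_state = count_connections(text, local_port)
    alerts = []
    for ip, n in per_ip.most_common():
        if n > ip_threshold:
            alerts.append(f"ip {ip}: {n} connections to port {local_port}")
    for state, n in per_state.most_common():
        if n > state_threshold:
            alerts.append(f"state {state}: {n} connections to port {local_port}")
    return alerts

if __name__ == "__main__":
    # On the server, feed real `netstat -n` output in place of the sample.
    for alert in find_alerts(SAMPLE_NETSTAT):
        print("ALERT", alert)
```

Run it from a scheduled task against `netstat -n` output and raise the thresholds to whatever is normal for the server; a busy IP in TIME_WAIT or CLOSE_WAIT is worth looking at, but not proof of anything on its own.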