Security Basics mailing list archives
Re: Monitor connected IP's
From: H Carvey <keydet89 () yahoo com>
Date: 3 Nov 2004 12:14:20 -0000
In-Reply-To: <20041102120429.31300.qmail () mail securityfocus com>

Tony,

> Does anyone know of a tool or script that I can run against my windows servers to detect ip's connected to my servers that are out of my lan range. Something easier than running netstat against each server individually?

Well, outside of running tcpdump/windump on the subnet with filters in place, I'm not entirely clear on how you're going to get the info you want without netstat. The suggestion of using PortReporter would work, but for the most part, I think it would really depend on how often you want something like this.

One way to go about this would be to create a Perl script that used psexec.exe from SysInternals.com to launch netstat.exe on a regular basis, dumping the output to your local console (Perl would only have to be installed on your console system). Use Perl to parse through the netstat output, automagically filtering out the stuff you don't want.

Another option, if you don't want "real-time", is to use the logs inherent to the applications you've got on the servers. I know the FTP and IIS logs record IP addresses.

There are several ways to go about this, all depending upon what your requirements are...

H. Carvey
Windows Forensics and Incident Recovery
http://www.windows-ir.com
http://groups.yahoo.com/group/windowsir/
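The netstat-parsing step suggested in the reply above, as an added example that is not part of the original post or its author's code: it reads Windows `netstat -an` rows per server and keeps only TCP connections whose remote address falls outside the LAN range. The LAN range, the server name SRV01 and the sample rows are constructed assumptions; only IPv4 TCP rows are handled.

```perl
#!/usr/bin/perl
# Added example: list netstat connections whose remote end is outside the LAN.
use strict;
use warnings;

my $LAN = '192.168.1.0/24';    # assumed LAN range; change to your own

# Dotted quad -> 32-bit integer; returns undef for anything that is not IPv4.
sub ip2int {
    my @o = $_[0] =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/ or return;
    return if grep { $_ > 255 } @o;
    return ($o[0] << 24) | ($o[1] << 16) | ($o[2] << 8) | $o[3];
}

# True when $ip lies inside $cidr (for example 192.168.1.0/24).
sub in_cidr {
    my ($ip, $cidr) = @_;
    my ($net, $bits) = split m{/}, $cidr;
    my $mask = $bits ? (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF : 0;
    my ($i, $n) = (scalar ip2int($ip), scalar ip2int($net));
    return defined $i && defined $n && ($i & $mask) == ($n & $mask);
}

# Return one report line per TCP connection with a remote address outside $lan.
sub outside_lan {
    my ($server, $lan, @lines) = @_;
    my @hits;
    for (@lines) {
        # Row layout: Proto  Local:port  Foreign:port  State
        next unless /^\s*TCP\s+(\S+):(\d+)\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+(\S+)/;
        my ($laddr, $lport, $raddr, $rport, $state) = ($1, $2, $3, $4, $5);
        next if $state eq 'LISTENING';                  # no remote peer yet
        next if $raddr =~ /^127\./ || in_cidr($raddr, $lan);
        push @hits, "$server local=$laddr:$lport remote=$raddr:$rport $state";
    }
    return @hits;
}

# Constructed sample output, standing in for netstat run on each server.
my %sample = (
    'SRV01' => [ split /\n/, <<'EOT' ],
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:80        203.0.113.45:51234     ESTABLISHED
  TCP    192.168.1.10:445       192.168.1.22:1045      ESTABLISHED
  TCP    192.168.1.10:3389      198.51.100.7:4402      TIME_WAIT
EOT
);

for my $server (sort keys %sample) {
    # Live use (assumption): my @lines = `psexec \\\\$server netstat -an`;
    print "$_\n" for outside_lan($server, $LAN, @{ $sample{$server} });
}
```

netstat is a point-in-time snapshot, so short-lived connections between runs are missed; the application logs mentioned in the reply cover that gap.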