Security Basics mailing list archives

Re: Monitor connected IP's


From: H Carvey <keydet89 () yahoo com>
Date: 3 Nov 2004 12:14:20 -0000

In-Reply-To: <20041102120429.31300.qmail () mail securityfocus com>

Tony,

> Does anyone know of a tool or script that I can run against my windows
> servers to detect ip's connected to my servers that are out of my lan range.
> Something easier than running netstat against each server individually?

Well, outside of running tcpdump/windump on the subnet with filters in place, I'm not entirely clear on how you're 
going to get the info you want without netstat.  The suggestion of using PortReporter would work, but for the most 
part, I think it would really depend on how often you want something like this.

One way to go about this would be to create a Perl script that used psexec.exe from SysInternals.com to launch 
netstat.exe on a regular basis, dumping the output to your local console (Perl would only have to be installed on your 
console system).  Use Perl to parse through the netstat output, automagically filtering out the stuff you don't want.

Another option, if you don't want "real-time", is to use the logs inherent to the applications you've got on the 
servers.  I know the FTP and IIS logs record IP addresses.

There are several ways to go about this, all depending upon what your requirements are...

H. Carvey 
Windows Forensics and Incident Recovery
http://www.windows-ir.com
http://groups.yahoo.com/group/windowsir/
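The collect-and-filter procedure Carvey outlines above (run netstat on each server, pull the output back to a console, discard anything inside the LAN range), as an added example that is not part of the original post. It is written in Python rather than the Perl he suggests, and runs offline against a constructed sample of Windows `netstat -an` output; the psexec command builder, the server name `SRV01`, and the LAN range `192.168.1.0/24` are assumptions for illustration.

```python
"""Filter Windows 'netstat -an' output down to foreign endpoints outside the LAN.

Added example, not code from the original post. The netstat sample below is
constructed; in practice the text would come from psexec running netstat on
each server (see collect_netstat, which assumes psexec.exe is on PATH and the
caller has admin rights on the target).
"""
import ipaddress
import re
import subprocess

# Constructed sample in the layout Windows netstat -an produces.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       192.168.1.55:1034      ESTABLISHED
  TCP    192.168.1.10:445       192.168.1.77:2190      ESTABLISHED
  TCP    192.168.1.10:3389      203.0.113.45:51022     ESTABLISHED
  TCP    192.168.1.10:49155     198.51.100.7:443       TIME_WAIT
  TCP    127.0.0.1:5357         127.0.0.1:49201        ESTABLISHED
  TCP    [::1]:445              [2001:db8::5]:50000    ESTABLISHED
  UDP    0.0.0.0:500            *:*
  UDP    192.168.1.10:137       *:*
"""

# proto, local endpoint, foreign endpoint, optional state (UDP rows have none)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def psexec_netstat_command(server):
    """Command line to run netstat -an on a remote host via SysInternals psexec."""
    return ["psexec.exe", "\\\\" + server, "netstat", "-an"]


def collect_netstat(server):
    """Run netstat on the remote server and return its stdout (needs psexec.exe)."""
    result = subprocess.run(psexec_netstat_command(server),
                            capture_output=True, text=True, check=True)
    return result.stdout


def split_endpoint(endpoint):
    """Split 'addr:port' into (addr, port); strips IPv6 brackets like '[::1]:445'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def parse_netstat(text):
    """Return (proto, laddr, lport, faddr, fport, state) tuples for each socket row."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner and column-header lines
        proto, local, foreign, state = m.groups()
        laddr, lport = split_endpoint(local)
        faddr, fport = split_endpoint(foreign)
        rows.append((proto, laddr, lport, faddr, fport, state or ""))
    return rows


def fmt_endpoint(ip, port):
    """Render an address/port pair, bracketing IPv6 addresses."""
    return f"[{ip}]:{port}" if ip.version == 6 else f"{ip}:{port}"


def foreign_outside_lan(text, lan_ranges):
    """Sockets whose foreign address is a real peer not inside any LAN range."""
    nets = [ipaddress.ip_network(r) for r in lan_ranges]
    hits = []
    for proto, laddr, lport, faddr, fport, state in parse_netstat(text):
        if faddr in ("*", ""):
            continue  # UDP wildcard, no peer
        try:
            ip = ipaddress.ip_address(faddr)
        except ValueError:
            continue  # not an IP literal; ignore
        if ip.is_unspecified or ip.is_loopback:
            continue  # listeners (0.0.0.0:0 / [::]:0) and local-only traffic
        if any(ip in n for n in nets):
            continue  # inside the LAN, not interesting
        hits.append((proto, f"{laddr}:{lport}", fmt_endpoint(ip, fport), state))
    return hits


if __name__ == "__main__":
    for proto, local, remote, state in foreign_outside_lan(SAMPLE_NETSTAT, ["192.168.1.0/24"]):
        print(f"{proto:4} {local:22} {remote:24} {state}")
```

Wrapping `collect_netstat` in a loop over a server list and writing the hits to a file gives the scheduled console-side report the post describes; the filter deliberately keeps TIME_WAIT and other non-ESTABLISHED rows, since a recently closed connection to an outside address is exactly what a one-shot netstat would otherwise miss.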
