Security Basics mailing list archives

RE: Monitor connected IP's


From: "James Derieg" <jderieg () atmedicausa com>
Date: Wed, 3 Nov 2004 15:51:18 -0700

Try ActivePorts.
http://www.protect-me.com/freeware.html

-----Original Message-----
From: H Carvey [mailto:keydet89 () yahoo com] 
Sent: Wednesday, November 03, 2004 5:14 AM
To: security-basics () securityfocus com
Subject: Re: Monitor connected IP's

In-Reply-To: <20041102120429.31300.qmail () mail securityfocus com>

Tony,

Does anyone know of a tool or script that I can run against my Windows
servers to detect IPs connected to my servers that are out of my LAN
range.
Something easier than running netstat against each server individually?

Well, outside of running tcpdump/windump on the subnet with filters in
place, I'm not entirely clear on how you're going to get the info you want
without netstat.  The suggestion of using PortReporter would work, but for
the most part, I think it would really depend on how often you want
something like this.

One way to go about this would be to create a Perl script that used
psexec.exe from SysInternals.com to launch netstat.exe on a regular basis,
dumping the output to your local console (Perl would only have to be
installed on your console system).  Use Perl to parse through the netstat
output, automagically filtering out the stuff you don't want.

Another option, if you don't want "real-time", is to use the logs inherent
to the applications you've got on the servers.  I know the FTP and IIS logs
record IP addresses.

There are several ways to go about this, all depending upon what your
requirements are...

H. Carvey 
Windows Forensics and Incident Recovery
http://www.windows-ir.com
http://groups.yahoo.com/group/windowsir/
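
The netstat-parsing step H. Carvey describes, as an added example that is not part of the original thread: it uses Python rather than the Perl the post suggests, runs on a constructed `netstat -an` sample, and leaves out the psexec collection step. The function names and the 192.168.10.0/24 LAN range are assumptions.

```python
import ipaddress

# Constructed sample of Windows `netstat -an` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.10.5:80        192.168.10.44:1042     ESTABLISHED
  TCP    192.168.10.5:80        203.0.113.77:3921      ESTABLISHED
  TCP    192.168.10.5:21        198.51.100.9:4410      TIME_WAIT
  TCP    127.0.0.1:1030         127.0.0.1:1031         ESTABLISHED
  TCP    [::1]:445              [::1]:49160            ESTABLISHED
  UDP    192.168.10.5:137       *:*
"""

def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr%zone]:port' into (addr, port)."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]").split("%")[0], port

def outside_lan(netstat_text, lan_cidrs):
    """Return (proto, local, foreign, state) rows whose peer is outside every LAN range."""
    lans = [ipaddress.ip_network(c) for c in lan_cidrs]  # assumed LAN ranges
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "TCP":
            continue  # headers, blank lines, and UDP rows (no peer, no state)
        proto, local, foreign, state = fields[:4]
        if state == "LISTENING":
            continue  # a listening socket has no remote peer yet
        try:
            peer = ipaddress.ip_address(split_endpoint(foreign)[0])
        except ValueError:
            continue  # not an address we can classify
        if peer.is_loopback or peer.is_unspecified:
            continue
        if not any(peer.version == n.version and peer in n for n in lans):
            hits.append((proto, local, foreign, state))
    return hits

if __name__ == "__main__":
    for row in outside_lan(SAMPLE_NETSTAT, ["192.168.10.0/24"]):
        print("%-4s %-22s %-22s %s" % row)
```

TIME_WAIT and other non-listening states are reported along with ESTABLISHED, so recently closed connections from outside the range still show up.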
