Penetration Testing mailing list archives

RE: Port Scanner Reports


From: "Richard Zaluski" <rzaluski () ivolution ca>
Date: Wed, 2 Nov 2005 08:42:32 -0500

I have done much the same thing using UNIX-based tools such as nmap and the
diff command to footprint network services and compare reports.  We scripted
it to notify us of any changes to the footprint files of the services on
subnets / servers we targeted to be part of the process.

We also used the same tool to monitor our router configurations each day
for any changes. Each day our script would run and pull the previous config
file and compare it to the current configuration running on the router.

With a little imagination you can do a lot of things such as baseline
network services.  We did find rogue services by the way.

It worked great ... Good luck Daniel, I'd be interested in seeing your final
product.

Richard Zaluski
CISO, Security and Infrastructure Services 
iVOLUTION  Technologies Incorporated
905.309.1911
866.601.4678
www.ivolution.ca
rzaluski () ivolution ca

-----Original Message-----
From: Ian [mailto:pentest () fishnet co uk] 
Sent: Tuesday, November 01, 2005 5:15 AM
To: pen-test () securityfocus com
Subject: Re: Port Scanner Reports

On 30 Oct 2005 at 11:19, Daniel Miessler wrote:

<snip>

A friend and I are writing a tool to do this right now; it's called 
netdiff, and if you'd like to be part of the test group, drop me an 
email. We're still coding it but should have something relatively 
shortly.

The focus of our tool is finding both changed hosts *and* changed 
ports -- so if you have new systems pop up it'll show you, and if you 
have new ports pop up on existing systems, it'll show you those as
well.

Hi Daniel,

Is it anything to do with this from Engarde?

http://ftp.engardelinux.org/pub/engarde/people/pax/netdiff/

<Quote>
NetDiff is a network reporting tool written in perl that runs nmap portscans
of a specified network or networks and stores the results to a MySQL
database. It can then report the differences between successive scans,
giving administrators a snapshot view of recent changes on their network.
This report is very useful for network maintenance and monitoring, it will
automatically let you know when:
o A new host is added to the network.
o A host is shut down or disconnected from the network.
o A service has stopped running.
o A new service port has been opened.
Additionally, if version and OS scanning is enabled, the report will list
those differences as well, telling you if:
o A server daemon was upgraded or patched.
o The host's operating system was upgraded or changed.
</Quote>

Regards

Ian
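
The baseline comparison discussed in this thread (scan, store, compare against the previous report, flag changes), as an added example that is not code from either poster or from NetDiff. It assumes nmap grepable (-oG) reports taken without version detection; the sample reports are constructed and the function names are illustrative.

```python
"""Diff two nmap grepable (-oG) reports: hosts and open ports added or removed."""

# Constructed sample reports using documentation addresses (not real scan output).
BASELINE = """\
# Nmap scan report (constructed sample)
Host: 192.0.2.10 (web01)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///
Host: 192.0.2.20 (db01)\tPorts: 22/open/tcp//ssh///, 3306/open/tcp//mysql///
"""
CURRENT = """\
# Nmap scan report (constructed sample)
Host: 192.0.2.10 (web01)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 6667/open/tcp//irc///
Host: 192.0.2.30 ()\tPorts: 23/open/tcp//telnet///, 80/closed/tcp//http///
"""

def parse_grepable(text):
    """Return {host_ip: {(port, proto): service}} counting only 'open' ports."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: ") or "Status: Down" in line:
            continue  # skip comments and hosts reported as down
        fields = line.split("\t")
        ports = hosts.setdefault(fields[0].split()[1], {})
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(","):
                # entry layout: port/state/proto/owner/service/rpcinfo/version/
                parts = entry.strip().split("/")
                if len(parts) >= 5 and parts[1] == "open":
                    ports[(int(parts[0]), parts[2])] = parts[4]
    return hosts

def diff_scans(old, new):
    """Compare two parsed scans; report host and port changes."""
    changes = {"new_hosts": sorted(set(new) - set(old)),
               "gone_hosts": sorted(set(old) - set(new)),
               "opened": [], "closed": []}
    for ip in sorted(set(old) & set(new)):
        for port in sorted(set(new[ip]) - set(old[ip])):
            changes["opened"].append((ip, *port, new[ip][port]))
        for port in sorted(set(old[ip]) - set(new[ip])):
            changes["closed"].append((ip, *port, old[ip][port]))
    return changes

if __name__ == "__main__":
    report = diff_scans(parse_grepable(BASELINE), parse_grepable(CURRENT))
    for kind, items in report.items():
        for item in items:
            print(kind, item)  # a scheduled job would mail this output instead
```

Ports on a newly seen host are not listed under "opened"; they are available from the parsed current scan for that host.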