To be honest I didn't do a thorough Google search, but a simple search didn't get me something simple, free and open source, so I decided to make one of my own.
The premises were:
1. If the software stops unexpectedly, there must not be a half-finished port scan left in the database, because that would create false alerts.
2. If the software stops unexpectedly, the next run should resume with the IP that was being scanned and keep the same order.
3. It must be possible to add new IPs without restarting the software and without the hassle of connecting to the database.
4. Every scan detail must be stored.
The premises are quite simple.
This script can be used by companies that want to continually audit and monitor their public IPs. They can cross-reference the data with tickets or with configuration management.
It can also be used by consultants, so they can monitor their clients' networks. And of course it can be used by attackers, or by people looking for entry points and vulnerabilities for a bug bounty.
I used the Ruby language, with the library "ruby-nmap" to manage nmap scans.
Every scan produces an XML output file that is stored in the output folder.
The script is very simple, and probably not very beautiful, so it's easy to modify (I believe).
The code is here.
Considerations:
1. It's better to use an external server for the scanning, to be sure that there aren't odd firewall rules that show different results. An example would be an EC2 instance.
2. If you have an IPS and/or a firewall with IPS features, make sure to add the scanner IP to the whitelist, otherwise the IPS will block the scan and the results will show ports as filtered.
3. Nmap is run with its default timing template (-T3); using more aggressive timings can introduce false positives.
4. By default it scans ports: 1-65535.
Limitations:
1. Right now it just scans 1 IP at a time, so if your pool of IPs is very big, a full cycle can take a long time.
2. The tool reports only port state changes, not changes in the software banner or fingerprint; this keeps the tool simple and reduces false positives.
3. Output files are stored in the folder "xml"; over time this folder can get very big.
4. Log files are in the "log" folder, and they are rotated daily.
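Limitation 2 is the heart of the tool: compare the port states of two consecutive scans of one IP and report only what changed. The following is an added example (not the script's own code) of that comparison over two constructed nmap XML runs, using only the REXML parser from the Ruby standard library; one detail that is easy to get wrong is that a port missing from a run is in that run's extraports state, not "unknown".

```ruby
require 'rexml/document'

# Constructed sample: two minimal nmap XML runs of the same host, in the shape
# the script stores in its xml folder (extraports = state of every unlisted port).
OLD_XML = <<XML
<nmaprun><host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<extraports state="closed" count="65533"/>
<port protocol="tcp" portid="22"><state state="open"/></port>
<port protocol="tcp" portid="80"><state state="open"/></port>
</ports></host></nmaprun>
XML

NEW_XML = <<XML
<nmaprun><host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<extraports state="closed" count="65532"/>
<port protocol="tcp" portid="22"><state state="open"/></port>
<port protocol="tcp" portid="80"><state state="filtered"/></port>
<port protocol="tcp" portid="3306"><state state="open"/></port>
</ports></host></nmaprun>
XML

# Returns [{"22/tcp" => "open", ...}, default_state] for the first host in the run.
def parse_ports(xml)
  doc = REXML::Document.new(xml)
  extra = doc.elements['//ports/extraports']
  default = extra ? extra.attributes['state'] : 'closed'
  ports = {}
  doc.elements.each('//ports/port') do |p|
    key = "#{p.attributes['portid']}/#{p.attributes['protocol']}"
    ports[key] = p.elements['state'].attributes['state']
  end
  [ports, default]
end

# A port absent from a run is in that run's extraports state, so an entry that
# disappears between scans is compared against the default, not ignored.
def diff_ports(old_xml, new_xml)
  old_ports, old_default = parse_ports(old_xml)
  new_ports, new_default = parse_ports(new_xml)
  keys = (old_ports.keys | new_ports.keys).sort_by { |k| k.split('/').first.to_i }
  changes = keys.map do |key|
    before = old_ports.fetch(key, old_default)
    after  = new_ports.fetch(key, new_default)
    { port: key, from: before, to: after } if before != after
  end.compact
  # If the extraports state itself changed (e.g. closed -> filtered), every
  # unlisted port changed, usually a firewall change; report it as one event.
  changes << { port: '*', from: old_default, to: new_default } if old_default != new_default
  changes
end

diff_ports(OLD_XML, NEW_XML).each { |c| puts "#{c[:port]}: #{c[:from]} -> #{c[:to]}" }
```

With the sample above the output is two lines, 80/tcp going from open to filtered and 3306/tcp going from closed to open, which is exactly what the diff.log of the tool is meant to capture.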
How to make it work:
This code was run with Ruby 2.1.2 on Ubuntu 14.04.
The Library for using nmap is:
https://github.com/sophsec/ruby-nmap
These are the required dependencies:
sudo apt-get install mysql-server mysql-client
sudo apt-get install libmysqlclient-dev
sudo apt-get install nmap
sudo apt-get install zlib1g-dev
gem install rprogram
gem install nokogiri
gem install ruby-nmap
gem install dbi
gem install mysql
gem install dbd-mysql
gem install mandrill-api
gem install mail
After Ruby is working, you must create the database with the file database.sql.
Before running the script you need to configure:
1. the database name, IP (usually localhost), username, and password. Line
2. e-mail settings, "from@gmail.com" (Line 246).
3. if you want to send e-mails with Mandrill, you need to get an API key and replace it where it says 'madrill-api-key' (Line 146).
You will also need to change the parameters for e-mail.
Someday I'll include a config file, in order to make this easier.
As nmap needs elevated privileges, you need to run the script with sudo:
sudo ruby port_monitor.rb
Logs are rotated daily, but XML files will pile up with time.
log/activity.log - everything is logged
log/diff.log - just logs port status changes
In hosts.txt you can add new IPs, one IP per line. CIDR notation or any other range notation is not supported.
After a scan finishes, the script will process the hosts.txt file and rename it hosts.txt.processed.
Let me know if it works, and if there is anything you would change or add.