RE: Port Scanner Reports

From: Richard Zaluski (rzaluski@ivolution.ca)
Date: Wed Nov 02 2005 - 08:42:32 EST

I have done much the same thing using UNIX based tools such as nmap and the
diff command to footprint network services and compare reports. We scripted
it to notify us of any changes to the footprint files of the services on
subnets / servers we targeted to be part of the process.

We also used the same tool to monitor our router configurations, each day
for any changes. Each day our script would run and pull the previous config
file and compare it to the current configuration running on the router.

With a little imagination you can do a lot of things such as baseline
network services. We did find rogue services by the way.

It worked great ... Good luck Daniel, I'd be interested in seeing your final
product.

Richard Zaluski
CISO, Security and Infrastructure Services
iVOLUTION Technologies Incorporated
905.309.1911
866.601.4678
www.ivolution.ca
rzaluski@ivolution.ca

-----Original Message-----
From: Ian [mailto:pentest@fishnet.co.uk]
Sent: Tuesday, November 01, 2005 5:15 AM
To: pen-test@securityfocus.com
Subject: Re: Port Scanner Reports

On 30 Oct 2005 at 11:19, Daniel Miessler wrote:

<snip>

> A friend and I are writing a tool to do this right now; it's called
> netdiff, and if you'd like to be part of the test group, drop me an
> email. We're still coding it but should have something relatively
> shortly.
>
> The focus of our tool is finding both changed hosts *and* changed
> ports -- so if you have new systems pop up it'll show you, and if you
> have new ports pop up on existing systems, it'll show you those as
> well.

Hi Daniel,

Is it anything to do with this from Engarde?

http://ftp.engardelinux.org/pub/engarde/people/pax/netdiff/

<Quote>
NetDiff is a network reporting tool written in perl that runs nmap portscans
of a specified network
or networks and stores
the results to a MySQL database. It can then report the differences between
successive scans,
giving administrators a
snapshot view of recent changes on their network.
This report is very useful for network maintenance and monitoring, it will
automatically let you
know when:
o A new host is added to the network.
o A host is shut down or disconnected from the network.
o A service has stopped running.
o A new service port has been opened.
Additionally, if version and OS scanning is enabled, the report will list
those differences as well,
telling you if:
o A server daemon was upgraded or patched.
o The hostīs operating system was upgraded or changed.
</Quote>

Regards

Ian 

-- 
----------------------------------------------------------------------------
--
Audit your website security with Acunetix Web Vulnerability Scanner: 
Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for
vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers
do! 
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
----------------------------------------------------------------------------
---
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 
Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:07 EDT