Re: Re^3: Low Level Network Connections

OK... I need to explain why I am doing this, I think this will help everyone out.

Background-
Our current hosting platform is hosted and maintained internally. We recently extended our hosting platform/WAN to all locations, which makes 9 unique IP blocks - each with their own router and firewalls (2). Our admins and operations group is known for throwing out servers (Unreal, ftp etc.) without running them through security or architecture.
Problem-
In order to monitor this, our security policy was amended to clearly outlaw this type of activity. The controls are from diverse groups (Security & Architecture). Security is to monitor the internally managed IP blocks for any host that responds on any port, includng non-standard ports from an external source. That means this script needs to scan every possible host on every possible port (including non-standard) on a scheduled basis, noting any deviations from the controlled baseline.

I was able to run a scan using a tool called IP-Tools on a single block and maintain the baseline without much hassle. However, this tool took 1.5 hours on a dial-up connection.
Given that the number of connects across our new block with all ports is 39714210, you can see that if I can reduce the communication traffic from 7 to 3 frames, that would be a significant decrease in processing time and network traffic.
I tested NMAP, however am not an expert. I did see, however, that my configuration scanned 2503 ports, I need to scan 65K.
I did, however, find a piece of C code that does a syn scan and think that I can extend it to do what I need it to do, however, would rather use PERL.

Edit by myocom: Removed superfluous code tags and fixed formatting

Comment on Re: Re^3: Low Level Network Connections

Replies are listed 'Best First'.
Re^5: Low Level Network Connections by tadman (Prior) on Mar 05, 2002 at 18:14 UTC
What you are probably seeing is that NMAP is only scanning "popular" ports by default. You can tell it to scan everything if you want by using the -p option, such as: `% nmap 1.2.3.0/24 -p1-65535` Since people don't normally run "interesting" services on most ports, they aren't scanned by default. If you have control over the upstream, as in, all the WAN connections funnel through a single connection to the Internet, you might want to use libpcap to tally up traffic and look for this kind of thing. With a bit of effort, you could probably configure Snort to do the job of looking for "unauthorized" servers, provided you can express that sort of thing in the config file. Perl might help here, to generate the rules text. Snort is actually better because if the deviants on your network discover how you are ratting them out, they could get clever and block your IP. When you scan them, everything could look OK, but in fact they are merrily running a 32 player Unreal server shielded from view. If the traffic is on the network, Snort can find it. In a switched environment you just need RMON support, but virtually every switch supports this for diagnostics. Either way, once you get your raw data from NMAP, or Snort, or even Perl itself, the next step is to turn it into useful reports, no?	[reply] [d/l]

Replies are listed 'Best First'.

Re^5: Low Level Network Connections
by tadman (Prior) on Mar 05, 2002 at 18:14 UTC

% nmap 1.2.3.0/24 -p1-65535

Snort

[reply]
[d/l]