Monthly Archives: November 2004

Using Nmap-Parser to check for suspicious new services

Using multiple instances of Nmap::Parser is extremely useful in helping audit/monitor the network Policy (ohh noo! it's that ‘P’ word!). In this example, we have a set of hosts that had been scanned previously for TCP services, with the scan's XML output saved in base_image.xml. We now scan the same hosts again and compare whether any new TCP ports have been opened since then (a good way to look for suspicious new services). Easy security Compliance detection. (ooh noo! The ‘C’ word too!).

use strict;
use warnings;
use Nmap::Parser;

# scanner binary, scan arguments and targets (placeholder values; set these for your network)
my $nmap_exe  = 'nmap';
my $nmap_args = '-sT';
my @ips       = qw(192.0.2.10 192.0.2.11);

my $base = Nmap::Parser->new;
my $curr = Nmap::Parser->new;

$base->parsefile('base_image.xml');              # load previous state
$curr->parsescan($nmap_exe, $nmap_args, @ips);   # scan current hosts

for my $ip ($curr->get_ips) {
    my $ip_base = $base->get_host($ip);
    my $ip_curr = $curr->get_host($ip);

    # index the baseline's open ports; a host absent from the baseline
    # has no previously-open ports, so everything open now counts as new
    my %was_open = $ip_base ? (map { $_ => 1 } $ip_base->tcp_open_ports) : ();

    # find ports that are open now but were not open before
    # (a plain set difference: ports that have since closed are not reported)
    my @diff = grep { !$was_open{$_} } $ip_curr->tcp_open_ports;

    print "$ip has these new ports open: " . join(',', @diff) . "\n"
        if @diff;

    for (@diff) {
        print "$_ seems to be ", $ip_curr->tcp_service($_)->name, "\n";
    }
}
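The same baseline-versus-current comparison can be done directly on the XML that nmap writes (the format Nmap::Parser reads). The following is an added example, not code from the original post or from the Nmap::Parser project: it parses two constructed, minimal nmap XML documents with Python's standard library, collects the open TCP ports per host, and reports ports open now that were not open in the baseline. It goes slightly beyond the post's script by treating a host that is absent from the baseline as entirely new and by ignoring ports that have since closed, which the post's symmetric-difference trick would otherwise list as "new". The IP addresses, ports and service names below are constructed sample data.

```python
import xml.etree.ElementTree as ET

# Constructed baseline scan (minimal subset of nmap's XML schema), not a real capture.
BASE_XML = """<?xml version="1.0"?>
<nmaprun>
 <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
   <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
   <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
  </ports></host>
 <host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="25"><state state="open"/><service name="smtp"/></port>
  </ports></host>
</nmaprun>"""

# Constructed current scan: 192.0.2.10 closed 80 and opened 443 and 3389,
# 192.0.2.11 is unchanged, and 192.0.2.12 did not exist in the baseline.
CURR_XML = """<?xml version="1.0"?>
<nmaprun>
 <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
   <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
   <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
   <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
  </ports></host>
 <host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="25"><state state="open"/><service name="smtp"/></port>
  </ports></host>
 <host><status state="up"/><address addr="192.0.2.12" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
  </ports></host>
</nmaprun>"""


def open_tcp_ports(xml_text):
    """Return {ip: {port: service_name}} holding only the open TCP ports per host."""
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ports = {}
        for port in host.findall("ports/port[@protocol='tcp']"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name") if svc is not None else "unknown"
            ports[int(port.get("portid"))] = name
        result[addr.get("addr")] = ports
    return result


def new_open_ports(base, curr):
    """Ports open in curr but not open in base, keyed by host.

    A host missing from the baseline has no previously-open ports, so all of
    its open ports are reported; ports that closed since the baseline are not.
    """
    findings = {}
    for ip, ports in curr.items():
        before = base.get(ip, {})
        new = {p: name for p, name in ports.items() if p not in before}
        if new:
            findings[ip] = new
    return findings


def report(findings):
    """Render findings in the same style as the post's script."""
    lines = []
    for ip in sorted(findings):
        ports = findings[ip]
        lines.append(f"{ip} has these new ports open: " + ",".join(str(p) for p in sorted(ports)))
        for p in sorted(ports):
            lines.append(f"{p} seems to be {ports[p]}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(new_open_ports(open_tcp_ports(BASE_XML), open_tcp_ports(CURR_XML))))
```

In practice you would read the two documents from files written with `nmap -oX`, and keep the baseline under version control so that a legitimate change is recorded as a new baseline rather than silently absorbed.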