Using Nmap::Parser to check for suspicious new services

Using multiple instances of Nmap::Parser is extremely useful for auditing/monitoring the network policy (ohh noo! it's that 'P' word!). In this example, a set of hosts was scanned previously for TCP services and the results were saved as Nmap XML in base_image.xml. We now scan the same hosts again and report any TCP ports that are open now but were not open in the base image (a good way to look for suspicious new services). Easy security compliance detection (ooh noo! the 'C' word too!).

One caveat before trusting the output: the comparison only means something if both scans use the same scan type and port range. If base_image.xml came from a default scan and the current run scans all ports (-p-), every open port outside the default list shows up as "new". Produce the baseline with nmap's XML output option, e.g. nmap -sT -oX base_image.xml <targets>, and pass the same arguments to the current scan.

use strict;
use warnings;
use Nmap::Parser;

# Placeholders: set these to your nmap binary, the same arguments used to
# produce base_image.xml, and the hosts to scan.
my $nmap_exe  = 'nmap';
my $nmap_args = '-sT -p-';
my @ips       = ('192.168.1.10', '192.168.1.11');

my $base = Nmap::Parser->new;
my $curr = Nmap::Parser->new;

$base->parsefile('base_image.xml');                # load previous state
$curr->parsescan($nmap_exe, $nmap_args, @ips);     # scan current hosts

for my $ip ($curr->get_ips) {
    my $ip_curr = $curr->get_host($ip);
    my $ip_base = $base->get_host($ip);

    # A host missing from the baseline is treated as having had no open
    # ports, so everything it exposes now is reported as new.
    my %was_open = ();
    if ($ip_base) {
        $was_open{$_} = 1 for $ip_base->tcp_open_ports;
    }

    # Ports open now that were not open in the baseline. This is a plain
    # set difference: a port that was open before and is closed now must
    # not be reported as "new", which a symmetric difference would do.
    my @diff = grep { !$was_open{$_} } $ip_curr->tcp_open_ports;

    next unless @diff;
    print "$ip has these new ports open: ", join(',', @diff), "\n";

    for my $port (@diff) {
        my $svc  = $ip_curr->tcp_service($port);
        my $name = ($svc && defined $svc->name) ? $svc->name : 'unknown';
        print "  $port seems to be $name\n";
    }
}
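As an added example (not the original post's code), here is the same comparison run offline against two constructed Nmap XML snapshots fed to Nmap::Parser's parse() method, so the logic can be exercised without a live scan. It goes a step beyond the one-directional check above: besides ports that are newly open, the hypothetical helper snapshot_drift() also reports ports that were open in the baseline but are closed now, and hosts that were not in the baseline at all. The IP addresses, ports, services and XML are made up for the demonstration; in the baseline 192.168.1.10 has 22/tcp and 80/tcp open, while in the current snapshot it has 22/tcp and 443/tcp open and a new host 192.168.1.11 exposes 3389/tcp.

```perl
use strict;
use warnings;
use Nmap::Parser;

# Constructed nmap XML for the demonstration (not real scan output).
# Baseline: 192.168.1.10 with 22/tcp and 80/tcp open.
my $base_xml = <<'XML';
<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sT -p- -oX base_image.xml 192.168.1.10" start="1" startstr="then" version="7.94" xmloutputversion="1.05">
<scaninfo type="connect" protocol="tcp" numservices="65535" services="1-65535"/>
<host starttime="1" endtime="2">
<status state="up" reason="syn-ack"/>
<address addr="192.168.1.10" addrtype="ipv4"/>
<hostnames/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="ssh" method="table" conf="3"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="http" method="table" conf="3"/></port>
</ports>
</host>
<runstats><finished time="2" timestr="then" elapsed="1"/><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
XML

# Current: 192.168.1.10 lost 80/tcp and gained 443/tcp; 192.168.1.11 is a
# host the baseline never saw, with 3389/tcp open.
my $curr_xml = <<'XML';
<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sT -p- -oX - 192.168.1.10 192.168.1.11" start="3" startstr="now" version="7.94" xmloutputversion="1.05">
<scaninfo type="connect" protocol="tcp" numservices="65535" services="1-65535"/>
<host starttime="3" endtime="4">
<status state="up" reason="syn-ack"/>
<address addr="192.168.1.10" addrtype="ipv4"/>
<hostnames/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="ssh" method="table" conf="3"/></port>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="https" method="table" conf="3"/></port>
</ports>
</host>
<host starttime="3" endtime="4">
<status state="up" reason="syn-ack"/>
<address addr="192.168.1.11" addrtype="ipv4"/>
<hostnames/>
<ports>
<port protocol="tcp" portid="3389"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="ms-wbt-server" method="table" conf="3"/></port>
</ports>
</host>
<runstats><finished time="4" timestr="now" elapsed="1"/><hosts up="2" down="0" total="2"/></runstats>
</nmaprun>
XML

# Hypothetical helper: compare two parsed snapshots and return, per host in
# the current scan, the TCP ports newly open, the ports closed since the
# baseline, and whether the host was absent from the baseline.
sub snapshot_drift {
    my ($base, $curr) = @_;
    my %report;
    for my $ip ($curr->get_ips) {
        my $curr_host = $curr->get_host($ip);
        my $base_host = $base->get_host($ip);
        my %was_open = $base_host ? (map { $_ => 1 } $base_host->tcp_open_ports) : ();
        my %is_open  = map { $_ => 1 } $curr_host->tcp_open_ports;
        my @new    = sort { $a <=> $b } grep { !$was_open{$_} } keys %is_open;
        my @closed = sort { $a <=> $b } grep { !$is_open{$_} }  keys %was_open;
        $report{$ip} = {
            new_host => ($base_host ? 0 : 1),
            new      => \@new,
            closed   => \@closed,
        };
    }
    return \%report;
}

my $base = Nmap::Parser->new;
my $curr = Nmap::Parser->new;
$base->parse($base_xml);   # in real use: $base->parsefile('base_image.xml')
$curr->parse($curr_xml);   # in real use: $curr->parsescan(...)

my $report = snapshot_drift($base, $curr);
for my $ip (sort keys %$report) {
    my $r = $report->{$ip};
    print "$ip was not in the baseline at all\n" if $r->{new_host};
    for my $port (@{ $r->{new} }) {
        my $svc  = $curr->get_host($ip)->tcp_service($port);
        my $name = ($svc && defined $svc->name) ? $svc->name : 'unknown';
        print "$ip: new open port $port/tcp ($name)\n";
    }
    print "$ip: $_/tcp was open in the baseline but is closed now\n"
        for @{ $r->{closed} };
}
```

Reporting closed ports as well as new ones is worth the extra lines: a service that disappears is not a security problem by itself, but it is a sign that the host changed, and on a box that is supposed to be frozen that is exactly the kind of drift the baseline exists to catch. Once a change has been reviewed and accepted, regenerate base_image.xml with the same nmap arguments so the next run compares against the approved state.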