Chapter 9. Tool: Network Monitor

In the realm of cybersecurity, early detection of adversarial activity is key to remediating it. One such detection technique is to monitor your network for new or unexpected network services (i.e., open ports). This can be accomplished entirely by using the command line.

In this chapter, we create a tool to monitor for changes in open ports on systems throughout a network. Requirements for the tool are as follows:

  1. Read in a file containing IP addresses or hostnames.

  2. For each host in the file, perform a network port scan to determine open ports.

  3. Save the port scan output to a file that will be named using the current date.

  4. When the script is run again, it will perform the port scan and then compare the results to the last-saved result and highlight any changes to the screen.

  5. Automate the script to run on a daily basis and email the system administrator if any changes occur.
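The following script is an added example of how those five requirements fit together in POSIX shell; it is not the book's own monitor script. It assumes nmap is installed and that each day's results are saved as scan_YYYYMMDD.txt in the working directory, one "host port/proto" line per open port. The function names (scan_host, compare_scans, highlight_changes, main) are this example's own. Changed ports are printed only when there is a difference, and the exit status is 2 in that case.

```bash
#!/bin/sh
# Added example: daily open-port change monitor (not the book's own script).
# Assumes nmap is installed; scan results are saved as scan_YYYYMMDD.txt in
# the current directory, one "host port/proto" line per open port.

# Scan one host with nmap and normalise its greppable output (-oG) to
# "host port/proto" lines, one per open port. Assumption: nmap is on PATH.
scan_host() {
    nmap -Pn --open -oG - "$1" 2>/dev/null |
    awk -v h="$1" '/Ports:/ {
        sub(/.*Ports: /, "")              # keep only the Ports: field ...
        sub(/\t.*/, "")                   # ... up to the next tab-separated field
        n = split($0, p, ", ")            # entries look like 22/open/tcp//ssh///
        for (i = 1; i <= n; i++) {
            split(p[i], f, "/")
            if (f[2] == "open") print h, f[1] "/" f[3]
        }
    }'
}

# Compare two saved scans. Prints "- host port/proto" for ports that were
# open last time but not now, and "+ host port/proto" for newly open ports.
# comm(1) needs sorted input, so both files are sorted into temp copies first.
compare_scans() {
    so=$(mktemp) && sn=$(mktemp) || return 1
    sort -u "$1" > "$so"
    sort -u "$2" > "$sn"
    comm -23 "$so" "$sn" | sed 's/^/- /'   # only in old scan: closed since
    comm -13 "$so" "$sn" | sed 's/^/+ /'   # only in new scan: newly open
    rm -f "$so" "$sn"
}

# Colour change lines for the terminal: newly open ports red (the case a
# defender cares most about), closed ports green. Reads change lines on stdin.
highlight_changes() {
    awk '/^\+/ { printf "\033[31m%s\033[0m\n", $0; next }
         /^-/  { printf "\033[32m%s\033[0m\n", $0; next }
         { print }'
}

# Read hosts from the file given as $1, scan them into today's file, and
# diff against the most recent earlier scan. Returns 2 when anything changed
# so a cron job or wrapper script can act on it.
main() {
    hostfile="$1"
    [ -r "$hostfile" ] || { echo "usage: $0 hostfile" >&2; return 1; }
    today="scan_$(date +%Y%m%d).txt"
    # Date-based names sort chronologically, so the last one is the newest.
    prev=$(ls scan_*.txt 2>/dev/null | grep -v -x "$today" | sort | tail -n 1)
    : > "$today"
    while read -r host; do
        case "$host" in ''|'#'*) continue ;; esac   # skip blanks and comments
        scan_host "$host" >> "$today"
    done < "$hostfile"
    if [ -z "$prev" ]; then
        echo "No previous scan found; baseline saved to $today"
        return 0
    fi
    changes=$(compare_scans "$prev" "$today")
    [ -n "$changes" ] || return 0        # silent when nothing changed
    echo "Open-port changes since $prev:"
    printf '%s\n' "$changes" | highlight_changes
    return 2
}

# Only run the monitor when a host file is given, so the functions can also be
# sourced and exercised on their own.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Because the script prints nothing when nothing changed, a cron entry such as `0 6 * * * /path/to/monitor.sh /path/to/hosts.txt` (with MAILTO set in the crontab) covers the fifth requirement: cron mails any output to the address in MAILTO, so the administrator receives a message only on days with open-port changes.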

Note

This can also be accomplished using the Nmap Ndiff utility, but for instructional purposes, we are implementing the functionality by using bash. For more information on Ndiff, see the Ndiff page at nmap.org.

Commands in Use

In this chapter, we introduce the crontab and schtasks commands.

crontab

The crontab command allows you to edit the cron table on a Linux system. The cron table is used to schedule tasks to run commands at a particular time or interval.

Common command options

-e
    Edit the cron table

-l
    List the current cron table

-r
    Remove the current ...
