Re: Port watching tool

From: Jeff Lane (crash_at_pinehurst.net)
Date: 08/22/03

    Date: Fri, 22 Aug 2003 16:58:32 -0400
    To: jeempc@ittoolbox.com, security-basics@securityfocus.com


    Thanks for the suggestions...

    The earlier suggestion of PortDetective.com is not what I was looking
    for... hope I wasn't too confusing! portdetective.com looks to me
    (without having installed their client-side software, which is not
    documented at all on their website, so I am hesitant to even install
    it) like it is basically a web-based port scanner... I have nmap
    for that...

    Active Ports only shows one connection to port 25 (which I am trying to
    monitor) but netstat shows about 250 (about 50 show as ACTIVE, and the
    rest show as either TIME_WAIT or CLOSE_WAIT) and those are the ones that
    concern me...

    I am finding certain IPs (thanks, I believe, to the Sobig virus) to be
    generating large numbers of SMTP connections to the server, and when I
    find them with netstat, they are mostly in one of the wait states.

    So the idea was to have something alert me when there were more than X
    number of connections from any single IP or in any single state, and
    since I am not a programmer, I have little hope of doing that one on my
    own... <grin>

    Good example: I am seeing three distinct IPs from AT&T blocks that have
    about 100 connections to port 25 on my mail server. Most of these are
    in the TIME_WAIT or CLOSE_WAIT status.

    I had considered black-listing the individual IPs locally, but that may
    not be a good idea, since I may or may not be able to tell if these IPs
    are dynamically allocated or static...

    Jeff
    Jim Clare wrote:
    > ---------- Original Message ----------------------------------
    > From: Jeff Lane <crash@pinehurst.net>
    > Date: Fri, 22 Aug 2003 14:07:13 -0400
    >
    >
    >>Hello,
    >>
    >>I have just a simple question... I have been searching aroud the net for
    >>software to watch the ports on a Win2K machine but am not turning
    >>anything up that would be useful to me, so I thought I would ask here...
    >>
    >>Could someone point me to a tool that will or can do the following:
    >
    >
    >>A: monitor ports on a Win2K server
    >
    >
    > www.devhood.com/tools/tool_details.aspx?tool_id=515 download and install. It's a cool little free program that will do this.
    >
    >
    >>B: specifically monitor a certain port or range of ports
    >
    >
    > go to www.grc.com and run the shields up test.
    >
    >
    >
    >
    >

    -- 
    Jeffrey Lane, RHCE
    Systems Administrator
    ConnectNC, Inc
    DSL and Web hosting: http://www.connectnc.com
    List your child-related organization Online!  http://www.sandhillskids.com
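One way to get the per-IP and per-state alerting Jeff describes above (more than X connections from a single remote IP, or more than X in a single TCP state, on port 25) without a dedicated tool is to parse the output of `netstat -an` yourself. The script below is an added example written for this page; it is not code from the original post, from Active Ports, or from any other tool mentioned in the thread. The thresholds, the port 25 filter, and the sample netstat lines are assumptions constructed for illustration; the line layout follows the Windows `netstat -an` format (Proto / Local Address / Foreign Address / State). It also shows that the AT&T case (three IPs with around 100 connections each, mostly in wait states) is caught by the same counters.

```python
"""
Added example (not from the original post or from any tool it mentions).
Parse Windows ``netstat -an`` output and alert when one remote IP, or one
TCP state, exceeds a threshold for a given local port.  Thresholds, the
port filter and the sample data are assumptions chosen for illustration.
"""
import re
import subprocess
from collections import Counter

# One "netstat -an" TCP line: proto, local ip:port, foreign ip:port, state.
NETSTAT_LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def parse_netstat(text):
    """Return a list of (local_port, remote_ip, state) for every TCP
    connection line.  Headers, UDP lines and LISTENING sockets (foreign
    address 0.0.0.0:0, not a connection) are skipped."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        _local_ip, local_port, remote_ip, _remote_port, state = m.groups()
        if state == "LISTENING":
            continue
        conns.append((int(local_port), remote_ip, state))
    return conns


def summarize(conns, port):
    """Count connections to `port` per remote IP and per TCP state."""
    per_ip, per_state = Counter(), Counter()
    for local_port, remote_ip, state in conns:
        if local_port != port:
            continue
        per_ip[remote_ip] += 1
        per_state[state] += 1
    return per_ip, per_state


def alerts(conns, port=25, max_per_ip=50, max_per_state=50):
    """Return one message per remote IP or per state over its threshold.
    The defaults are assumed values, not figures from the original post."""
    per_ip, per_state = summarize(conns, port)
    out = []
    for ip, n in per_ip.most_common():
        if n > max_per_ip:
            out.append(f"port {port}: {n} connections from {ip} (limit {max_per_ip})")
    for state, n in per_state.most_common():
        if n > max_per_state:
            out.append(f"port {port}: {n} connections in {state} (limit {max_per_state})")
    return out


def sample_netstat():
    """Constructed sample in Windows netstat -an layout (not real data):
    three remote IPs hitting port 25, mostly in TIME_WAIT / CLOSE_WAIT."""
    lines = [
        "",
        "Active Connections",
        "",
        "  Proto  Local Address          Foreign Address        State",
        "  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING",
        "  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING",
    ]
    for ip, n in (("203.0.113.10", 60), ("203.0.113.11", 55), ("203.0.113.12", 3)):
        for i in range(n):
            state = "TIME_WAIT" if i % 2 else "CLOSE_WAIT"
            lines.append(f"  TCP    192.0.2.5:25           {ip}:{40000 + i}        {state}")
    lines.append("  TCP    192.0.2.5:80           198.51.100.7:5120      ESTABLISHED")
    lines.append("  UDP    0.0.0.0:53             *:*")
    return "\n".join(lines)


def live_netstat():
    """Run netstat -an on the local host (Windows or Unix) and return its text."""
    return subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Replace sample_netstat() with live_netstat() to watch the real host;
    # schedule the script (e.g. with the Task Scheduler) and act on non-empty output.
    for msg in alerts(parse_netstat(sample_netstat())):
        print(msg)
```

Two caveats worth keeping in mind when reading the counts: TIME_WAIT entries are the normal tail of a connection that has already been closed and expire on their own, so they cost little beyond table space, whereas a pile of CLOSE_WAIT entries means the remote side has closed but the local SMTP service has not yet closed its end of the socket. Because the script keys on the remote IP alone, it behaves the same whether that IP is static or dynamically allocated; it only tells you that the address is noisy right now, which is all a threshold alert can say.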
    
