Solved

Tracking an IP destination on Solaris 9

Posted on 2004-09-09
Last Modified: 2013-12-27
Hi,

Any idea how to track an incoming IP on Solaris 9?

Thanks
K.T.Chan
Question by:ktchanhelp
15 Comments
 
LVL 40

Expert Comment

by:jlevie
ID: 12019511
What information are you after?
 

Author Comment

by:ktchanhelp
ID: 12019548
Hi,

I need to keep tracking which area an incoming IP comes from, also from what time to what time, and also what services it is using.

Thanks
K.T.Chan
 
LVL 40

Expert Comment

by:jlevie
ID: 12020213
A sniffer trace on that IP would yield that information. It might be difficult to tell exactly what the remote user is doing, but you would be able to see what services they use by port numbers.
 

Author Comment

by:ktchanhelp
ID: 12020235
hi,

What are the steps to do it on Solaris 9?

Thanks
K.T.Chan
 
LVL 40

Expert Comment

by:jlevie
ID: 12020391
As root, 'snoop host IP' will work. There are a number of other things you can do with snoop (capture to a file, fancier filters, etc.). See 'man snoop' for details.
 
LVL 18

Expert Comment

by:liddler
ID: 12024515
For simple things like ftp and telnet that are spawned from inetd, run inetd -s -t and this will log to /var/adm/messages.
 

Author Comment

by:ktchanhelp
ID: 12026353
Hi,

How do I log an IP on a system?

Thanks
K.T.Chan
 
LVL 18

Expert Comment

by:liddler
ID: 12033269
As jlevie says, use snoop and redirect all traffic to a log, then use awk / sed / cut to parse the log file
or
use inetd -s -t for traffic inbound via inetd
or
look at the command last for logins
or
install the Sun firewall SunScreen; this will prevent anything other than authorised inbound connections and has an 'ok' logging system.

Can you explain exactly what you want if none of the above help?
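Putting jlevie's snoop suggestion and liddler's inetd -t and log-parsing suggestions together, here is an added example that is not part of the thread and was not posted by either expert. It is a POSIX sh script that answers the three original questions (which services, from when to when, which IP) from two sources: a snoop capture decoded in summary mode with absolute timestamps (snoop -t a), and the lines inetd -t writes to /var/adm/messages. The address 192.0.2.50, the host name solaris9 and all sample lines are constructed; the exact inetd log layout is an assumption and should be checked against a real /var/adm/messages.

```shell
#!/bin/sh
# Added example, not from the thread: summarize what one remote IP is doing
# to a Solaris 9 host from two sources.
#   1. a snoop capture decoded in summary mode (run as root):
#        snoop -t a -o /var/tmp/cap.snoop host 192.0.2.50     # capture to a file
#        snoop -t a -i /var/tmp/cap.snoop > /var/tmp/cap.txt  # decode it to text
#   2. the lines that 'inetd -t' writes to /var/adm/messages
# Usage:  sh track_ip.sh 192.0.2.50 /var/tmp/cap.txt /var/adm/messages
# With no arguments it runs against the constructed sample data below.
# The address 192.0.2.50, the host name solaris9 and every sample line are
# constructed; the inetd log layout is assumed, check it against your own log.

# Per destination port used by $1: first seen, last seen, packet count.
# Only packets with the remote IP on the left of "->" (sent by it) count.
# Summary-mode lines look like:
#   17:42:36.12345 192.0.2.50 -> solaris9 TCP D=23 S=1034 Syn Seq=100 ...
# Lines snoop decodes at the application layer (TELNET, FTP, ...) carry no
# D= field and are skipped; every connection still shows up via its SYN.
snoop_summary() {
    awk -v ip="$1" '
        {
            arrow = 0
            for (i = 1; i <= NF; i++) if ($i == "->") { arrow = i; break }
            if (arrow == 0 || $(arrow - 1) != ip) next
            proto = $(arrow + 2); port = ""
            for (i = arrow + 3; i <= NF; i++) if ($i ~ /^D=/) { port = substr($i, 3); break }
            if (port == "") next
            ts = "-"
            for (i = 1; i < arrow - 1; i++)
                if ($i ~ /^[0-9][0-9]?:[0-9][0-9]:[0-9][0-9]/) { ts = $i; break }
            key = proto "/" port
            if (!(key in first)) first[key] = ts
            last[key] = ts; count[key]++
        }
        END { for (key in count) printf "%s %s %s %d\n", key, first[key], last[key], count[key] }
    ' | sort
}

# Date, time and service for each inetd-spawned connection from $1.
# Assumed line layout (Solaris syslog plus inetd -t):
#   Sep 14 17:42:36 solaris9 inetd[183]: [ID 317013 daemon.notice] telnet[2041] from 192.0.2.50 1034
inetd_hits() {
    awk -v ip="$1" '
        /inetd\[[0-9]+\]:/ && index($0, "from " ip " ") > 0 {
            for (i = 2; i <= NF; i++) if ($i == "from") { svc = $(i - 1); break }
            sub(/\[.*/, "", svc)            # telnet[2041] -> telnet
            print $1, $2, $3, svc
        }
    '
}

# Constructed sample data (not a real capture or log).
SAMPLE_SNOOP='17:42:36.12345 192.0.2.50 -> solaris9 TCP D=23 S=1034 Syn Seq=100 Len=0 Win=8760
17:42:36.12890 solaris9 -> 192.0.2.50 TCP D=1034 S=23 Syn Ack=101 Seq=500 Len=0 Win=24820
17:42:36.13002 192.0.2.50 -> solaris9 TCP D=23 S=1034 Ack=501 Seq=101 Len=0 Win=8760
17:42:38.00110 192.0.2.50 -> solaris9 TELNET C port=1034
17:45:02.55000 192.0.2.50 -> solaris9 TCP D=21 S=1035 Syn Seq=200 Len=0 Win=8760
17:45:02.60000 192.0.2.50 -> solaris9 UDP D=514 S=1036 LEN=40'

SAMPLE_MESSAGES='Sep 14 17:42:36 solaris9 inetd[183]: [ID 317013 daemon.notice] telnet[2041] from 192.0.2.50 1034
Sep 14 17:43:10 solaris9 sshd[2050]: Accepted password for root from 192.0.2.51 port 40001 ssh2
Sep 14 17:45:02 solaris9 inetd[183]: [ID 317013 daemon.notice] ftp[2060] from 192.0.2.50 1035
Sep 14 17:45:30 solaris9 inetd[183]: [ID 317013 daemon.notice] telnet[2070] from 192.0.2.99 1100'

if [ "$#" -eq 3 ]; then
    echo "== services used by $1 (proto/port first-seen last-seen packets) =="
    snoop_summary "$1" < "$2"
    echo "== inetd connections from $1 (date time service) =="
    inetd_hits "$1" < "$3"
else
    echo "== constructed sample: services used by 192.0.2.50 =="
    printf '%s\n' "$SAMPLE_SNOOP" | snoop_summary 192.0.2.50
    echo "== constructed sample: inetd connections from 192.0.2.50 =="
    printf '%s\n' "$SAMPLE_MESSAGES" | inetd_hits 192.0.2.50
fi
```

Two caveats a practitioner should keep in mind: snoop only sees traffic that reaches the interface it is listening on, so it has to run on the target host or on a port that mirrors the target's traffic; and the inetd trace only covers services inetd spawns (telnet, ftp, rsh and the like), not daemons such as sshd that bind their own sockets, which is why the sshd line in the sample is deliberately ignored.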
 
LVL 10

Expert Comment

by:Nukfror
ID: 12037960
Take a look at snort and add SnortSnarf on to it.

Also take a look at ntop, which has various graphs showing "traffic", under which you can indicate specific IPs to watch.
 

Author Comment

by:ktchanhelp
ID: 12043094
Hi,

Snort with the SnortSnarf add-on is a solution I found. Any step-by-step guide to install it on Solaris 9 64-bit?

Thanks
K.T.Chan
 
LVL 10

Expert Comment

by:Nukfror
ID: 12045131
It's not hard, kinda tedious though. Snort is nothing more than a packet sniffer. SnortSnarf just reads snort packet dumps. Now that I think about it, if you are looking to pin down what a specific IP address is doing, Snort/SnortSnarf might be overkill but should work fine. NTOP might be a better solution.

But anyway, my Snort/SnortSnarf config is currently shut down; I moved from TX to VA and haven't gone back to get it working again. I keep meaning to set this back up.

I had two machines involved:

- One doing the snort collecting. I got the most current rules from snort.org and ran snort against those. You can set up your own rules if you wish to watch for specific things. This was an OpenBSD server which no longer exists :( - hardware finally died on me. My switch was configured to set up an I-can't-remember-what-it's-called port that has all traffic for a specific VLAN getting pushed to it. This OpenBSD server was plugged into that interface. Installing Snort is easy: simply install the package. Then go to snort.org and get the latest rules configuration files.
- The other server did the snortsnarf'ing; this was behind my firewall. It pulled the snort logs from the snort server using rsync and chewed on them. The following crontab entries were used to generate the SnortSnarf web pages:

###################################################
#
# Run snortsnarf.ksh to generate SnortSnarf report
#
##0,15,30,45 1-23 * * * /usr/local/scripts/snortsnarf.ksh 1>/dev/null 2>&1
##30 1 * * * /usr/local/scripts/snortsnarf.ksh DIRSCAN
#
# Delete any directory at the level of:
#    /usr/local/www/docroot-secure/pentover/snort-daily-reports
# that is 30+ days old.  Stuff in:
#    /usr/local/www/docroot-secure/pentover/snort-daily
# will get deleted because OpenBSD is doing same thing on its side and
# pushing via rsync the directory with --delete enabled.  So files
# automagically get deleted on Solaris side.
#
##0 2 * * * find /usr/local/www/docroot-secure/pentover/snort-daily-reports -name "2*-snortsnarf" -type d -mtime +30 -exec rm -rf {} \;

/usr/local/scripts/snortsnarf.ksh looks like this:

#!/bin/ksh
#
# Generate SnortSnarf HTML reports from the rsync'd Snort alert/portscan logs.
#   snortsnarf.ksh          - rebuild the rolling report from the current logs
#   snortsnarf.ksh DIRSCAN  - build one report per YYYYMMDD daily directory
#                             that does not yet have an index.html

if [ "${1}" = "DIRSCAN" ]; then

   cd /usr/local/snortsnarf || exit 1
   DATA_PATH=/usr/local/apache/htdocs-secure/pentover/snort-daily
   REPORT_PATH=/usr/local/apache/htdocs-secure/pentover/snort-daily-reports
   #
   # While not specifically looking for this, the egrep below should be
   # parsing for dates in format of YYYYMMDD.
   #
   for DIR in $( ls -1 "${DATA_PATH}" | egrep "^20.*[0-9]$" )
   do

      # Skip days that already have a report
      if [ -f "${REPORT_PATH}/${DIR}-snortsnarf/index.html" ]; then
         :
      else
         cd "${DATA_PATH}/${DIR}" || continue
         HTML_PATH=${REPORT_PATH}/${DIR}-snortsnarf
         URL_PATH=https://chivas.oneill.dhs.org/pentover/snort-daily-reports/${DIR}-snortsnarf
         # snortsnarf needs the same rules file that produced the alerts
         RULES_FILE=${DATA_PATH}/${DIR}/snort.conf
         ALERT_FILE=${DATA_PATH}/${DIR}/alert
         PORTSCAN_FILE=${DATA_PATH}/${DIR}/portscan
         /usr/local/bin/perl /usr/local/snortsnarf/snortsnarf.pl -d "${HTML_PATH}" -ldir "${URL_PATH}" -color=rotate -rulesfile "${RULES_FILE}" "${ALERT_FILE}" "${PORTSCAN_FILE}"
      fi
   done

else

   cd /usr/local/snortsnarf || exit 1

   # Rolling report over the current alert and portscan logs
   /usr/local/bin/perl /usr/local/snortsnarf/snortsnarf.pl -d /usr/local/apache/htdocs-secure/pentover/snort-snarf -ldir https://chivas.oneill.dhs.org/pentover/snort -color=rotate -rulesfile /usr/local/apache/htdocs-secure/pentover/snort/snort.conf -rulesdir /usr/local/apache/htdocs-secure/pentover/snort /usr/local/apache/htdocs-secure/pentover/snort/alert /usr/local/apache/htdocs-secure/pentover/snort/portscan

fi

The /usr/local/snortsnarf directory contains the snortsnarf package. I know this is kinda *NOT HELPFUL* but it might get you started on the concept of setting up Snort/SnortSnarf.
 
LVL 10

Expert Comment

by:Nukfror
ID: 12045167
Oh, one more thing. If you look at my script that creates the SnortSnarf logs, snortsnarf needs to see the rules that were used to generate the Snort output logs. So on the OpenBSD server, I always copied the snort rules used into the directory that was rsync'd over to my Solaris server.
 

Author Comment

by:ktchanhelp
ID: 12052702
Hi,

I tried to install ntop, but am facing the problem below:
# ntop
Tue Sep 14 17:42:36 2004  ntop will be started as user nobody
Tue Sep 14 17:42:36 2004  ntop v.3.0 SourceForge .tgz MT (SSL)
Tue Sep 14 17:42:36 2004  Configured on Jun 15 2004  3:24:59, built on Jun 15 2004 03:27:44.
Tue Sep 14 17:42:36 2004  Copyright 1998-2004 by Luca Deri <deri@ntop.org>
Tue Sep 14 17:42:36 2004  Get the freshest ntop from http://www.ntop.org/
Tue Sep 14 17:42:36 2004  Initializing ntop
Tue Sep 14 17:42:36 2004  Checking hme0 for additional devices
Tue Sep 14 17:42:36 2004  Resetting traffic statistics for device hme0
Tue Sep 14 17:42:36 2004  DLT: Device 0 [hme0] is 1, mtu 1514, header 14
Tue Sep 14 17:42:36 2004  Initializing gdbm databases
Tue Sep 14 17:42:36 2004  Now running as requested user 'nobody' (60001:60001)
Tue Sep 14 17:42:36 2004  **FATAL_ERROR** ....open of /usr/local/var/ntop/prefsCache.db failed: File write error
Tue Sep 14 17:42:36 2004  1. Is another instance of ntop running?
Tue Sep 14 17:42:36 2004  2. Make sure that the use you specified can write in the target directory

Thanks
K.T.Chan
 

Author Comment

by:ktchanhelp
ID: 12055902
Hi,

The above problem I have already solved. By the way, when I start ntop it just stops at a prompt, and I can't use my browser to access ntop.

Please advise?

Thanks
K.T.Chan
 
LVL 10

Accepted Solution

by:
Nukfror earned 1000 total points
ID: 12058479
Not sure what you mean ... so you fixed the file permissions issue right ?

Not sure what you mean by "by the way when I start a ntop. my just stop in a prompt. any I can't use my browse to access nTop."
