Solved

Tracking an IP destination on Solaris 9

Posted on 2004-09-09
15
351 Views
Last Modified: 2013-12-27
Hi,

Any idea how to track an incoming IP on Solaris 9?

Thanks
K.T.Chan
0
Question by:ktchanhelp
15 Comments
 
LVL 40

Expert Comment

by:jlevie
ID: 12019511
What information are you after?
0
 

Author Comment

by:ktchanhelp
ID: 12019548
Hi,

I need to keep tracking which area an incoming IP comes from, also from what time to what time, and also what services it is using.

Thanks
k.T.Chan
0
 
LVL 40

Expert Comment

by:jlevie
ID: 12020213
A sniffer trace on that IP would yield that information. It might be difficult to tell exactly what the remote user is doing, but you would be able to see what services they use by port numbers.
0
 

Author Comment

by:ktchanhelp
ID: 12020235
hi,

What are the steps to do it on Solaris 9?

Thanks
K.T.Chan
0
 
LVL 40

Expert Comment

by:jlevie
ID: 12020391
As root 'snoop host IP' will work. There are a number of other things you can do with snoop (capture to a file, fancier filters, etc). See 'man snoop' for details.
0
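As an added example (not from the thread), here is a POSIX shell/awk summary of a text snoop trace saved as root with 'snoop -r -t a host IP > /var/tmp/trace.txt', which answers the original question directly: which services (by destination port) the remote host touched, when it was first and last seen, and how many packets it sent. The sample lines are constructed and the exact column layout of snoop's summary output is an assumption, which is why the awk keys on the '->' and 'D=' tokens rather than fixed field numbers.

```shell
#!/bin/sh
# Added example, not from the thread: summarise a text snoop trace.
# Capture as root with:  snoop -r -t a host 10.0.0.5 > /var/tmp/trace.txt
# (-r keeps numeric addresses, -t a prints wall-clock timestamps).

# Constructed sample lines; the real column layout is an assumption, so the
# awk below keys on the "->" and "D=" tokens instead of fixed field numbers.
SAMPLE_TRACE=$(cat <<'EOF'
17:42:36.12345 10.0.0.5 -> 10.0.0.1 TCP D=22 S=49152 Syn Seq=0 Len=0 Win=8760
17:42:36.12890 10.0.0.1 -> 10.0.0.5 TCP D=49152 S=22 Syn Ack=1 Seq=0 Len=0 Win=8760
17:42:37.00100 10.0.0.5 -> 10.0.0.1 TCP D=22 S=49152 Ack=1 Seq=1 Len=48 Win=8760
17:42:50.55000 10.0.0.5 -> 10.0.0.1 UDP D=53 S=49153 LEN=40
17:43:02.00000 10.0.0.5 -> 10.0.0.1 ICMP Echo request (ID: 1 Sequence number: 1)
17:43:10.00000 10.0.0.5 -> 10.0.0.1 TCP D=22 S=49152 Fin Ack=200 Seq=49 Len=0 Win=8760
EOF
)

# snoop_summary [SRC]  - reads snoop summary lines on stdin; if SRC is given,
# only packets sent by that address are counted (replies from the local host
# carry the client's ephemeral port in D= and would muddy the picture).
snoop_summary() {
  awk -v want="$1" '
  {
    src = ""; proto = ""; port = "-"; ts = ""
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]/) ts = $i
      if ($i == "->") { src = $(i - 1); proto = $(i + 2) }
      if ($i ~ /^D=/) port = substr($i, 3)
    }
    if (src == "" || (want != "" && src != want)) next
    key = src " " proto "/" port
    n[key]++
    if (!(key in first)) first[key] = ts
    last[key] = ts
  }
  END {
    for (k in n)
      printf("%s packets=%d first=%s last=%s\n", k, n[k], first[k], last[k])
  }' | sort
}

# On a real capture:  snoop_summary 10.0.0.5 < /var/tmp/trace.txt
printf '%s\n' "$SAMPLE_TRACE" | snoop_summary 10.0.0.5
```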
 
LVL 18

Expert Comment

by:liddler
ID: 12024515
For simple things like ftp & telnet that are spawned from inetd, run inetd -s -t and this will log to /var/adm/messages.
0
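An added example (not from the thread) of pulling the inetd -t connection traces out of /var/adm/messages for one client address, listing each connection with its time and service and then a per-service count. The log line shape is constructed from the usual Solaris syslog layout (date, host, 'inetd[pid]:', message id, 'service[pid] from address port') and should be checked against a real messages file.

```shell
#!/bin/sh
# Added example, not from the thread: list inetd -t connection traces for one
# client address.  Solaris inetd started with -t logs every accepted TCP
# connection through syslog at daemon.notice, which lands in /var/adm/messages.

# Constructed sample; the exact wording of the inetd line is an assumption.
SAMPLE_MESSAGES=$(cat <<'EOF'
Sep 14 17:42:36 sol9 inetd[214]: [ID 317013 daemon.notice] telnet[3051] from 10.0.0.5 49152
Sep 14 17:42:36 sol9 sendmail[220]: [ID 702911 mail.info] starting daemon
Sep 14 17:55:10 sol9 inetd[214]: [ID 317013 daemon.notice] ftp[3077] from 10.0.0.5 49160
Sep 14 18:01:44 sol9 inetd[214]: [ID 317013 daemon.notice] telnet[3090] from 192.168.7.9 40122
Sep 14 18:20:03 sol9 inetd[214]: [ID 317013 daemon.notice] telnet[3102] from 10.0.0.5 49171
EOF
)

# inetd_connections IP  - reads messages on stdin; prints one line per
# connection from IP as "<month> <day> <time> <service> <client-port>",
# followed by "total <service> <count>" lines.
inetd_connections() {
  awk -v want="$1" '
    $5 ~ /^inetd\[/ {
      # the service name is the token before "from", minus its [pid] suffix
      for (i = 6; i <= NF; i++) {
        if ($i == "from" && $(i + 1) == want) {
          svc = $(i - 1); sub(/\[.*$/, "", svc)
          printf("%s %s %s %s %s\n", $1, $2, $3, svc, $(i + 2))
          count[svc]++
        }
      }
    }
    END { for (s in count) printf("total %s %d\n", s, count[s]) }
  '
}

# On a real system:  inetd_connections 10.0.0.5 < /var/adm/messages
printf '%s\n' "$SAMPLE_MESSAGES" | inetd_connections 10.0.0.5
```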
 

Author Comment

by:ktchanhelp
ID: 12026353
Hi,

How do I log an IP on a system?

Thanks
K.T.Chan
0
 
LVL 18

Expert Comment

by:liddler
ID: 12033269
As jlevie says, use snoop and redirect all traffic to a log, then use awk / sed / cut to parse the log file
or
use inetd -s -t for traffic inbound via inetd
or
look at the 'last' command for logins
or
install the Sun firewall SunScreen; this will prevent any other than authorised inbound connections and has an 'ok' logging system.

Can you explain exactly what you want if none of the above help?
0
 
LVL 10

Expert Comment

by:Nukfror
ID: 12037960
Take a look at snort and add on SnortSnarf to it.

Also take a look at ntop, which has various graphs showing "traffic", in which you can indicate specific IPs to watch.
0
 

Author Comment

by:ktchanhelp
ID: 12043094
Hi,

Snort with the SnortSnarf add-on is a solution I found; is there any step-by-step guide to install it on Solaris 9 64-bit?

Thanks
K.T.Chan
0
 
LVL 10

Expert Comment

by:Nukfror
ID: 12045131
It's not hard - kinda tedious though.  Snort is nothing more than a packet sniffer.  SnortSnarf just reads Snort packet dumps.  Now that I think about it, if you are looking to pin down what a specific IP address is doing, Snort/SnortSnarf might be overkill but should work fine.  NTOP might probably be a better solution.

But anyway, my Snort/SnortSnarf config is currently shutdown - moved from TX to VA and haven't gone back to get it working again.  I keep meaning to set this back up.

I had two machines involved:

- One doing the snort collecting.  I got the most current rules from snort.org and ran snort against those.  You can set up your own rules if you wish to watch for specific things.  This was an OpenBSD server which no longer exists :( - hardware finally died on me.  My switch was configured to set up an I-can't-remember-what-its-called port that has all traffic for a specific VLAN getting pushed to it.  This OpenBSD server was pulled into that interface.  Installing Snort is easy - simply install the package.  Then go to snort.org and get the latest rules configuration files.
- The other server did the snortsnarf'ing - this was behind my firewall.  It pulled the snort logs over from the snort server using rsync and chewed on them.  The following crontab entries were used to generate the SnortSnarf web pages:

###################################################
#
# Run snortsnarf.ksh to generate SnortSnarf report
#
##0,15,30,45 1-23 * * * /usr/local/scripts/snortsnarf.ksh 1>/dev/null 2>&1
##30 1 * * * /usr/local/scripts/snortsnarf.ksh DIRSCAN
#
# Delete any directory at the level of:
#    /usr/local/www/docroot-secure/pentover/snort-daily-reports
# that is 30+ days old.  Stuff in:
#    /usr/local/www/docroot-secure/pentover/snort-daily
# will get deleted because OpenBSD is doing same thing on its side and
# pushing via rsync the directory with --delete enabled.  So files
# automagically get deleted on Solaris side.
#
##0 2 * * * find /usr/local/www/docroot-secure/pentover/snort-daily-reports -name "2*-snortsnarf" -type d -mtime +30 -exec rm -rf {} \;

/usr/local/scripts/snortsnarf.ksh looks like this:

#!/bin/ksh
#
# snortsnarf.ksh - build SnortSnarf HTML reports from the rsync'd Snort logs.
#   no argument : report on the current snort log directory
#   DIRSCAN     : build a report for every dated daily directory that has none yet
#
# Every cd is checked so that snortsnarf.pl never runs in the wrong directory.

if [ "${1}" = "DIRSCAN" ]; then

   cd /usr/local/snortsnarf || exit 1
   DATA_PATH=/usr/local/apache/htdocs-secure/pentover/snort-daily
   REPORT_PATH=/usr/local/apache/htdocs-secure/pentover/snort-daily-reports
   #
   # While not specifically looking for this, the egrep below should be
   # parsing for dates in format of YYYYMMDD.
   #
   for DIR in $( ls -1 "${DATA_PATH}" | egrep "^20.*[0-9]$" )
   do

      if [ -f "${REPORT_PATH}/${DIR}-snortsnarf/index.html" ]; then
         :   # report for this day already exists, nothing to do
      else
         cd "${DATA_PATH}/${DIR}" || continue
         HTML_PATH=${REPORT_PATH}/${DIR}-snortsnarf
         URL_PATH=https://chivas.oneill.dhs.org/pentover/snort-daily-reports/${DIR}-snortsnarf
         RULES_FILE=${DATA_PATH}/${DIR}/snort.conf
         ALERT_FILE=${DATA_PATH}/${DIR}/alert
         PORTSCAN_FILE=${DATA_PATH}/${DIR}/portscan
         /usr/local/bin/perl /usr/local/snortsnarf/snortsnarf.pl -d "${HTML_PATH}" -ldir "${URL_PATH}" -color=rotate -rulesfile "${RULES_FILE}" "${ALERT_FILE}" "${PORTSCAN_FILE}"
      fi
   done

else

   cd /usr/local/snortsnarf || exit 1

   /usr/local/bin/perl /usr/local/snortsnarf/snortsnarf.pl -d /usr/local/apache/htdocs-secure/pentover/snort-snarf -ldir https://chivas.oneill.dhs.org/pentover/snort -color=rotate -rulesfile /usr/local/apache/htdocs-secure/pentover/snort/snort.conf -rulesdir /usr/local/apache/htdocs-secure/pentover/snort /usr/local/apache/htdocs-secure/pentover/snort/alert /usr/local/apache/htdocs-secure/pentover/snort/portscan

fi

The /usr/local/snortsnarf directory contains the snortsnarf package.  I know this is kinda *NOT HELPFUL* but it might get you started on the concept of setting up Snort/SnortSnarf.
0
 
LVL 10

Expert Comment

by:Nukfror
ID: 12045167
Oh, one more thing.  If you look at my script that creates the SnortSnarf logs, snortsnarf needs to see the rules that were used to generate the Snort output logs.  So on the OpenBSD server, I always copied the snort rules used into the directory that was rsync'd over to my Solaris server.
0
 

Author Comment

by:ktchanhelp
ID: 12052702
Hi,

I tried to install ntop, but am facing the problem below:
# ntop
Tue Sep 14 17:42:36 2004  ntop will be started as user nobody
Tue Sep 14 17:42:36 2004  ntop v.3.0 SourceForge .tgz MT (SSL)
Tue Sep 14 17:42:36 2004  Configured on Jun 15 2004  3:24:59, built on Jun 15 2004 03:27:44.
Tue Sep 14 17:42:36 2004  Copyright 1998-2004 by Luca Deri <deri@ntop.org>
Tue Sep 14 17:42:36 2004  Get the freshest ntop from http://www.ntop.org/
Tue Sep 14 17:42:36 2004  Initializing ntop
Tue Sep 14 17:42:36 2004  Checking hme0 for additional devices
Tue Sep 14 17:42:36 2004  Resetting traffic statistics for device hme0
Tue Sep 14 17:42:36 2004  DLT: Device 0 [hme0] is 1, mtu 1514, header 14
Tue Sep 14 17:42:36 2004  Initializing gdbm databases
Tue Sep 14 17:42:36 2004  Now running as requested user 'nobody' (60001:60001)
Tue Sep 14 17:42:36 2004  **FATAL_ERROR** ....open of /usr/local/var/ntop/prefsCache.db failed: File write error
Tue Sep 14 17:42:36 2004  1. Is another instance of ntop running?
Tue Sep 14 17:42:36 2004  2. Make sure that the use you specified can write in the target directory

Thanks
K.T.Chan
0
 

Author Comment

by:ktchanhelp
ID: 12055902
Hi,

I have already solved the above problem. By the way, when I start ntop, it just stops at a prompt, and I can't use my browser to access ntop.

Please advise.

Thanks
K.T.Chan
0
 
LVL 10

Accepted Solution

by:
Nukfror earned 250 total points
ID: 12058479
Not sure what you mean ... so you fixed the file permissions issue, right?

Not sure what you mean by "by the way when I start a ntop. my just stop in a prompt. any I can't use my browse to access nTop."
0
