Solved

Tracking an IP destination on Solaris 9

Posted on 2004-09-09
15
345 Views
Last Modified: 2013-12-27
Hi,

Any idea how to track an incoming IP on Solaris 9?

Thanks
K.T.Chan
Question by:ktchanhelp
15 Comments
 
LVL 40

Expert Comment

by:jlevie
What information are you after?
0
 

Author Comment

by:ktchanhelp
Hi,

I need to keep track of which area an incoming IP comes from, also from what time to what time, and also what services it is using.

Thanks
k.T.Chan
0
 
LVL 40

Expert Comment

by:jlevie
A sniffer trace on that IP would yield that information. It might be difficult to tell exactly what the remote user is doing, but you would be able to see what services they use by port numbers.
0
 

Author Comment

by:ktchanhelp
hi,

What are the steps to do it on Solaris 9?

Thanks
K.T.Chan
0
 
LVL 40

Expert Comment

by:jlevie
As root 'snoop host IP' will work. There are a number of other things you can do with snoop (capture to a file, fancier filters, etc). See 'man snoop' for details.
0
 
LVL 18

Expert Comment

by:liddler
For simple things like ftp & telnet that are spawned from inetd, run inetd -s -t and this will log to /var/adm/messages.
0
 

Author Comment

by:ktchanhelp
Hi,

How do I log an IP on a system?

Thanks
K.T.Chan
0
 
LVL 18

Expert Comment

by:liddler
As jlevie says, use snoop, then redirect all traffic to a log, then use awk / sed / cut to parse the log file
or
use inetd -s -t for traffic inbound via inetd
or
look at the command last for logins
or
install the Sun firewall SunScreen; this will prevent any other than authorised inbound connections and has an 'ok' logging system.

Can you explain exactly what you want if none of the above help?
0
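One way to do the snoop-then-parse step liddler describes, as an added example that is not code from the thread: an awk report over snoop summary output listing, per service port, how many packets the watched host sent and when the first and last were seen. It assumes the capture was printed with 'snoop -r -t a' (no name resolution, absolute timestamps); the sample lines are constructed, with 203.0.113.7 standing in for the remote address.

```shell
#!/bin/sh
# Added example, not code from the thread.  Summarise what one remote host did
# according to snoop summary output, per service port, with first/last time.
# Assumes the capture was taken and printed as root with
#    snoop -r -t a -o /var/tmp/host.cap host 203.0.113.7
#    snoop -r -t a -i /var/tmp/host.cap > /var/tmp/host.txt
# so each line looks like: "HH:MM:SS.frac src -> dst PROTO D=port S=port ..."

# Constructed sample of such output (203.0.113.7 is the watched remote host).
SAMPLE_CAP=' 9:01:03.10112 203.0.113.7 -> 10.1.1.5 TCP D=23 S=1034 Syn Seq=1 Len=0 Win=8192
 9:01:03.10330 10.1.1.5 -> 203.0.113.7 TCP D=1034 S=23 Syn Ack=2 Seq=1 Len=0 Win=8760
 9:01:04.55001 203.0.113.7 -> 10.1.1.5 TCP D=23 S=1034 Ack=2 Seq=2 Len=12 Win=8192
 9:14:22.00931 203.0.113.7 -> 10.1.1.5 TCP D=21 S=1040 Syn Seq=1 Len=0 Win=8192
10:02:51.44103 203.0.113.7 -> 10.1.1.5 UDP D=53 S=1041 LEN=40
10:02:51.44211 10.1.1.5 -> 203.0.113.7 UDP D=1041 S=53 LEN=120'

# snoop_report IP  < snoop-summary-text
# Prints one line per PROTO/port the host IP sent packets to:
#   PROTO/port packets=N first=<time> last=<time>
# Only packets *from* IP are counted, so "D=" is the service on our side.
snoop_report() {
   awk -v ip="$1" '
      $2 == ip && $3 == "->" && $6 ~ /^D=/ {
         split($6, d, "=")          # d[2] is the destination port
         key = $5 "/" d[2]          # e.g. TCP/23
         n[key]++
         if (!(key in first)) first[key] = $1
         last[key] = $1             # lines arrive in capture order
      }
      END {
         for (k in n)
            printf "%s packets=%d first=%s last=%s\n", k, n[k], first[k], last[k]
      }' | sort
}

# Run it over the sample; with a real file use: snoop_report 203.0.113.7 < /var/tmp/host.txt
printf '%s\n' "$SAMPLE_CAP" | snoop_report 203.0.113.7
```

Replies from 10.1.1.5 are deliberately ignored, so the ports reported are the services the remote host used, which is what the question asks for.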
 
LVL 10

Expert Comment

by:Nukfror
Take a look at snort and add on SnortSnarf to it.

Also take a look at ntop, which has various graphs showing "traffic", under which you can indicate specific IPs to watch.
0
 

Author Comment

by:ktchanhelp
Hi,

The Snort and add-on SnortSnarf is a solution I find; is there any step-by-step guide to install it on Solaris 9 64-bit?

Thanks
K.T.Chan
0
 
LVL 10

Expert Comment

by:Nukfror
It's not hard - kinda tedious though.  Snort is nothing more than a packet sniffer.  SnortSnarf just reads Snort packet dumps.  Now that I think about it, if you are looking to pin down what a specific IP address is doing, Snort/SnortSnarf might be overkill but should work fine.  ntop might probably be a better solution.

But anyway, my Snort/SnortSnarf config is currently shutdown - moved from TX to VA and haven't gone back to get it working again.  I keep meaning to set this back up.

I had two machines involved:

- One doing the Snort collecting.  I got the most current rules from snort.org and ran Snort against those.  You can set up your own rules if you wish to watch for specific things.  This was an OpenBSD server which no longer exists :( - hardware finally died on me.  My switch was configured to set up an I-can't-remember-what-its-called port that has all traffic for a specific VLAN getting pushed to it.  This OpenBSD server was plugged into that interface.  Installing Snort is easy - simply install the package.  Then go to snort.org and get the latest rules configuration files.
- The other server did the SnortSnarf'ing - this was behind my firewall.  It pulled the Snort logs over from the Snort server using rsync and chewed on them.  The following crontab entries were used to generate the SnortSnarf web pages:

###################################################
#
# Run snortsnarf.ksh to generate SnortSnarf report
#
##0,15,30,45 1-23 * * * /usr/local/scripts/snortsnarf.ksh 1>/dev/null 2>&1
##30 1 * * * /usr/local/scripts/snortsnarf.ksh DIRSCAN
#
# Delete any directory at the level of:
#    /usr/local/www/docroot-secure/pentover/snort-daily-reports
# that is 30+ days old.  Stuff in:
#    /usr/local/www/docroot-secure/pentover/snort-daily
# will get deleted because OpenBSD is doing same thing on its side and
# pushing via rsync the directory with --delete enabled.  So files
# automagically get deleted on Solaris side.
#
##0 2 * * * find /usr/local/www/docroot-secure/pentover/snort-daily-reports -name "2*-snortsnarf" -type d -mtime +30 -exec rm -rf {} \;

/usr/local/scripts/snortsnarf.ksh looks like this:

#!/bin/ksh
#
# snortsnarf.ksh - generate SnortSnarf HTML reports from the Snort alert
# and portscan logs rsync'd over from the sensor.  With the argument DIRSCAN
# it builds one report per daily data directory that has none yet; with no
# argument it regenerates the report for the current log set.

if [ "${1}" = "DIRSCAN" ]; then

   cd /usr/local/snortsnarf || exit 1
   DATA_PATH=/usr/local/apache/htdocs-secure/pentover/snort-daily
   REPORT_PATH=/usr/local/apache/htdocs-secure/pentover/snort-daily-reports
   #
   # While not specifically looking for this, the egrep below should be
   # parsing for dates in format of YYYYMMDD.
   #
   for DIR in $( ls -1 "${DATA_PATH}" | egrep "^20.*[0-9]$" )
   do
      # Skip any day that already has a generated report
      if [ ! -f "${REPORT_PATH}/${DIR}-snortsnarf/index.html" ]; then
         cd "${DATA_PATH}/${DIR}" || continue
         HTML_PATH=${REPORT_PATH}/${DIR}-snortsnarf
         URL_PATH=https://chivas.oneill.dhs.org/pentover/snort-daily-reports/${DIR}-snortsnarf
         RULES_FILE=${DATA_PATH}/${DIR}/snort.conf
         ALERT_FILE=${DATA_PATH}/${DIR}/alert
         PORTSCAN_FILE=${DATA_PATH}/${DIR}/portscan
         # SnortSnarf needs the rules file that produced the alerts (see below)
         /usr/local/bin/perl /usr/local/snortsnarf/snortsnarf.pl -d "${HTML_PATH}" -ldir "${URL_PATH}" -color=rotate -rulesfile "${RULES_FILE}" "${ALERT_FILE}" "${PORTSCAN_FILE}"
      fi
   done

else

   cd /usr/local/snortsnarf || exit 1

   /usr/local/bin/perl /usr/local/snortsnarf/snortsnarf.pl -d /usr/local/apache/htdocs-secure/pentover/snort-snarf -ldir https://chivas.oneill.dhs.org/pentover/snort -color=rotate -rulesfile /usr/local/apache/htdocs-secure/pentover/snort/snort.conf -rulesdir /usr/local/apache/htdocs-secure/pentover/snort /usr/local/apache/htdocs-secure/pentover/snort/alert /usr/local/apache/htdocs-secure/pentover/snort/portscan

fi

The /usr/local/snortsnarf directory contains the SnortSnarf package.  I know this is kinda *NOT HELPFUL* but it might get you started on the concept of setting up Snort/SnortSnarf.
0
 
LVL 10

Expert Comment

by:Nukfror
Oh one more thing.  If you look at my script that creates the SnortSnarf logs, snortsnarf needs to see the rules that were used to generate the Snort output logs.  So on the OpenBSD server, I always copied the snort rules used into the directory that was rsync'd over to my Solaris server.  
0
 

Author Comment

by:ktchanhelp
Hi,

I tried to install ntop, but am facing the problem below:
# ntop
Tue Sep 14 17:42:36 2004  ntop will be started as user nobody
Tue Sep 14 17:42:36 2004  ntop v.3.0 SourceForge .tgz MT (SSL)
Tue Sep 14 17:42:36 2004  Configured on Jun 15 2004  3:24:59, built on Jun 15 2004 03:27:44.
Tue Sep 14 17:42:36 2004  Copyright 1998-2004 by Luca Deri <deri@ntop.org>
Tue Sep 14 17:42:36 2004  Get the freshest ntop from http://www.ntop.org/
Tue Sep 14 17:42:36 2004  Initializing ntop
Tue Sep 14 17:42:36 2004  Checking hme0 for additional devices
Tue Sep 14 17:42:36 2004  Resetting traffic statistics for device hme0
Tue Sep 14 17:42:36 2004  DLT: Device 0 [hme0] is 1, mtu 1514, header 14
Tue Sep 14 17:42:36 2004  Initializing gdbm databases
Tue Sep 14 17:42:36 2004  Now running as requested user 'nobody' (60001:60001)
Tue Sep 14 17:42:36 2004  **FATAL_ERROR** ....open of /usr/local/var/ntop/prefsCache.db failed: File write error
Tue Sep 14 17:42:36 2004  1. Is another instance of ntop running?
Tue Sep 14 17:42:36 2004  2. Make sure that the use you specified can write in the target directory

Thanks
K.T.Chan
0
 

Author Comment

by:ktchanhelp
Hi,

The above problem I have already solved. By the way, when I start ntop, it just stops at a prompt, and I can't use my browser to access ntop.

Please advise.

Thanks
K.T.Chan
0
 
LVL 10

Accepted Solution

by:Nukfror (earned 250 total points)
Not sure what you mean ... so you fixed the file permissions issue, right?

Not sure what you mean by "by the way when I start a ntop. my just stop in a prompt. any I can't use my browse to access nTop."
0