Tracking an IP destination on Solaris 9

Hi,

Any idea how to track an incoming IP on Solaris 9?

Thanks
K.T.Chan
ktchanhelp Asked:

Nukfror Commented:
Not sure what you mean ... so you fixed the file permissions issue, right?

Not sure what you mean by "by the way when I start a ntop. my just stop in a prompt. any I can't use my browse to access nTop."
jlevie Commented:
What information are you after?
ktchanhelp Author Commented:
Hi,

I need to keep tracking an incoming IP: which area it comes from, from what time to what time, and what services it is using?

Thanks
k.T.Chan
jlevie Commented:
A sniffer trace on that IP would yield that information. It might be difficult to tell exactly what the remote user is doing, but you would be able to see what services they use by port numbers.
ktchanhelp Author Commented:
hi,

What are the steps to do it on Solaris 9?

Thanks
K.T.Chan
jlevie Commented:
As root 'snoop host IP' will work. There are a number of other things you can do with snoop (capture to a file, fancier filters, etc). See 'man snoop' for details.
liddler Commented:
For simple things like ftp & telnet that are spawned from inet, run inetd -s -t and this will log to /var/adm/messages.
ktchanhelp Author Commented:
Hi,

How to log an IP on a system?

Thanks
K.T.Chan
liddler Commented:
As jlevie says, use snoop, then redirect all traffic to a log, then use awk / sed / cut to parse the log file
or
use inetd -s -t for traffic inbound via inet
or
look at the command last for logins
or
install the sun firewall sunscreen, this will prevent any other than authorised inbound connections and has an 'ok' logging system.

Can you explain exactly what you want if none of the above help?
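Putting jlevie's snoop suggestion and liddler's awk / sed / cut parsing together, here is an added example (not from any poster in this thread) that summarises one remote IP's inbound activity: first and last time seen, and the protocol/port of each service it touched. The capture lines are constructed and assume the 'snoop -t a' summary layout 'HH:MM:SS.frac src -> dst PROTO D=dport S=sport ...'; the addresses 192.0.2.10 and 198.51.100.5 are placeholders.

```sh
#!/bin/sh
# Added example: summarise what one remote IP did, from snoop summary output.
# Assumed input layout (snoop -t a):  HH:MM:SS.frac  src -> dst  PROTO D=dport S=sport ...
# Only packets *from* the tracked IP *to* our host are counted, so D= is the
# service port on our side.  Lines without a D= token (e.g. ICMP) are skipped.

# Constructed sample capture (documentation addresses, not real hosts).
SAMPLE=$(cat <<'EOF'
17:42:36.12345  192.0.2.10 -> 198.51.100.5  TCP D=22 S=40312 Syn Seq=1 Len=0 Win=49640
17:42:36.12944  198.51.100.5 -> 192.0.2.10  TCP D=40312 S=22 Syn Ack=2 Seq=7 Len=0 Win=49640
17:42:37.00012  192.0.2.10 -> 198.51.100.5  TCP D=22 S=40312 Ack=8 Seq=2 Len=48 Win=49640
17:55:01.50000  192.0.2.10 -> 198.51.100.5  TCP D=23 S=40400 Syn Seq=1 Len=0 Win=49640
17:55:03.25000  192.0.2.10 -> 198.51.100.5  UDP D=53 S=40500 LEN=45
18:03:12.00000  192.0.2.77 -> 198.51.100.5  TCP D=80 S=51000 Syn Seq=1 Len=0 Win=49640
EOF
)

# snoop_summary TRACKED_IP OUR_HOST  < snoop-output
# Prints one line "<first seen> <last seen> <PROTO/port,...>" with the
# services in order of first use, or nothing if the IP never sent us anything.
snoop_summary() {
    awk -v ip="$1" -v me="$2" '
        $2 == ip && $4 == me {
            # emit "time PROTO/dport" for every D= token on the line
            for (i = 6; i <= NF; i++)
                if ($i ~ /^D=/) print $1, $5 "/" substr($i, 3)
        }' |
    sort |                    # HH:MM:SS sorts lexically within one day
    awk '
        NR == 1 { first = $1 }
        { last = $1
          if (!($2 in seen)) { seen[$2] = 1; ports = ports (ports ? "," : "") $2 } }
        END { if (NR) print first, last, ports }'
}

# Which services did 192.0.2.10 use against us, and when?
printf '%s\n' "$SAMPLE" | snoop_summary 192.0.2.10 198.51.100.5
# prints: 17:42:36.12345 17:55:03.25000 TCP/22,TCP/23,UDP/53
```

On the real box you would feed it 'snoop -t a host IP' output saved with '-o' and replayed with '-i', or a tee'd text log, instead of the embedded sample.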
Nukfror Commented:
Take a look at snort and add on SnortSnarf to it.

Also take a look at ntop, which has various graphs showing "traffic", under which you can indicate specific IPs to watch.
ktchanhelp Author Commented:
Hi,

Snort with the SnortSnarf add-on is the solution I find; any steps to guide me to install it on Solaris 9 64-bit?

Thanks
K.T.Chan
Nukfror Commented:
It's not hard - kinda tedious though.  Snort is nothing more than a packet sniffer.  SnortSnarf just reads Snort packet dumps.  Now that I think about it, if you are looking to pin down what a specific IP address is doing, Snort/SnortSnarf might be overkill but should work fine.  NTOP might probably be a better solution.

But anyway, my Snort/SnortSnarf config is currently shutdown - moved from TX to VA and haven't gone back to get it working again.  I keep meaning to set this back up.

I had two machine involved:

- One doing the snort collecting.  I got the most current rules from snort.org and ran snort against those.  You can set up your own rules if you wish to watch for specific things.  This was an OpenBSD server which no longer exists :( - hardware finally died on me.  My switch was configured to set up an I-can't-remember-what-it's-called port that has all traffic for a specific VLAN getting pushed to it.  This OpenBSD server was pulled into that interface.  Installing Snort is easy - simply install the package.  Then go to snort.org and get the latest rules configuration files.
- The other server did the snortsnarf'ing - this was behind my firewall.  It pulled the snort logs over from the snort server using rsync and chewed on them.  The following crontab entries were used to generate the SnortSnarf web pages:

###################################################
#
# Run snortsnarf.ksh to generate SnortSnarf report
#
##0,15,30,45 1-23 * * * /usr/local/scripts/snortsnarf.ksh 1>/dev/null 2>&1
##30 1 * * * /usr/local/scripts/snortsnarf.ksh DIRSCAN
#
# Delete any directory at the level of:
#    /usr/local/www/docroot-secure/pentover/snort-daily-reports
# that is 30+ days old.  Stuff in:
#    /usr/local/www/docroot-secure/pentover/snort-daily
# will get deleted because OpenBSD is doing same thing on its side and
# pushing via rsync the directory with --delete enabled.  So files
# automagically get deleted on Solaris side.
#
##0 2 * * * find /usr/local/www/docroot-secure/pentover/snort-daily-reports -name "2*-snortsnarf" -type d -mtime +30 -exec rm -rf {} \;

/usr/local/scripts/snortsnarf.ksh looks like this:

#!/bin/ksh
#
# snortsnarf.ksh - build SnortSnarf HTML reports from the Snort logs that
# were rsync'd over from the sensor.
#   snortsnarf.ksh          report on the current snort/ directory
#   snortsnarf.ksh DIRSCAN  build a report for every dated snort-daily/YYYYMMDD
#                           directory that does not have one yet

if [ "${1}" = "DIRSCAN" ]; then

   cd /usr/local/snortsnarf || exit 1
   DATA_PATH=/usr/local/apache/htdocs-secure/pentover/snort-daily
   REPORT_PATH=/usr/local/apache/htdocs-secure/pentover/snort-daily-reports
   #
   # Only directories whose names look like a date (YYYYMMDD, e.g. 20040914)
   # are considered; the egrep is loose but anything else in ${DATA_PATH}
   # is skipped.
   #
   for DIR in $( ls -1 "${DATA_PATH}" | egrep "^20.*[0-9]$" )
   do
      # Skip days that already have a finished report.
      if [ ! -f "${REPORT_PATH}/${DIR}-snortsnarf/index.html" ]; then
         cd "${DATA_PATH}/${DIR}" || continue
         HTML_PATH=${REPORT_PATH}/${DIR}-snortsnarf
         URL_PATH=https://chivas.oneill.dhs.org/pentover/snort-daily-reports/${DIR}-snortsnarf
         # snortsnarf needs the rules file that produced the alerts, so the
         # sensor copies snort.conf into each day's directory before rsync.
         RULES_FILE=${DATA_PATH}/${DIR}/snort.conf
         ALERT_FILE=${DATA_PATH}/${DIR}/alert
         PORTSCAN_FILE=${DATA_PATH}/${DIR}/portscan
         /usr/local/bin/perl /usr/local/snortsnarf/snortsnarf.pl \
            -d "${HTML_PATH}" -ldir "${URL_PATH}" -color=rotate \
            -rulesfile "${RULES_FILE}" "${ALERT_FILE}" "${PORTSCAN_FILE}"
      fi
   done

else

   cd /usr/local/snortsnarf || exit 1

   # Single report over the live snort/ directory.
   /usr/local/bin/perl /usr/local/snortsnarf/snortsnarf.pl \
      -d /usr/local/apache/htdocs-secure/pentover/snort-snarf \
      -ldir https://chivas.oneill.dhs.org/pentover/snort \
      -color=rotate \
      -rulesfile /usr/local/apache/htdocs-secure/pentover/snort/snort.conf \
      -rulesdir /usr/local/apache/htdocs-secure/pentover/snort \
      /usr/local/apache/htdocs-secure/pentover/snort/alert \
      /usr/local/apache/htdocs-secure/pentover/snort/portscan

fi

The /usr/local/snortsnarf directory contains the snortsnarf package.  I know this is kinda *NOT HELPFUL* but it might get you started on the concept of setting up Snort/SnortSnarf.
Nukfror Commented:
Oh one more thing.  If you look at my script that creates the SnortSnarf logs, snortsnarf needs to see the rules that were used to generate the Snort output logs.  So on the OpenBSD server, I always copied the snort rules used into the directory that was rsync'd over to my Solaris server.  
ktchanhelp Author Commented:
Hi,

I tried to install ntop, but am facing the problem below:
# ntop
Tue Sep 14 17:42:36 2004  ntop will be started as user nobody
Tue Sep 14 17:42:36 2004  ntop v.3.0 SourceForge .tgz MT (SSL)
Tue Sep 14 17:42:36 2004  Configured on Jun 15 2004  3:24:59, built on Jun 15 2004 03:27:44.
Tue Sep 14 17:42:36 2004  Copyright 1998-2004 by Luca Deri <deri@ntop.org>
Tue Sep 14 17:42:36 2004  Get the freshest ntop from http://www.ntop.org/
Tue Sep 14 17:42:36 2004  Initializing ntop
Tue Sep 14 17:42:36 2004  Checking hme0 for additional devices
Tue Sep 14 17:42:36 2004  Resetting traffic statistics for device hme0
Tue Sep 14 17:42:36 2004  DLT: Device 0 [hme0] is 1, mtu 1514, header 14
Tue Sep 14 17:42:36 2004  Initializing gdbm databases
Tue Sep 14 17:42:36 2004  Now running as requested user 'nobody' (60001:60001)
Tue Sep 14 17:42:36 2004  **FATAL_ERROR** ....open of /usr/local/var/ntop/prefsCache.db failed: File write error
Tue Sep 14 17:42:36 2004  1. Is another instance of ntop running?
Tue Sep 14 17:42:36 2004  2. Make sure that the use you specified can write in the target directory

Thanks
K.T.Chan
ktchanhelp Author Commented:
Hi,

The above problem I already solved. By the way, when I start ntop it just stops at a prompt, and I can't use my browser to access ntop.

Please advise.

Thanks
K.T.Chan