Monday, August 19, 2013

Basically monitoring port scan with SCOM


I was thinking about whether monitoring port scan attacks with SCOM is possible, and I found a link for building a customized script for a unit monitor in SCOM.

Using the link

I customized the script and created a new unit monitor targeted to the "Windows Computer" class. Here "a" represents the number of "SYN_SENT" lines returned by the netstat command. If "a" is less than 5 in a 2-minute interval (given as a parameter for scheduling the monitor), the monitor will raise an alert. will be helpful to understand why I used "SYN_SENT" for netstat. Of course, a more detailed monitor can be built; this script should be taken as a starting point.

Here is the full script for the unit monitor:

Option Explicit
Dim sCmd
Dim oAPI, oBag, objShell, objExec, oStdOut, a
Set oAPI = CreateObject("MOM.ScriptAPI")
Set oBag = oAPI.CreatePropertyBag()

Dim sLine, sMesg

' List all connections with numeric addresses and owning PIDs
sCmd = "netstat -ano"
Set objShell = CreateObject("WScript.Shell")
Set objExec = objShell.Exec(sCmd)
Set oStdOut = objExec.StdOut

' Count the netstat lines that are in the SYN_SENT state
a = 0
Do Until oStdOut.AtEndOfStream
    sLine = oStdOut.ReadLine
    If InStr(sLine, "SYN_SENT") > 0 Then
        a = a + 1
    End If
Loop

' Report the health state to SCOM through the property bag
If a < 5 Then
    sMesg = "no problem"
    Call oBag.AddValue("Status", "OK")
Else
    sMesg = "Port scan alert"
    Call oBag.AddValue("Status", "Error")
End If

Call oBag.AddValue("Message", sMesg)
Call oAPI.Return(oBag)
Set oBag = Nothing
Set oAPI = Nothing
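
The post notes that a more detailed monitor can be built from this starting point. The PowerShell below is an added example, not the author's script: it groups SYN_SENT rows (outbound connection attempts still waiting for a SYN-ACK) by owning PID, so the result names the process responsible rather than only a host-wide count. The function names, the per-process use of the threshold of 5, and the sample netstat rows are assumptions constructed for illustration.

```powershell
# Added example. Function names and sample rows are constructed, not from the post.
function Get-SynSentConnection {
    param([string[]]$NetstatLine)
    foreach ($line in $NetstatLine) {
        $f = $line.Trim() -split '\s+'
        # TCP rows have 5 columns: Proto, Local, Foreign, State, PID (UDP rows have 4)
        if ($f.Count -ne 5 -or $f[0] -ne 'TCP' -or $f[3] -ne 'SYN_SENT') { continue }
        $i = $f[2].LastIndexOf(':')   # last colon, so [IPv6]:port also splits correctly
        [pscustomobject]@{
            RemoteHost = $f[2].Substring(0, $i)
            RemotePort = [int]$f[2].Substring($i + 1)
            OwningPid  = [int]$f[4]
        }
    }
}

function Test-PortScanSuspect {
    param([string[]]$NetstatLine, [int]$MaxHalfOpen = 5)   # 5 mirrors the "a < 5" check
    $conns  = @(Get-SynSentConnection -NetstatLine $NetstatLine)
    $perPid = @($conns | Group-Object OwningPid | ForEach-Object {
        [pscustomobject]@{
            OwningPid     = [int]$_.Name
            HalfOpen      = $_.Count
            DistinctHosts = @($_.Group.RemoteHost | Sort-Object -Unique).Count
            DistinctPorts = @($_.Group.RemotePort | Sort-Object -Unique).Count
        }
    })
    $suspects = @($perPid | Where-Object { $_.HalfOpen -ge $MaxHalfOpen })
    $status   = if ($suspects.Count -gt 0) { 'Error' } else { 'OK' }
    [pscustomobject]@{ Status = $status; TotalSynSent = $conns.Count; Suspects = $suspects }
}

# Constructed sample in "netstat -ano" layout, using documentation address ranges.
$sample = @(
    '  TCP    0.0.0.0:135        0.0.0.0:0           LISTENING     900'
    '  TCP    10.0.0.5:49701     198.51.100.7:443    ESTABLISHED   1888'
    '  TCP    10.0.0.5:49702     198.51.100.9:443    SYN_SENT      1888'
    '  TCP    10.0.0.5:49710     203.0.113.20:21     SYN_SENT      4312'
    '  TCP    10.0.0.5:49711     203.0.113.20:22     SYN_SENT      4312'
    '  TCP    10.0.0.5:49712     203.0.113.20:23     SYN_SENT      4312'
    '  TCP    10.0.0.5:49713     203.0.113.20:25     SYN_SENT      4312'
    '  TCP    10.0.0.5:49714     203.0.113.20:80     SYN_SENT      4312'
    '  TCP    10.0.0.5:49715     203.0.113.20:443    SYN_SENT      4312'
    '  UDP    0.0.0.0:5355       *:*                               1200'
)
$result = Test-PortScanSuspect -NetstatLine $sample   # live: -NetstatLine (netstat -ano)
$result.Status
$result.Suspects | Format-Table -AutoSize
```

In a SCOM script monitor, the Status value and a message built from the Suspects rows would be written to the property bag in the same way the VBScript above does.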

have a nice day! :)

1 comment:

  1. Hi, I try to run the script but the script ended with "the handle is invalid" line 35 error.