Monday, August 19, 2013

Basic port scan monitoring with SCOM

Hello,

I wondered whether port scan attacks can be monitored with SCOM, and found a post describing how to build a custom script for a SCOM unit monitor.

Using the link
http://operatingquadrant.com/2009/08/13/scom-locallly-monitoring-a-listening-tcp-port/

Starting from that script, I created a new unit monitor targeted at the Windows Computer class. In the script, "a" is the number of lines containing "SYN_SENT" in the output of netstat -ano. The monitor runs the script every 2 minutes (the interval is a parameter of the monitor's schedule); if "a" is 5 or more, the monitor changes to its error state and raises an alert, otherwise it stays healthy. Note that netstat is a snapshot of the connection table at the moment the script runs, not a count over the whole interval, so a short burst between two runs can be missed.

http://netsecurity.about.com/cs/hackertools/a/aa121303.htm explains why "SYN_SENT" is the netstat state to look for. A TCP entry is in SYN_SENT when the local host has sent a SYN and is still waiting for the SYN-ACK, so a pile of them means the monitored machine itself is trying to open many connections at once, which is what an outbound port scan (or scanning malware running on the host) looks like; half-open connections from a remote scanner hitting this host would show up as SYN_RECEIVED instead. The script is a starting point: a more detailed monitor can be built on it, for example by grouping the entries by owning process or by counting distinct remote ports.

Here is the full script for the unit monitor:
-------------------------------------
Option Explicit

' Count the SYN_SENT entries in "netstat -ano" and return a two-state
' property bag (Status = OK / Error) for the SCOM unit monitor.
Const SYN_SENT_THRESHOLD = 5   ' alert when this many or more SYN_SENT lines appear

Dim oAPI, oBag, objShell, objExec, oStdOut
Dim sCmd, sLine, sMesg, a

Set oAPI = CreateObject("MOM.ScriptAPI")
Set oBag = oAPI.CreatePropertyBag()

' Run netstat and read its output line by line.
' WScript.Shell.Exec needs standard I/O handles in the calling process; if it
' fails with "The handle is invalid", run netstat with objShell.Run, redirect
' its output to a temporary file and read that file instead.
sCmd = "netstat -ano"
Set objShell = CreateObject("WScript.Shell")
Set objExec = objShell.Exec(sCmd)
Set oStdOut = objExec.StdOut

a = 0
Do Until oStdOut.AtEndOfStream
    sLine = oStdOut.ReadLine
    ' Every TCP connection the local host has started but not yet completed
    ' is listed with the state SYN_SENT.
    If InStr(sLine, "SYN_SENT") > 0 Then
        a = a + 1
    End If
Loop

If a < SYN_SENT_THRESHOLD Then
    sMesg = "no problem"
    Call oBag.AddValue("Status", "OK")
Else
    sMesg = "Port scan alert: " & a & " SYN_SENT connections"
    Call oBag.AddValue("Status", "Error")
End If

Call oBag.AddValue("Message", sMesg)
Call oBag.AddValue("SynSentCount", a)
Call oAPI.Return(oBag)
Set oBag = Nothing
Set oAPI = Nothing
------------------------------------------
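As an added example (not part of the original post, and not the script above), here is the same monitor written in PowerShell with the refinement mentioned earlier: the SYN_SENT entries are grouped by owning PID and the alert fires only when one process is reaching many distinct remote ports, which is what a scan looks like, rather than on the raw count alone. The function names, the two thresholds and the -Live switch are my own choices, and the netstat output in $sample is constructed for the example so the script runs offline; with -Live it runs netstat -ano itself, which PowerShell captures directly without WScript.Shell.Exec. When MOM.ScriptAPI is registered (i.e. under the SCOM agent) it returns a property bag with the same Status/Message values the VBScript monitor uses, otherwise it just prints the verdict.

```powershell
# Added example, not the original monitor script.
# Assumed layout of "netstat -ano" rows:
#   Proto  Local Address          Foreign Address        State           PID
param(
    [switch]$Live,                    # run netstat for real instead of using $sample
    [int]$SynSentThreshold = 5,       # total SYN_SENT entries needed before alerting (assumed value)
    [int]$DistinctPortThreshold = 5   # distinct remote ports from one PID = port-sweep signature (assumed value)
)

function ConvertFrom-NetstatLine {
    param([string]$Line)
    # Header, blank and UDP rows (no State column) are skipped.
    $fields = $Line.Trim() -split '\s+'
    if ($fields.Count -lt 5 -or $fields[0] -ne 'TCP') { return $null }
    $remote = $fields[2]
    $idx = $remote.LastIndexOf(':')    # LastIndexOf also copes with IPv6 like [::1]:443
    [pscustomobject]@{
        LocalAddress = $fields[1]
        RemoteHost   = $remote.Substring(0, $idx)
        RemotePort   = [int]$remote.Substring($idx + 1)
        State        = $fields[3]
        Pid          = [int]$fields[4]
    }
}

function Get-SynSentSummary {
    param([string[]]$NetstatLines, [int]$SynSentThreshold, [int]$DistinctPortThreshold)
    $synSent = @($NetstatLines | ForEach-Object { ConvertFrom-NetstatLine $_ } |
                 Where-Object { $_ -and $_.State -eq 'SYN_SENT' })
    # One PID reaching many distinct ports is the scan signature; five unrelated
    # half-open connections from five different processes usually are not.
    $byPid = $synSent | Group-Object Pid | ForEach-Object {
        [pscustomobject]@{
            Pid           = [int]$_.Name
            Count         = $_.Count
            DistinctPorts = @($_.Group.RemotePort | Sort-Object -Unique).Count
            DistinctHosts = @($_.Group.RemoteHost | Sort-Object -Unique).Count
        }
    }
    $suspect = @($byPid | Where-Object { $_.DistinctPorts -ge $DistinctPortThreshold })
    [pscustomobject]@{
        SynSentTotal = $synSent.Count
        Suspect      = $suspect
        Status       = if ($synSent.Count -ge $SynSentThreshold -and $suspect.Count -gt 0) { 'Error' } else { 'OK' }
    }
}

# Constructed sample (not real data): PID 4120 is sweeping 203.0.113.9,
# PID 2288 is an ordinary browser with one pending and one established connection.
$sample = @'
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.5:49152         203.0.113.9:21         SYN_SENT        4120
  TCP    10.0.0.5:49153         203.0.113.9:22         SYN_SENT        4120
  TCP    10.0.0.5:49154         203.0.113.9:23         SYN_SENT        4120
  TCP    10.0.0.5:49155         203.0.113.9:25         SYN_SENT        4120
  TCP    10.0.0.5:49156         203.0.113.9:80         SYN_SENT        4120
  TCP    10.0.0.5:49157         203.0.113.9:443        SYN_SENT        4120
  TCP    10.0.0.5:49201         198.51.100.7:443       ESTABLISHED     2288
  TCP    10.0.0.5:49202         198.51.100.8:443       SYN_SENT        2288
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  UDP    0.0.0.0:5353           *:*                                    1032
'@
$lines = if ($Live) { netstat -ano } else { $sample -split "`r?`n" }

$result  = Get-SynSentSummary -NetstatLines $lines -SynSentThreshold $SynSentThreshold -DistinctPortThreshold $DistinctPortThreshold
$message = if ($result.Status -eq 'Error') {
    "Port scan alert: PID(s) $($result.Suspect.Pid -join ',') opened $($result.SynSentTotal) half-open connections"
} else { 'no problem' }

# Under SCOM, return a property bag like the VBScript monitor; elsewhere print the verdict.
try {
    $api = New-Object -ComObject 'MOM.ScriptAPI'
    $bag = $api.CreatePropertyBag()
    $bag.AddValue('Status', $result.Status)
    $bag.AddValue('Message', $message)
    $bag.AddValue('SynSentTotal', $result.SynSentTotal)
    $api.Return($bag)
} catch {
    "$($result.Status): $message"
}
```

Run without arguments, the constructed sample yields Status = Error (7 SYN_SENT entries in total, 6 distinct ports from PID 4120) while the single pending connection of PID 2288 is not counted as suspect. The unit monitor's healthy and unhealthy expressions then test Property[@Name='Status'] for "OK" and "Error" exactly as with the VBScript version.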

have a nice day! :)

1 comment:

  1. Hi, I tried to run the script but it ended with a "The handle is invalid" error at line 35.