Hello,
I was wondering whether monitoring port scan attacks with SCOM is possible, and I found a link describing how to build a customized script for a unit monitor in SCOM.
Using the link
http://operatingquadrant.com/2009/08/13/scom-locallly-monitoring-a-listening-tcp-port/
I customized the script and created a new unit monitor targeted at the "Windows Computer" class. "a" here represents the number of "SYN_SENT" lines returned by the netstat command. If "a" is less than 5 within the 2-minute interval (given as a parameter in the monitor's schedule) the monitor reports healthy; otherwise it raises an alert.
http://netsecurity.about.com/cs/hackertools/a/aa121303.htm will be helpful to understand why I used "SYN_SENT" as the netstat filter. Of course a more detailed monitor can be built; this script should be taken as a starting point.
Here is the full script for the unit monitor:
-------------------------------------
Option Explicit
' Counts TCP connections in the SYN_SENT state reported by netstat and
' returns a property bag to SCOM: Status=OK below the threshold, Error otherwise.
Dim sCmd, oAPI, oBag, objShell, objExec, oStdOut, a
Dim sLine, sMesg
Const nThreshold = 5   ' number of SYN_SENT lines that triggers the alert

Set oAPI = CreateObject("MOM.ScriptAPI")
Set oBag = oAPI.CreatePropertyBag()

' netstat -ano lists all connections with numeric addresses and owning PIDs
sCmd = "netstat -ano"
Set objShell = CreateObject("WScript.Shell")
Set objExec = objShell.Exec(sCmd)
Set oStdOut = objExec.StdOut

' Count every line whose state column is SYN_SENT (outbound half-open connections)
a = 0
Do Until oStdOut.AtEndOfStream
    sLine = oStdOut.ReadLine
    If InStr(sLine, "SYN_SENT") > 0 Then
        a = a + 1
    End If
Loop

If a < nThreshold Then
    sMesg = "no problem"
    Call oBag.AddValue("Status", "OK")
Else
    sMesg = "Port scan alert"
    Call oBag.AddValue("Status", "Error")
End If
Call oBag.AddValue("Message", sMesg)
' Return hands the bag back to the SCOM workflow; it is meant to be called when
' the agent runs the script, not when it is launched interactively with cscript/wscript.
Call oAPI.Return(oBag)
Set oBag = Nothing
Set oAPI = Nothing
------------------------------------------
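As an added example (not the post's script, and not tied to SCOM), the same check reimplemented in Python over constructed `netstat -ano` output. It goes one step further than the VBScript: because a SYN_SENT entry is a connection attempt leaving the monitored host, a burst of them means this machine is the one probing others, so the example also breaks the count down per owning PID so the alert can name the responsible process. The sample output, the `THRESHOLD` constant and the function names are assumptions made for the example.

```python
"""Count half-open outbound TCP connections (SYN_SENT) in `netstat -ano` output.

Added example, not the original post's script: it reimplements the check the
VBScript monitor performs and extends it with a per-PID breakdown so the alert
can say which process is opening the connections. SAMPLE below is constructed.
"""
import re
from collections import Counter

THRESHOLD = 5  # same threshold as the post's monitor: 5 or more SYN_SENT lines -> alert

# `netstat -ano` columns: Proto  Local Address  Foreign Address  State  PID
# (UDP rows have no State column, hence the optional group)
NETSTAT_LINE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)


def parse_netstat(text):
    """Return one dict per connection row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def syn_sent_by_pid(rows):
    """Count SYN_SENT rows keyed by the owning PID."""
    return Counter(r["pid"] for r in rows if r["state"] == "SYN_SENT")


def evaluate(text, threshold=THRESHOLD):
    """Return (status, message, per_pid), mirroring the SCOM property bag values."""
    per_pid = syn_sent_by_pid(parse_netstat(text))
    total = sum(per_pid.values())
    if total < threshold:
        return "OK", "no problem", dict(per_pid)
    top_pid, top_count = per_pid.most_common(1)[0]
    msg = f"Port scan alert: {total} SYN_SENT connections, {top_count} from PID {top_pid}"
    return "Error", msg, dict(per_pid)


# Constructed sample of `netstat -ano` output (documentation-range addresses).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    192.0.2.10:49211       198.51.100.5:443       ESTABLISHED     4120
  TCP    192.0.2.10:49300       203.0.113.7:22         SYN_SENT        5016
  TCP    192.0.2.10:49301       203.0.113.7:23         SYN_SENT        5016
  TCP    192.0.2.10:49302       203.0.113.7:80         SYN_SENT        5016
  TCP    192.0.2.10:49303       203.0.113.7:445        SYN_SENT        5016
  TCP    192.0.2.10:49304       203.0.113.7:3389       SYN_SENT        5016
  TCP    192.0.2.10:49310       198.51.100.9:8080      SYN_SENT        4120
  UDP    0.0.0.0:500            *:*                                    1204
"""

if __name__ == "__main__":
    status, message, per_pid = evaluate(SAMPLE)
    print(status, "-", message, per_pid)
```

On a real host the text would come from `subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout`; keeping the parser separate from the command makes the threshold logic easy to test against saved output, which is how you would tune the threshold before rolling the monitor out.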
have a nice day! :)
 
Hi, I tried to run the script but it ended with a "the handle is invalid" error at line 35.