Thread: network security tools/suite

  1. #1
    Join Date
    Jan 2012
    Beans
    167
    Distro
    Ubuntu 12.04 Precise Pangolin

    network security tools/suite

    I'm working on a security tool for Linux to scan for vulnerabilities in my network. Instead of trying to fix problems, it will work as a warning system and send me an email if it detects ARP attacks, DoS attacks or duplicate MAC addresses. I'd be glad to pack this into a deb and open source it after I finish, but for now I'm stuck on detecting duplicate MACs/MAC spoofing. I was thinking of using nmap to scan for hosts and then make a script to compare the results, but nmap always gives too many details, which makes comparing things a pain in the backside to do. Does anyone know how to get a cleaner output from nmap, or another network scanner with a cleaner output?

  2. #2
    Join Date
    Jun 2011
    Location
    Atlanta Georgia
    Beans
    1,769
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: network security tools/suite

    Quote Originally Posted by z3nhakr View Post
    I'm working on a security tool for Linux to scan for vulnerabilities in my network. Instead of trying to fix problems, it will work as a warning system and send me an email if it detects ARP attacks, DoS attacks or duplicate MAC addresses. I'd be glad to pack this into a deb and open source it after I finish, but for now I'm stuck on detecting duplicate MACs/MAC spoofing. I was thinking of using nmap to scan for hosts and then make a script to compare the results, but nmap always gives too many details, which makes comparing things a pain in the backside to do. Does anyone know how to get a cleaner output from nmap, or another network scanner with a cleaner output?
    nmap has a ton of options that you could explore. In particular I would suggest ping scanning for this, or you can do a full scan, output the file in grepable format and grep through it.

    So an example command might be:

    Code:
    nmap -sP -oG filename 192.168.0.0/24
    then

    Code:
    # match one MAC address (six hex octets separated by colons); -E for extended regex, -o to print only the match
    grep -Eo "([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}" filename
    Or whatever options you wanted to throw on there; -A would probably be handy for nmap's output.

    Also, they have these types of tools already; they're called IDS. I would check out Snort or Suricata. Hope this helps.
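    The "compare the results" step the original poster is after, as an added example that is not code from anyone in this thread: a small Python script that parses nmap's normal (-oN) output, which carries a "MAC Address:" line for hosts on the local subnet when nmap runs as root, and flags one MAC claimed by several IPs (a duplicate MAC) plus any IP whose MAC differs from a saved baseline (the ARP-spoofing signal). The scan text and the baseline are constructed sample data, not a real scan.

```python
import re
from collections import defaultdict

# Constructed sample of nmap normal (-oN) ping-scan output; the MAC line is
# printed only for hosts on the local subnet when nmap runs as root.
SAMPLE_SCAN = """\
Nmap scan report for 192.168.0.1
Host is up (0.0012s latency).
MAC Address: 00:11:22:33:44:55 (Example Router)
Nmap scan report for 192.168.0.10
Host is up (0.0030s latency).
MAC Address: AA:BB:CC:DD:EE:01 (Example Vendor)
Nmap scan report for 192.168.0.20
Host is up (0.0041s latency).
MAC Address: aa:bb:cc:dd:ee:01 (Example Vendor)
"""

# Constructed baseline from an earlier, trusted scan of the same subnet.
BASELINE = {
    "192.168.0.1": "00:11:22:33:44:55",
    "192.168.0.10": "AA:BB:CC:DD:EE:01",
    "192.168.0.20": "AA:BB:CC:DD:EE:02",
}

# Host line is "Nmap scan report for IP" or "... for name (IP)".
HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})")

def parse_nmap_normal(text):
    """Return {ip: mac} for each host in normal output that reported a MAC."""
    hosts, ip = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            ip = m.group(1)
            continue
        m = MAC_RE.match(line)
        if m and ip:
            hosts[ip] = m.group(1).upper()  # normalise case before comparing
    return hosts

def find_anomalies(current, baseline):
    """Flag MACs claimed by several IPs and IPs whose MAC left the baseline."""
    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
    duplicates = {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}
    changed = {ip: (baseline[ip], mac) for ip, mac in current.items()
               if ip in baseline and baseline[ip] != mac}
    return duplicates, changed
```

    To use it on a real run, read the -oN file into parse_nmap_normal and hand the two dicts from find_anomalies to whatever mail hook the tool uses.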

  3. #3
    Join Date
    Apr 2011
    Beans
    20

    Re: network security tools/suite

    So is this going to be something like Nessus?

  4. #4
    Join Date
    Jun 2011
    Location
    Atlanta Georgia
    Beans
    1,769
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: network security tools/suite

    Quote Originally Posted by mattxhand View Post
    So is this going to be something like Nessus?

    From the description OP gave it sounds more like OSSEC or Snort. Nessus pretty much just scans versioning information and looks for known vulnerabilities. This seems more like it would detect certain attacks as they're happening as opposed to the potential for an attack to occur.

  5. #5
    Join Date
    Jan 2012
    Beans
    167
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: network security tools/suite

    Like dangertux said, I'm not trying to find holes but instead making a warning system that can notify me and possibly execute an emergency shutdown of vital network components. I tried grepping the nmap results and it told me I had new mail in /var/mail/root, but nothing was there from today!? BTW, -A (OS detection) doesn't work without a port scan.

  6. #6
    Join Date
    Jun 2011
    Location
    Atlanta Georgia
    Beans
    1,769
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: network security tools/suite

    Quote Originally Posted by z3nhakr View Post
    Like dangertux said, I'm not trying to find holes but instead making a warning system that can notify me and possibly execute an emergency shutdown of vital network components. I tried grepping the nmap results and it told me I had new mail in /var/mail/root, but nothing was there from today!? BTW, -A (OS detection) doesn't work without a port scan.
    -O is OS scan.

    -A runs all scripts in NSE (it also triggers a -sS scan automatically).

    In any case, they were two separate thoughts: one for MAC addresses, the other for OS fingerprinting.

    :-/
