Hi I need to check 500 servers to see if they can basically get an answer from port 8014 on a remote server 10.10.10.30.
If the host I am on is 10.10.10.20 and I want to see if it can connect to port 8014 on host 10.10.10.30 I would normally use telnet to find the answer:
Telnet 10.10.10.30 8014
I will get an answer if it can connect or a time out if I can not…
Is there a way to do this using native IEM scripting
You could run a task that would do this and output the result to a file, then use an analysis to read the results
If you have an application actively trying to connect (Symantec client is running, for instance) you can check its connection status with something like
exists sockets whose (remote port of it = 443 and established of tcp states of it and exists remote address whose (it as string = "192.168.1.1") of it) of network
checking only the existence of a remote port wouldn’t ensure the other end can connect, but this is definitely a smart first-step.
Quite right, see my edit above to verify the Established state and correct remote IP address.
Good stuff.
Of course, if that newly edited above relevance fails, that doesn’t mean a remote client can’t connect, it just means it is not currently connected.
i’d definitely suggest an analysis to really deep dive into many of these possibilities so you can figure out the subtitles of the specific failure or success indicators.
If you wanted to do it your original Telnet way…
Create a Task:
Relevance:
not exists file "/tmp/10101030-8014check"
ActionScript:
runhidden Telnet 10.10.10.30 8014 > "/tmp/10101030-8014check"
I don’t know what Telnet outputs but you’d just write an analysis that differentiates between success and failure
Analysis:
Property: Can Connect to 10.10.10.30
Relevance:
exists (lines of file "/tmp/10101030-8014check") whose (it contains "Connected to")
Instead of telnet, an option would be also to use nmap to test for the remote host/port availability (you can use the default fixlets to deploy a nmap scanpoint to distribute it on Windows and Linux systems), then you can use it in a task selecting the appropriate options depending on the protocol used by the listening host, and reducing the other discovery attempts. I’d specify the options -p8014 ( portlist) and -sT (for TCP) or -sU (for UDP sevice, depending on listening host’s behavior), and use the same analysis techniques suggested to return info about success/failure of connection, and possibly the latency of the connection. Also -Pn can help removing a ping attempt.
wait nmap -Pn -sT -p8014 -oN /tmp/10101030_8014.nmap 10.10.10.30 > /dev/null
should produce a file like:
Nmap scan report for 10.10.10.30
Host is up (0.11s latency).
PORT STATE SERVICE
8014/tcp closed unknown
and your analysis relevance will sound like:
exist lines whose (it contains open and it contains 8014) of file “/tmp/10101030_1084.nmap”
This technique will also allow you to identify with a single task other ports/hosts if you need to, and will not depend on telnet tcp timeout
.
Just to complement a little more this post for further usage, recently I had the same request to verify port connection status to a destination server.
Initially I tried the nmap coming from the BES Asset Discovery as suggested by Kapax. For Linux it worked ok but for Windows it was failing to install the winpcap.
As I didn’t want to waste time figuring out what was wrong with the wincap installation I used the portquery Microsoft binary uploaded to my root servers.
Below is the task if needed:
if {version of client >= “9.0”}
parameter “GTS_HOME” = “{pathname of parent folder of data folder of client}/BESScanner-NMAP”
else
parameter “GTS_HOME” = “{pathname of parent folder of file (value of variable “BESClientConfigPath” of environment)}/BESScanner-NMAP”
endif
if {(name of operating system as lowercase contains “red hat”) or (name of operating system as lowercase contains “centos”)}
// previously need to run the task Designate Nmap Scan Point RH/CentOS
delete /tmp/10101030_8014.nmap
delete __createfile
delete /tmp/check_itm.sh
createfile until ENDOFFILE!/bin/sh
cd {(parameter “GTS_HOME”)}
./nmap -Pn -sT -p8014 -oN /tmp/10101030_8014.nmap 10.10.10.30 > /dev/null
ENDOFFILE
move __createfile /tmp/check_itm.sh
wait chmod 755 /tmp/check_itm.sh
wait /tmp/check_itm.sh
elseif {(name of operating system as lowercase contains “win”)}
prefetch PortQry.exe sha1:6bc8bc559c80218055dcd58cc9376ea7d10babde size:143360 http://localhost:52311/Uploads/6bc8bc559c80218055dcd58cc9376ea7d10babde/PortQry.exe
parameter “standaloneSource” = “PortQry.exe”
parameter “PortQry” = "{(client folder of current site as string) & “__Download”}"
delete “{pathname of windows folder}\Temp\10101030_8014.nmap”
delete __createfile
delete “{pathname of windows folder}\Temp\check_itm.bat”
createfile until ENDOFFILE
cd “{(parameter “PortQry”)}”
{(parameter “standaloneSource”)} -n 10.10.10.30 -nr -e 8014 -l “{pathname of windows folder}\Temp\10101030_8014.nmap” > NUL
ENDOFFILE
move __createfile “{pathname of windows folder}\Temp\check_itm.bat”
waithidden “{pathname of windows folder}\Temp\check_itm.bat”
endif
The analysis will be pretty much the same:
Linux:
(if (name of operating system starts with “Linux Red Hat”) then ( exist lines whose (it contains “open” and it contains “8014”) of file “/tmp/10101030_8014.nmap” ) else ( error " " ) )
Windows:
(if (name of operating system starts with “Win”) then ( exists lines of file ((pathname of windows folder) & “\Temp\10101030_8014.nmap”) whose (it contains “TCP port 8014” AND it contains “LISTENING”) ) else ( " " ) )
@JasonWalker Hi Hope you are good, yours support really help me in renameing ATMFD.dll
Need yours support, here requirement is to telnet one ip form multiple windows computers for port 1433 & gathers the result.
What is the simplest way to do from Bigfix.
Waiting yours reply
Many thanks in advance.