Looking for a specific network connection

(imported topic written by amagewick91)

Hello everyone,

I would like to know if there is a relevance script that acts almost like the dos command NETSTAT, where I can look for a connection to a server on each machine. Our windows messenger clients connect to our old Exchange 2000 server, and I want to create a property that searches the computers for a connection to the server so that we know who is running and is actually connected to the server via the old client.

I hope this makes sense! Does anyone know of anything that can help me? I am going to look in the meantime and see if I can figure it out. If I do then I will post it.

(imported comment written by NoahSalzman)

The way you would do this is to have an Action that runs netstat and outputs the results to a temp file and then read the results in an Analysis.

(imported comment written by amagewick91)

Any pointers on how to setup the analysis to look at the file c:\emessnet.txt and to say X if it finds “NTEXCHANGE-CL4” and Y if it does not? :slight_smile:

I see that there is a “lines of file X”, so how do I write a “if lines of file X contain Y then Z” expression?

(imported comment written by NoahSalzman)

This is the super simple approach:

Q: (it contains "NTEXCHANGE-CL4") of (contents of file "c:\emessnet.txt")

A: True

However, if that machine name appears elsewhere in the output (for reasons unrelated to Windows Messenger) then you are going to get a false positive.
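An added example, not from the thread, of the column-aware check that avoids the false positive described above: instead of a substring match over the whole file, it parses the fixed columns of "netstat -o -a" output and only reports ESTABLISHED TCP sockets whose foreign host is the server in question. The sample output, addresses, ports and PIDs are constructed; only the server name NTEXCHANGE-CL4 comes from the thread.

```python
from typing import List, NamedTuple, Optional

# Constructed sample of Windows "netstat -o -a" output (addresses, ports, PIDs made up).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    192.168.10.25:1863     NTEXCHANGE-CL4:1863    ESTABLISHED     2212
  TCP    192.168.10.25:2301     NTEXCHANGE-CL4:5900    TIME_WAIT       0
  TCP    192.168.10.25:445      ntexchange-cl4.corp.example:445  ESTABLISHED 4
  UDP    0.0.0.0:123            *:*                                    1100
"""

class Conn(NamedTuple):
    proto: str
    local: str
    remote_host: str
    remote_port: str
    state: str   # "" for UDP rows, which carry no State column
    pid: int

def parse_netstat(text: str) -> List[Conn]:
    """Parse the columns of 'netstat -o -a' output into Conn records."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, blank line or column header
        proto, local, remote = parts[0], parts[1], parts[2]
        # TCP rows: Proto Local Foreign State PID; UDP rows: Proto Local Foreign PID
        state, pid = (parts[3], parts[4]) if proto == "TCP" else ("", parts[3])
        host, _, port = remote.rpartition(":")  # rpartition also copes with [ipv6]:port
        conns.append(Conn(proto, local, host, port, state, int(pid)))
    return conns

def connections_to(text: str, server: str, port: Optional[str] = None) -> List[Conn]:
    """Return ESTABLISHED TCP sockets whose foreign host is `server` (bare name or FQDN).

    Matching the parsed host column, case-insensitively, is what keeps an unrelated
    mention of the name elsewhere in the output from producing a false positive."""
    server = server.lower()
    hits = []
    for c in parse_netstat(text):
        host = c.remote_host.lower()
        if c.proto != "TCP" or c.state != "ESTABLISHED":
            continue
        if host != server and not host.startswith(server + "."):
            continue
        if port is not None and c.remote_port != port:
            continue
        hits.append(c)
    return hits
```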

(imported comment written by amagewick91)

Awesome. I knew I was on the right track but something little was stopping me.


I had my test action working to dump the netstat into a text file "netstat -o -a >> c:\emessnet.txt". I started to try to get it to delete the emessnet.txt file before creating the new one (so that it doesn't just keep adding to the file) and now it is not working. All that is happening now is that the action is putting the bes client path with "netstat -o -a >> c:\emessnet.txt" at the end over and over in the file, making a 2MB file of nothing but that…

What would be the “proper” way to run “netstat -o -a >> c:\emessnet.txt” into an action?

I have tried making a BAT file with “createfile” and running that, have tried the bes action “dos”, have tried the action “waithidden” and so forth. They are all now giving me this false file.

(imported comment written by amagewick91)

This is what the action is putting in the file…

C:\Program Files (x86)\BigFix Enterprise\BES Console\QnA__BESData>netstat -o -a 1>>c:\netstat.txt

It is taking "netstat -o -a >> c:\netstat.txt" and putting a 1 in there? This was working JUST FINE initially and now I absolutely cannot figure out what is going on. This happens on 2 machines.

(imported comment written by NoahSalzman)

>> appends

> overwrites

http://forum.bigfix.com/viewtopic.php?pid=21001#p21001

(imported comment written by amagewick91)

Good info! That takes care of the file deletion.

ok… I have a BAT file on my computer with the following within it

netstat -o -a > c:\netstat.txt

When I run the batch file (double click) this is what shows in the CMD window.

netstat -o -a 1>c:\netstat.txt"

WTH is going on?! lol. Where is this 1 coming from?

(imported comment written by amagewick91)

Alright, last night I created a new BAT file and imported it with the software dist wizard. It works now. I am not touching anything, and I am good to go!

I wished to do it the “createfile” route right in the action so that I can easily edit it in the future, but I know how to edit it the other way as well so I guess either method works fine.

(imported comment written by comjb)

With version 9 you can also achieve this using inspector relevance. Be forewarned, though, that it may bring back a large amount of data:

Show established or recently established connections:

(remote addresses whose (it as string != "127.0.0.1") of it, remote ports of it, tcp states whose (it as string != "LISTENING") of it, names of processes of it, users of processes of it) of sockets of network

Show listening ports:

(local addresses whose (it as string != "127.0.0.1") of it, local ports of it, tcp states whose (it as string = "LISTENING") of it, names of processes of it, users of processes of it) of sockets of network