Jack Coates' Blog

6 Posts tagged with the nmap tag

I just posted ldms_core 3.4.7, which integrates some of the feedback and discoveries of the last few weeks... thanks for all the help, folks. Debugging help and feature suggestions from LANDesk admins around the world are making this utility into a very useful tool indeed.

tall-tree.jpg

Here's a few notes about where it might (or might not) go next:

  • Scheduled Tasks
  •   
       
    •  
      •  
    • Check scheduled tasks and policies for RRD stats -- jobs without start times, jobs in success-level buckets, duplicated jobs...   
          
      •  
    •  
      •  
    • Delete ghost devices from scheduled tasks (stuck in active because they reported status). If they were from a query they should be deleted from the list, but if they were from a static targeting they should be moved to pending. http://community.landesk.com/support/message/17222#17222   
          
      •  
    •  
  • Import   ldms_delete_users, auto-reassign to single user or delete objects, give the user an option to decide what should be done. Alternatively, rewrite ldms_delete_users as a standalone tool...
  • NMAP as an XDD client add-on instead of a core-side piece... this implies some command-channel use and data-passing which are non-trivial, but entirely possible. On the plus side, it will also produce a much higher level of accuracy in OS fingerprinting.
  • Email
  •   
       
    •  
      •  
    • Be smart about hysteresis... maybe it could not send another email within a day unless the new email it wants to send is more urgent than the last email that it had to send? Users going from daily runs to hourly runs are having challenges sorting the important emails from the repetitive info.
      •  
    •  
      •  
    • Maybe it's email worthy that unmanaged nodes isn't fresh...   
          
      •  
    •  
  • Web pages and reports
  •   
       
    •  
      •  
    • In RRD pages, give textual data supporting the graph. That'll probably push it over the edge to needing templated data instead of straight html.   
          
      •  
    •  
      •  
    • Support proxy servers (nice to have for update check, will need for geo-location)   
          
      •  
    •  
      •  
    • Give links to non-RFC1918 addresses on maps: GeoIP2Location   
          
      •  
    •  
      •  
    • Drill-down from topology map with per subnet listings of computers, including inventory and remote control links for them   
          
      •  
    •  
  • Auto-import email from domain controller into ConsoleUser table. If UserName is like Directory and Email is blank, then import from AD. Requires AD credential input in UI.
  • Count duplicate serial number records and show a count before the number... e.g. "34 machines with serial number SystemSerialNumb, 2 machines with LYAC12"
  • More options, more smarts, more feedback, more efficiency...
  • Find why McAfee silently stops it from working properly when it's run as a scheduled task (error 0x9 in Windows scheduled task, immediate "success" as a LANDesk scheduled task, works great when run interactively from the start menu).
2 Comments Permalink Tags: ldms_core, droppedpackets, health, monitoring, nmap, core

Today I enhanced debug mode and provided for a debug logfile. I also did a bunch of refactoring and bug fixes... maybe half of what Perl Critic suggested. This isn't an urgent release unless you're having trouble, might as well wait for 3.0.

 

http://www.droppedpackets.org/scripts/ldms_core/ldms_core_2-0.zip/view

 

I've got some reports of problems with NMAP... it crashes and takes ldms_core.exe with it. That's not supposed to happen, so if it's happening to you, please let me know and send a debug file.

 

UPDATE: Talk about relentless... Arnold Garcia tested with the new debug stuff and helped me find a problem, along with some more debugging suggestions. I did some more refactoring as well, so I've posted again and let's call it 2.9.8. This is worth upgrading to if you've had trouble with NMAP.

 

The TODO list:

  1. TODO -- Test email button in the GUI

  2. TODO -- Setup should install a LANDesk LOCALEXEC script to run it

  3. TODO -- Provide visual feedback of activity stage, level

  4. TODO -- Check scheduled tasks and policies

  5. TODO -- plot non-RFC1918 addresses on a map

  6. TODO -- keep old information and show a trend.

  7. TODO -- purty Charts, http://search.cpan.org/src/CHARTGRP/Chart-2.4.1/README

  8. TODO -- when you find duplicate IP addresses, wipe out the one that has the

  9. older update date.

  10. TODO -- If the database isn't busy, reindex it? Detecting a need to reindex

  11. the database seems to be just as intrusive as actually reindexing the

  12. database. More research required before this can be done safely.

 

0 Comments Permalink Tags: ldms_core, nmap

Version 2.9.6 has been posted.

 

A customer request to maintain off-core patch repositories has been implemented, along with detection of duplicate IP addresses and a report of detected vulnerability counts by severity.

 

Trending over time remains on the drawing board, but may not happen until after 3.0... not many numbers left, and I really don't want to end up with 2.9.256 type versions. It's also occurred to me that I might be able to avoid wheel reimplementation by just formatting data outputs for MRTG to read and providing a nice installer package for it...

 

A higher priority (to me, anyway) change is to implement XDD-agent-side NMAP, and a web service to ingest the discovered OS Names. NMAP's accuracy is poor in large networks when it's run from a central core. Doing this project offers all sort of potentially fun challenges and is currently at least as shiny as more reporting.

2 Comments Permalink Tags: ldms_core, nmap, monitoring

ldms_core performance

Posted by Jack Coates Jul 15, 2008

I've done a few installs of ldms_core on servers where XDD or scheduled UDD has been running for a good long while in a 5,000 to 10,000 node environment, and I've found a bit of a performance issue. Eventually it all works itself out, but that first run takes a day or two to complete. Gradually it gets faster and faster, and within a week it works the way it does for a fresh LANDesk core. This post is not to announce a fix, just acknowledging that I see the problem and know what needs to be done.

 

This is what's happening: If NMAP's binary is found in the configured place, then ldms_core goes to the database and looks for targets with no OS Name, sorted by lastscantime desc for a LIFO scan order. So far so good, except a few months ago I realized that some NMAP scans finish in a few seconds, while others take several minutes. In order to get the most success up front, I first send a single ping packet to each target and see if it responds. If it answers ping, it goes to the front of the list, and if it doesn't, it goes to the back of the list.

 

That works really well when the list of targets is a few dozen machines, but when it's a few hundred machines the performance is terrible. As NMAP updates the OS Names, the target list becomes smaller, the pings go faster, and less time is taken. I'm not parallelizing any of this traffic, so a long time spent on step 1 means step 2 can cool its heels in the corner. This all fits with my design goal of "low and slow", under-the-radar information gathering, but no one can tell that it's doing anything -- there's an icon in the system tray and a couple of entries in event viewer, but no CPU, no network, no nothing.

 

I've considering batching targets into small groups, which I could then do in parallel, but decided it was too complex and wasteful of resources. So, the planned fix is a two parter:

  1. First, I'm going to log and balloon tip what's happening so that the end user knows that it's okay to leave it alone... killing the program and starting it over just makes it take longer, and all the statistics that they installed it for happen at the end.

  2. Second, I'm going to radically decrease the ping timeout -- if the node doesn't ICMP REPLY in a second or two, I know what I came for. Better still, if the machine responds to ping I'll do NMAP right away, but if it doesn't respond to ping I'll push it to the end of the line.

If you really care a lot, the source is installed with the binary, and this is the DoNMAP subroutine beginning at line 1119.

1 Comments Permalink Tags: ldms_core, nmap

 

Fixed some stupid bugs, nothing spectacular. http://www.droppedpackets.org/scripts/ldms_core/ldms_core/view for download.

 

 

ldms_core does have an exciting roadmap, though... now that I've got statistics flowing into the event viewer and event viewer reading code written, the next step is  to use a graphics module to generate trend lines. That'll be the 3.0 release.

 

 

After that, I'm thinking to leverage all sorts of nifty modules from CPAN. Geolocation looks like fun, for instance -- how about a Google Earth file that shows the last reported locations of any node that doesn't have an RFC1918 IP Address?

 

 

The memory impact of  renaming errorscan files is still impressive on heavily used cores, and I haven't come up with anything elegant for avoiding that, so I'm also thinking of ways to reduce the frequency that it's done at. For instance, I might select to run NMAP or ErrorScan renaming based on time of day, but not both at the same time...Using a big chunk of memory to build a fast lookup table is not something I'm really concerned about...until NMAP scanning keeps my program in memory for a couple of hours. User input on this decision is very welcome, as always.

 

 

 

 

 

0 Comments Permalink Tags: ldms_core, droppedpackets, monitoring, nmap, errorscans, maintenance

NMAP and Process Manager

Posted by Jack Coates Mar 11, 2008

 

http://www.droppedpackets.org/process-manager/ldms_nmap_lpm/

 

 

No doubt about it, this is a cool trick. However, I've gotten a lot of calls and emails from people building solutions based on these ideas, and I feel the need to clarify a few things:

 

  • NMAP isn't perfect. Network health, distance from the target, age of nmap version, type of device being scanned, and the weather in Katmandu can cause its accuracy to vary wildly.

  • LANDesk isn't NMAP. If you're getting goofy results, your best (only?) recourse is to work with the NMAP team to improve the results: http://nmap.org/osdetect/osdetect-unidentified.html

  • Even at less than 50% accuracy, the tool can still be useful. This trick is typically employed in environments where a network security breach is extremely important, or where the tracked equipment is worth as much as a new car. If an XDD event is not worth getting out of your chair to investigate, then integrating NMAP into LANDesk may not be worth your time... but if it is, using this sort of technique can be a lifesaver at any accuracy level.

 

0 Comments 0 References Permalink Tags: nmap, lpm, droppedpackets, xdd, udd

Popular Blog Posts

Incoming Links

LANDesk Community powered by Jive Software's Clearspace ® Subscribe| Legal Notices| Investor Relations| Avocent| Privacy Policy © 2009 LANDesk Software