How to tail netstat and pass results to IP intelligence function


    • #272488
      Participant
      Topics: 2
      Replies: 6
      Points: 32
      Rank: Member

      Quick question.. let’s say I want to plug this script into a constant running netstat to scan IPs targeting a specific port. Anyone know how to basically tail netstat and constantly be passing new IP connections to a particular script?

    • #272491
      Participant
      Topics: 2
      Replies: 6
      Points: 32
      Rank: Member

      Hmm, so with no reply yet I am going to stab in the dark at my own question:

      Could be written out to a file (in a loop), as the file modification is completed some form of SQLite database is checked against ref https://social.technet.microsoft.com/wiki/contents/articles/30562.powershell-accessing-sqlite-databases.aspx

      While you are PowerShelling and adding the IPs to either a whitelist or blacklist in the SQLite – we are not going to waste API token calls.

      Essentially this is a great case for SQLite in my opinion, to handle IP lists and then we could properly call Windows’ in-built firewall functionality to block the connections.

      Hmm.. neat, now where to buy a lotta friggin’ coffee.. I don’t like the idea of all that I/O for writing the file though.

      Surely someone here knows a better way to throw that grep IP memory list against the SQLite perhaps? Meh, idk.. if anyone has ideas on better direction pls lmkkk < 3 ily

      Okay so after brainstorming more:

      1. Call the netstat and grep out all the IPs
      2. For each item, check against SQLite whitelist and blacklist for the IPs
      3. Kick off all the scans in some sorta queue / jobs list
      4. Keep the netstat generation going and queueing up the scan list
      5. Firewall off any blacklist IPs

      Hmm, seems legit – now to go from pseudocode to beardspeak

      • This reply was modified 2 weeks ago by Ciphers42.
    • #272599
      Participant
      Topics: 5
      Replies: 177
      Points: 686
      Helping Hand
      Rank: Major Contributor

      Why can’t you use Get-NetTcpConnection? It would return objects instead of text that has to be parsed.


      • This reply was modified 2 weeks ago by Mike R..
    • #274248
      Participant
      Topics: 2
      Replies: 6
      Points: 32
      Rank: Member

      That would work, assuming you also grab the UDP ports – not just TCP

    • #274596
      Participant
      Topics: 5
      Replies: 177
      Points: 686
      Helping Hand
      Rank: Major Contributor

      If you need UDP as well, you’ll probably need to use netstat. I threw together a quick PowerShell wrapper for netstat -ano. This should get you what you need. Just call Get-Netstat and it will return objects with the needed properties.
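
      The following is an added example, not Mike R.’s wrapper (his posted code is missing from this page). It shows both things the thread asks for: a parser that turns `netstat -ano` text into objects for TCP and UDP rows, and the poll-and-check loop from the five-step plan earlier in the thread, where every newly seen remote IP on the watched port is checked against an allow list and a block list before anything is queued for an intelligence lookup. The allow and block lists are in-memory hash sets standing in for the SQLite tables, the `Select-NewRemoteIP` name is chosen here, and the netstat text is a constructed sample so the script runs without touching a live host.

```powershell
# Added example; not the wrapper posted in the thread. Allow/block lists are
# hash sets standing in for the SQLite tables; sample netstat text is constructed.

function ConvertFrom-NetstatLine {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    process {
        # netstat -ano columns: Proto, Local Address, Foreign Address, [State], PID.
        # UDP rows have no State column, so they split into 4 fields instead of 5.
        $f = $Line.Trim() -split '\s+'
        if ($f.Count -lt 4 -or $f[0] -notmatch '^(TCP|UDP)$') { return }

        if ($f[0] -eq 'TCP') { $state = $f[3]; $procId = $f[4] }
        else                 { $state = $null; $procId = $f[3] }

        # Addresses are "ip:port" or "[ipv6]:port"; the UDP foreign side is often "*:*".
        $addr = '^(?<ip>\[.*\]|[^:]+|\*):(?<port>\d+|\*)$'
        $l = [regex]::Match($f[1], $addr)
        $r = [regex]::Match($f[2], $addr)
        if (-not ($l.Success -and $r.Success)) { return }

        # "*" means no port; everything else becomes an int so -eq 443 works.
        $toPort = { param($v) if ($v -eq '*') { $null } else { [int]$v } }

        [pscustomobject]@{
            Protocol      = $f[0]
            LocalAddress  = $l.Groups['ip'].Value.Trim('[', ']')
            LocalPort     = & $toPort $l.Groups['port'].Value
            RemoteAddress = $r.Groups['ip'].Value.Trim('[', ']')
            RemotePort    = & $toPort $r.Groups['port'].Value
            State         = $state
            ProcessId     = [int]$procId
        }
    }
}

function Get-Netstat {
    # Runs netstat -ano unless the caller passes captured text (useful for testing offline).
    param([string[]]$NetstatOutput)
    if (-not $NetstatOutput) { $NetstatOutput = & netstat -ano }
    $NetstatOutput | ConvertFrom-NetstatLine
}

function Select-NewRemoteIP {
    # Emulates "tailing" netstat: each poll emits only remote IPs not seen before
    # on the watched local port, with an Allow / Block / Lookup verdict attached.
    param(
        [Parameter(Mandatory)][object[]]$Connections,
        [Parameter(Mandatory)][int]$LocalPort,
        [Parameter(Mandatory)][System.Collections.Generic.HashSet[string]]$Seen,
        [Parameter(Mandatory)][System.Collections.Generic.HashSet[string]]$AllowList,
        [Parameter(Mandatory)][System.Collections.Generic.HashSet[string]]$BlockList
    )
    foreach ($c in $Connections) {
        if ($c.LocalPort -ne $LocalPort) { continue }
        if ($c.RemoteAddress -in '0.0.0.0', '*', '::', '127.0.0.1') { continue }  # listeners / loopback
        if (-not $Seen.Add($c.RemoteAddress)) { continue }                       # already handled

        $verdict = if ($BlockList.Contains($c.RemoteAddress))     { 'Block' }
                   elseif ($AllowList.Contains($c.RemoteAddress)) { 'Allow' }
                   else                                           { 'Lookup' }  # unknown: queue for the API
        $c | Add-Member -NotePropertyName Verdict -NotePropertyValue $verdict -PassThru
    }
}

# Constructed sample of netstat -ano output (documentation-range addresses, not a real host).
$sample = @'
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:443           198.51.100.7:51234     ESTABLISHED     4
  TCP    10.0.0.5:443           203.0.113.9:40001      ESTABLISHED     4
  TCP    [::]:443               [::]:0                 LISTENING       4
  UDP    0.0.0.0:443            *:*                                    1234
  UDP    [fe80::1%3]:546        *:*                                    1234
'@ -split "`r?`n"

$seen  = [System.Collections.Generic.HashSet[string]]::new()
$allow = [System.Collections.Generic.HashSet[string]]::new([string[]]@('198.51.100.7'))
$block = [System.Collections.Generic.HashSet[string]]::new([string[]]@('192.0.2.250'))

# Two polls over the same sample: the second emits nothing because both IPs are already in $seen.
# For a live host drop -NetstatOutput, make the loop while ($true) and uncomment the sleep.
for ($i = 1; $i -le 2; $i++) {
    "Poll $i"
    Select-NewRemoteIP -Connections (Get-Netstat -NetstatOutput $sample) -LocalPort 443 `
        -Seen $seen -AllowList $allow -BlockList $block |
        Format-Table Protocol, RemoteAddress, RemotePort, ProcessId, Verdict
    # Start-Sleep -Seconds 5
}
```

      On the first poll the script emits 198.51.100.7 as Allow and 203.0.113.9 as Lookup; listeners, the `*:*` UDP rows and the IPv6 wildcard are filtered out, and the second poll emits nothing. Objects with a Lookup verdict are the ones worth spending API tokens on, which is the point of checking the lists first; the `$seen` set is what turns a repeated `netstat -ano` snapshot into something that behaves like a tail.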


    • #274686
      Participant
      Topics: 2
      Replies: 6
      Points: 32
      Rank: Member

      Whoa, this is exactly perfectly awesome – you are a rockstar Mike 🙂

      Thank you for parsing out the info from netstat.

      I am going to make use of this to feed the data into an SQLite database to get some neat statistics with bytes sent/received.

      Malicious scores, along with being able to sort through most noisy IPs (data, time connected, ports, etc)

      A lot of potential seems available with making use of simple in-built tools

    • #274740
      Participant
      Topics: 9
      Replies: 677
      Points: 2,680
      Helping Hand
      Rank: Community Hero

      Here’s Mike’s nice code just written a bit differently.

      Mike’s is much faster.
