Alerts for changes to ports

Hi,

Has anyone got a way to set up alerts to respond to changes detected between one scan and another on the same target?

I’m specifically looking to try to automate an alert if there are changes to the ports detected between the most recent and the 2nd oldest scan.

Thanks!

Here are my initial thoughts about this, but I hope that someone can review my perspective and correct me if I’m wrong. Maybe Greenbone isn’t the easiest tool to accomplish this goal.
For example, you could use Python to instantiate nmap such as the command below, and compare the output to a stored previous version.

nmap -oX port_scan.xml <target>

However, using the Greenbone web interface, you have a couple of different options depending on your requirements for accuracy and granularity.

You could:

  1. Create a task that uses a System Discovery scan config. It will have a Ports tab, but I don’t immediately know how to filter based on that directly. If someone knows that is possible, maybe they can say how to do that.
  2. You can create a results filter like vulnerability=Services and apply it to the results from the task. This will essentially filter service identification results. But, I don’t know if a result will show for an open port with an unidentifiable service. Again, that’s a question for someone with more expertise than me.
  3. Set an Alert such that the alert checks every time the task is done, if the filter vulnerability=Services has “X more results than the previous scan”.
  4. Configure a custom report filter that sends you the service listings.

Although there is a reliable 1-1 match between ports and vulnerability=Services report items (at least for identifiable services), there are some problems with this method:

  1. I don’t know what happens if one service is gone and another has been enabled. This would have the same results count, so the alert condition (“X more results than the previous scan”) may miss it. I think this is easy to test to determine.
  2. Also, the scan could detect multiple hostnames if, for example, you have multiple Apache vhosts configured on the same server, resulting in duplicates of services across each vhost. You could fix that by adding hostname="<your-hostname>" to the results filter.

So, if your use case requires more accurate detection, you would likely want a strategy such as using python-gvm to interact directly with GMP.

  1. Get the results using a filter to get the results from the last two scans of a task,
  2. Compare the XML between those results.

This method is more complex than just using nmap, hence my first answer.

Maybe someone with more experience than me will have an easier approach.
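As an added example (not code from the original post or from Greenbone), here is the nmap-based approach described above in Python: parse two `nmap -oX` outputs (constructed samples embedded inline, not real scan data) and flag ports that opened or closed since the previous scan, including the swap case from problem 1 where the total count stays the same. The `alert_if_changed` function is a hypothetical hook where you would plug in your own notification.

```python
"""Diff the open ports reported by two `nmap -oX` scans of the same target."""
import xml.etree.ElementTree as ET

# Constructed sample output in nmap's -oX format (not real scan data).
PREVIOUS_SCAN = """<?xml version="1.0"?>
<nmaprun><host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
<port protocol="tcp" portid="443"><state state="closed"/></port>
</ports></host></nmaprun>"""

# Same host later: 80/tcp went away and 3389/tcp appeared, so the open-port count is unchanged.
LATEST_SCAN = """<?xml version="1.0"?>
<nmaprun><host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
<port protocol="tcp" portid="443"><state state="closed"/></port>
</ports></host></nmaprun>"""


def open_ports(nmap_xml: str) -> set:
    """Return {(address, protocol, port)} for every port nmap reports as open."""
    root = ET.fromstring(nmap_xml)
    found = set()
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") == "open":
                found.add((addr, port.get("protocol"), int(port.get("portid"))))
    return found


def port_changes(previous_xml: str, latest_xml: str) -> dict:
    """Set difference in both directions, so a swap (one port closed, another newly
    opened) is flagged even though the total number of open ports is unchanged."""
    before, after = open_ports(previous_xml), open_ports(latest_xml)
    return {"opened": after - before, "closed": before - after}


def alert_if_changed(previous_xml: str, latest_xml: str) -> bool:
    """Hypothetical alert hook: print each change and return True if any was found."""
    changes = port_changes(previous_xml, latest_xml)
    for kind, ports in changes.items():
        for addr, proto, number in sorted(ports):
            print(f"ALERT: {addr} {proto}/{number} {kind}")
    return bool(changes["opened"] or changes["closed"])


if __name__ == "__main__":
    alert_if_changed(PREVIOUS_SCAN, LATEST_SCAN)
```

In practice you would read the two XML files saved from consecutive `nmap -oX` runs instead of the embedded strings, and replace the print with your alerting mechanism.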