c8121/sntools

sntools

Some network tools for monitoring networks or providing machine information via shell, e-mail or http.

Requirements

Download & Build

git clone https://github.com/c8121/sntools.git
cd sntools
./build.sh

Tools

arp-scan-util

Uses arp-scan to scan the network. Stores IPs, MACs and hostnames in a local LMDB database.

arp-scan-util -i <interface> [-d <lmdb-directory>] [-v]
Parameter Description
i Interface name
d Directory path for LMDB database
v Enable verbose mode

arp-history

Show stored data generated by arp-scan-util

arp-history [-t] [-d <lmdb-directory>] [-q <ip or mac>]
Parameter Description
q Query (IP or MAC)
d Directory path for LMDB database
t Table format output

hostwatch

Uses tcpdump to monitor traffic. Counts bytes transferred between two hosts and shows a sorted table

hostwatch [-x] [-v] [-m <port>]  [-n <hosts-to-print>] [-s <ip>] [-p <port>] [-h] -i <interface>
Parameter Description
i Interface name
v Enable verbose mode (repeat v for more output)
m Port number: Strip ports above given number
x Ignore direction of communication between two hosts
n Number of hosts to be shown
h Show number in human readable format
s Run in server mode and bind to ip
p Port to bind server to (default: 8002)
t Timespan in seconds to be observed (default: 3600)

Example: watch connections and provide the data via HTTP (-s 0.0.0.0 binds the server to all interfaces, on the default port 8002):

./bin/hostwatch -s 0.0.0.0 -x -i enx6

exec-and-mail

Execute a command and send its output via SMTP after a given number of lines or after a timeout.

exec-and-mail [-c <buffer-line-count>] [-t <wait-timeout-seconds>] [-v] [-s <subject>] <host> <port> <from> <to> "<command>"
Parameter Description
c How many lines to read from the command before sending an e-mail
t How long to wait (in seconds) before sending an e-mail if there is at least one line
v Enable verbose mode (repeat v for more output)
s E-mail subject

httpd-exec

Execute a command every time a client connects and send the output to the client. Dangerous: the configured command runs for every connecting client, so use with care, as any command can be used.

httpd-exec [-c <content-type>] [-p <port>] "<command>"
Parameter Description
c Response content-type (default is "text/plain")
p Port to bind to (default is 8001)
v Enable verbose mode

Example: Provide arp-history via HTTP:

./bin/httpd-exec -c "text/html" "./bin/arp-history -t | ./bin/html"

udpd-echo

Listen for UDP-Packets and write contents to stdout, syslog or a file

udpd-echo [-p port] [-s] [-f file]
Parameter Description
p Port to bind to (default is 9666)
f Filename to write to
s Write to syslog

Example: Listen to port 9660 and write messages to /tmp/upd-messages.txt

./bin/udpd-echo -p 9660 -f /tmp/upd-messages.txt

udpc-sysinfos

Gather system information and send udp messages (WIP, not much info available at the moment).

udpc-sysinfos [-s sender name] [-h host] [-p port] [expression]
Parameter Description
h Host to send to
p Port number to send to
s Sender name

Available expressions to gather system information:

  • filesystem:name:warn-usage-percentage
    Check available size (blocks & inodes) of named filesystem.
    Send a warning if usage is higher than given percentage.
    Example: filesystem:/home:80

expect-input

Reads from stdin and looks for texts to appear. For each text an interval in seconds is defined. If the text does not appear within the given number of seconds, a warning will be shown.

expect-input <text to expect> <seconds> [<text to expect> <seconds>...]

Example: Expect that "Hello World" appears at least every 10 seconds in /tmp/test.txt and "Test" must appear at least every 15 seconds

tail -f /tmp/test.txt | ./bin/expect-input "Hello World" 10 "Test" 15

snort-scan-util

Uses snort to monitor networks.

snort-scan-util [-s] [-v] -h <home network> -i <interface>
Parameter Description
i Interface name
h Home network
m Strip port from source host
v Enable verbose mode
t Timespan in seconds to be observed (default: 3600)

Bash scripts

arp-scan-and-mail-changes.sh

Scan the network with arp-scan-util and send an e-mail only if changes were detected (based upon data from the local LMDB database).
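
The change check this script describes, as an added example (not the project's own script): it compares a previous IP/MAC inventory with a fresh scan and prints only the differences. The text format `<ip> <mac> [hostname]`, the function name `arp_diff` and the sample data are assumptions; the real tools keep their data in LMDB.

```shell
#!/bin/sh
# Added example: compare a stored IP/MAC inventory with a fresh scan.
# Assumed line format (not taken from sntools): "<ip> <mac> [hostname]".

# arp_diff KNOWN_FILE SCAN_FILE
# Prints one line per change:
#   MAC_CHANGED <ip> <old-mac> <new-mac>   known IP now answers with another MAC
#   IP_CHANGED  <mac> <old-ip> <new-ip>    known MAC seen on another IP
#   NEW_HOST    <ip> <mac>                 neither IP nor MAC seen before
arp_diff() {
    awk '
        NF < 2 { next }                      # skip blank or malformed lines
        { ip = $1; mac = tolower($2) }       # MAC case differs between tools
        # First file is the known state. Comparing FILENAME instead of using
        # NR == FNR keeps this correct when the known file is still empty.
        FILENAME == ARGV[1] { mac_of[ip] = mac; ip_of[mac] = ip; next }
        (ip in mac_of) && mac_of[ip] != mac { print "MAC_CHANGED", ip, mac_of[ip], mac; next }
        (ip in mac_of) { next }              # unchanged pair
        (mac in ip_of) { print "IP_CHANGED", mac, ip_of[mac], ip; next }
        { print "NEW_HOST", ip, mac }
    ' "$1" "$2"
}

# Constructed sample data (documentation-range IPs and MACs).
demo_dir=$(mktemp -d)
cat > "$demo_dir/known" <<'EOF'
192.0.2.1 00:00:5e:00:53:01 gateway
192.0.2.10 00:00:5e:00:53:10 printer
192.0.2.20 00:00:5e:00:53:20 laptop
EOF
cat > "$demo_dir/scan" <<'EOF'
192.0.2.1 00:00:5E:00:53:AA gateway
192.0.2.10 00:00:5E:00:53:10 printer
192.0.2.21 00:00:5e:00:53:20 laptop
192.0.2.30 00:00:5e:00:53:30
EOF
changes=$(arp_diff "$demo_dir/known" "$demo_dir/scan")
# Report only when something changed; an empty result means no e-mail.
if [ -n "$changes" ]; then
    printf '%s\n' "$changes"
fi
rm -rf "$demo_dir"
```

A `MAC_CHANGED` line for a gateway address is the case worth alerting on first, since it is what ARP spoofing of the gateway looks like in this inventory; it also appears after a legitimate hardware swap.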

arp-history-mail.sh

Send all known MACs with IPs via e-mail. Uses arp-history to read data from local LMDB database.

License

GPL-3.0, GPL-3.0 licenses found
