Schedule Nmap baseline scanning for potential anomaly discovery
Nmap-Baseline is a set of Python scripts that allow users to run scheduled Nmap scans of their network, save the scan results, optionally retrieve the reports from a remote host, and diff them against the previous scan's report. This is meant as a simple method for SOC analysts, network administrators, or even home users to regularly monitor their network environment for potential anomalies such as new or unknown hosts, newly listening ports, etc.
The primary scanning script, nmap-baseline.py, accepts one or more IP addresses or CIDR ranges for scanning, either on the command line or from a text file. The user then sets a cron job to run this script, preferably nightly, to ensure continual coverage. Depending on the number of hosts being scanned, an XML report should be available by the morning, if not sooner, and can then be retrieved from the scanning host using the get-reports.py script.
The primary scanning script, nmap-baseline.py, performs a reasonably timid discovery scan against a user-specified set of hosts. The scan trades speed for service-detection accuracy. The Nmap flags are -sT --version-light -T4 by default, but a command line argument switches the scan to a SYN scan. IPv6 scanning is also available as an option. Please note that the SYN scan option requires root permissions, as Nmap itself requires.
XML reports are saved in a user-defined directory after every successful scan. If you are running the scans from one host but want to compare scan reports on a separate host, such as your local system, the helper script handle-reports.py uses SFTP to retrieve the latest report (or all reports) saved in the user-specified directory. This helper script also allows you to perform a diff of two XML reports and display any changes in existing hosts, newly discovered hosts, or hosts that have disappeared.
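The report diff described above, as an added illustration that is not code from the Nmap-Baseline project: it parses two Nmap XML reports with the standard library, keeps only hosts that were up and ports that were open, and reports hosts that appeared, hosts that vanished, and ports that opened or closed on hosts present in both scans. The two XML documents are constructed samples in the Nmap XML layout (host, address, ports/port, state, service elements), not real scan output; the function and variable names are this example's own.

```python
"""Diff two Nmap XML reports: new hosts, vanished hosts, and changed open ports."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample reports (not real scan output). The "baseline" is the
# previous night's scan; the "current" scan shows one host gone, one host new,
# and one existing host with port 80 closed and 3389 newly open.
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sT --version-light -T4 192.0.2.0/29">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports></host>
  <host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
    </ports></host>
</nmaprun>"""

CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sT --version-light -T4 192.0.2.0/29">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports></host>
  <host><status state="down"/><address addr="192.0.2.11" addrtype="ipv4"/></host>
  <host><status state="up"/><address addr="192.0.2.12" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports></host>
</nmaprun>"""


def parse_report(xml_text):
    """Return {address: {(protocol, port, service)}} for hosts that were up.

    Only ports in state "open" are kept; closed/filtered ports are noise for
    a baseline comparison. IPv4 is preferred, falling back to IPv6.
    """
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = host.find("address[@addrtype='ipv6']")
        if addr is None:
            continue
        open_ports = set()
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            service = port.find("service")
            name = service.get("name", "") if service is not None else ""
            open_ports.add((port.get("protocol"), int(port.get("portid")), name))
        hosts[addr.get("addr")] = open_ports
    return hosts


def diff_reports(old, new):
    """Compare two parsed reports and return new, gone, and changed hosts."""
    new_hosts = sorted(set(new) - set(old))
    gone_hosts = sorted(set(old) - set(new))
    changed = {}
    for ip in sorted(set(old) & set(new)):
        opened = sorted(new[ip] - old[ip])
        closed = sorted(old[ip] - new[ip])
        if opened or closed:
            changed[ip] = {"opened": opened, "closed": closed}
    return {"new_hosts": new_hosts, "gone_hosts": gone_hosts, "changed": changed}


def format_diff(result):
    """Render the diff as human-readable lines for a terminal or a ticket."""
    lines = []
    for ip in result["new_hosts"]:
        lines.append(f"NEW HOST   {ip}")
    for ip in result["gone_hosts"]:
        lines.append(f"GONE HOST  {ip}")
    for ip, change in result["changed"].items():
        for proto, port, svc in change["opened"]:
            lines.append(f"OPENED     {ip} {port}/{proto} ({svc})")
        for proto, port, svc in change["closed"]:
            lines.append(f"CLOSED     {ip} {port}/{proto} ({svc})")
    return lines or ["no changes"]


def load_report(path):
    """Read an Nmap XML report from disk and parse it."""
    with open(path, encoding="utf-8") as fh:
        return parse_report(fh.read())


if __name__ == "__main__":
    # Usage: python nmap_diff.py baseline.xml current.xml
    # With no arguments, the constructed samples above are compared.
    if len(sys.argv) == 3:
        old, new = load_report(sys.argv[1]), load_report(sys.argv[2])
    else:
        old, new = parse_report(BASELINE_XML), parse_report(CURRENT_XML)
    print("\n".join(format_diff(diff_reports(old, new))))
```

Run against two saved reports, it prints one line per finding; the host whose status flipped to down is reported as gone rather than as a host with every port closed, which matches how an analyst would triage it.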