000029828 - Port scanning tool for RSA NetWitness Logs & Network

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support on Sep 6, 2019.
Version 7

Article Content

Article Number: 000029828

Applies To

RSA Product Set: NetWitness Logs & Network

RSA Product/Service Type: NetWitness Core
RSA Version/Condition: 10.6.x, 11.x

Platform: CentOS
Issue

NetWitness Logs & Network requires a number of ports to communicate between NetWitness appliances and other hosts.  A port diagram and a list of the required ports are posted at the following links.  You may use this article and the attached Python script to check the status of these ports.

NetWitness 11.x


Deployment Guide: Network Architecture and Ports


NetWitness 10.6.x


Network Architecture and Ports


This script also checks for the two additional ports (8140 and 61614) noted in article 000029807 - RSA Security Analytics 10.4 is experiencing connectivity issues due to blocked ports.


Download the attached script, copy it to each of your NetWitness appliances and run the script to check the 96 ports used by NetWitness.
Resolution

Follow these steps to test ports between RSA NetWitness appliances.
  1. Download nwportscan-20190819-1.py attached to this article.
  2. Copy nwportscan-20190819-1.py to each NetWitness appliance to be tested using scp, WinSCP or a similar file transfer tool.
  3. Navigate to the folder where you have copied the script, for example:

     cd /root

  4. Make the script executable with the following command:

     chmod +x nwportscan-20190819-1.py

  5. Execute the script:

     ./nwportscan-20190819-1.py

  6. When prompted, enter the host name or IP address of the target host to be scanned.
  7. Wait for the script to complete.  This will take between two seconds and nine minutes in most cases.
  8. Review the output file for details:

     less ./portstatus.txt

  9. The output file will provide the date the report was run, the source and target host names, a timestamp for each port tested, and the port number and status.  Status is either OPEN or CLOSED.

If the time between port tests is longer than a few milliseconds, it might imply network latency.  In our test lab, hosts on the same switch reply within a few milliseconds while hosts on different switches take as long as one second to respond.

Study the closed ports that are used by your specific appliance, using the Network Architecture and Ports guide linked above as a reference.  Make sure all ports used by any given appliance are OPEN.
 

Sample Output of portstatus.txt




# cat ./portstatus.txt
Run Date: Thu Aug 22 04:51:45 2019
Source Host:  LOGHYB
Target Host:  192.168.1.57

Time
%H:%M:%S.%f Port #: Status
==========================
04:51:45.7011 Port 21: OPEN
04:51:45.7021 Port 22: OPEN
04:51:45.7028 **Port 25: *CLOSED*
04:51:45.7045 **Port 53: *CLOSED*
04:51:45.7051 **Port 80: *CLOSED*
04:51:45.7057 **Port 89: *CLOSED*
04:51:45.7064 Port 111: OPEN
04:51:45.7070 **Port 389: *CLOSED*
04:51:45.7077 **Port 443: *CLOSED*
04:51:45.7081 Port 514: OPEN
04:51:45.7086 **Port 636: *CLOSED*
04:51:45.7089 **Port 2049: *CLOSED*
04:51:45.7096 **Port 2888: *CLOSED*
04:51:45.7101 **Port 3888: *CLOSED*
04:51:45.7106 Port 4369: OPEN
04:51:45.7110 **Port 4505: *CLOSED*
04:51:45.7114 **Port 4506: *CLOSED*
04:51:45.7118 **Port 5181: *CLOSED*
04:51:45.7121 **Port 5432: *CLOSED*
04:51:45.7126 **Port 5660: *CLOSED*
04:51:45.7129 Port 5671: OPEN
04:51:45.7139 **Port 5900: *CLOSED*
04:51:45.7151 Port 6514: OPEN
04:51:45.7158 **Port 7005: *CLOSED*
04:51:45.7162 **Port 7007: *CLOSED*
04:51:45.7165 **Port 7050: *CLOSED*
04:51:45.7168 **Port 7054: *CLOSED*
04:51:45.7172 **Port 7220: *CLOSED*
04:51:45.7175 **Port 7221: *CLOSED*
04:51:45.7178 **Port 7222: *CLOSED*
04:51:45.7182 **Port 8080: *CLOSED*
04:51:45.7187 **Port 8140: *CLOSED*
04:51:45.7193 **Port 8443: *CLOSED*
04:51:45.7197 **Port 9001: *CLOSED*
04:51:45.7201 **Port 9443: *CLOSED*
04:51:45.7207 **Port 9997: *CLOSED*
04:51:45.7209 **Port 9998: *CLOSED*
04:51:45.7212 Port 15671: OPEN
04:51:45.7216 Port 25672: OPEN
04:51:45.7221 **Port 27017: *CLOSED*
04:51:45.7226 Port 50001: OPEN
04:51:45.7230 Port 50002: OPEN
04:51:45.7235 **Port 50003: *CLOSED*
04:51:45.7238 **Port 50004: *CLOSED*
04:51:45.7241 Port 50005: OPEN
04:51:45.7245 Port 50006: OPEN
04:51:45.7251 **Port 50007: *CLOSED*
04:51:45.7254 **Port 50008: *CLOSED*
04:51:45.7258 **Port 50009: *CLOSED*
04:51:45.7261 **Port 50010: *CLOSED*
04:51:45.7266 **Port 50020: *CLOSED*
04:51:45.7269 **Port 50022: *CLOSED*
04:51:45.7272 **Port 50025: *CLOSED*
04:51:45.7274 **Port 50030: *CLOSED*
04:51:45.7277 **Port 50035: *CLOSED*
04:51:45.7280 **Port 50036: *CLOSED*
04:51:45.7283 **Port 50040: *CLOSED*
04:51:45.7286 **Port 50060: *CLOSED*
04:51:45.7288 **Port 50070: *CLOSED*
04:51:45.7291 Port 50101: OPEN
04:51:45.7295 Port 50102: OPEN
04:51:45.7299 **Port 50103: *CLOSED*
04:51:45.7302 **Port 50104: *CLOSED*
04:51:45.7304 Port 50105: OPEN
04:51:45.7308 Port 50106: OPEN
04:51:45.7312 **Port 50107: *CLOSED*
04:51:45.7314 **Port 50108: *CLOSED*
04:51:45.7318 **Port 50120: *CLOSED*
04:51:45.7321 **Port 50125: *CLOSED*
04:51:45.7324 Port 50202: OPEN
04:51:45.7328 **Port 51113: *CLOSED*
04:51:45.7331 Port 56001: OPEN
04:51:45.7334 Port 56002: OPEN
04:51:45.7338 **Port 56003: *CLOSED*
04:51:45.7340 **Port 56004: *CLOSED*
04:51:45.7343 Port 56005: OPEN
04:51:45.7346 Port 56006: OPEN
04:51:45.7349 **Port 56007: *CLOSED*
04:51:45.7352 **Port 56008: *CLOSED*
04:51:45.7354 **Port 56020: *CLOSED*
04:51:45.7357 **Port 56025: *CLOSED*
04:51:45.7360 Port 56202: OPEN
04:51:45.7363 **Port 60000: *CLOSED*
04:51:45.7367 **Port 60006: *CLOSED*
04:51:45.7370 **Port 60007: *CLOSED*
04:51:45.7372 **Port 61614: *CLOSED*
04:51:45.7375 **Port 64000: *CLOSED*
04:51:45.7378 **Port 64001: *CLOSED*
04:51:45.7381 **Port 64002: *CLOSED*
04:51:45.7383 **Port 64003: *CLOSED*
04:51:45.7386 **Port 64004: *CLOSED*
04:51:45.7389 **Port 64005: *CLOSED*
04:51:45.7392 **Port 64006: *CLOSED*
04:51:45.7395 **Port 64007: *CLOSED*
04:51:45.7397 **Port 64008: *CLOSED*
04:51:45.7399 **Port 64009: *CLOSED*
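
An added example (not part of the RSA article or the attached script): a small parser for the portstatus.txt format shown above that lists required ports reported CLOSED and flags long gaps between consecutive results, the two checks the review step describes. The REQUIRED set, the 100 ms threshold and the sample text are constructed for illustration; take the real port list for your appliance from the Network Architecture and Ports guide.

```python
import re
from datetime import datetime, timedelta

# Matches result lines such as "04:51:45.7028 **Port 25: *CLOSED*".
LINE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d+)\s+\**Port\s+(\d+):\s+\*?(OPEN|CLOSED)\*?\s*$")

def parse_portstatus(text):
    """Return [(time, port, status)] for every result line; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            rows.append((datetime.strptime(m.group(1), "%H:%M:%S.%f"), int(m.group(2)), m.group(3)))
    return rows

def closed_required(rows, required):
    """Required ports reported CLOSED, plus required ports absent from the report."""
    status = {port: st for _, port, st in rows}
    closed = sorted(p for p in required if status.get(p) == "CLOSED")
    missing = sorted(p for p in required if p not in status)
    return closed, missing

def slow_probes(rows, threshold=timedelta(milliseconds=100)):
    """(port, gap in seconds) where the gap before that port's line exceeds threshold."""
    slow = []
    for (t_prev, _, _), (t_cur, port, _) in zip(rows, rows[1:]):
        gap = t_cur - t_prev
        if gap < timedelta(0):          # report crossed midnight
            gap += timedelta(days=1)
        if gap > threshold:
            slow.append((port, gap.total_seconds()))
    return slow

# Constructed sample in the page's format; the ~1 s gap before port 8140 is invented.
SAMPLE = """\
Run Date: Thu Aug 22 04:51:45 2019
04:51:45.7021 Port 22: OPEN
04:51:45.7028 **Port 25: *CLOSED*
04:51:45.7129 Port 5671: OPEN
04:51:46.7187 **Port 8140: *CLOSED*
"""

# Hypothetical required set; replace with the ports your appliance type needs.
REQUIRED = {22, 5671, 8140, 50001}

if __name__ == "__main__":
    rows = parse_portstatus(SAMPLE)
    print("closed / missing:", closed_required(rows, REQUIRED))
    print("slow probes:", slow_probes(rows))
```

A required port that appears in neither list was reported OPEN; a port in the "missing" list was not tested at all in that report.
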
Notes

Note that not every port will be used in every environment.  For example, if you do not deploy ESA appliances, ports 50030 and 27017 will not be used.

The previous version of the script, saportscan-20150316-2.py, is still attached for historical reference.
