I used the following script to trigger a port_scan signature on a RealSecure (IDS) Network Sensor, to test that it was working.
#!/bin/ksh
outfile=~/live_ips.txt
scanfile=~/scan.out
iprange=192.168
maxip=254

# Clear previous output
> $outfile
> $scanfile

ip_scan() {
    # This routine collects the IPs that answer a ping (one subnet here)
    for subnet in 40
    do
        countip=1
        while [[ $countip -lt $maxip ]]
        do
            echo "Trying ${iprange}.${subnet}.${countip}..."
            # stderr redirect was written as "2&>1"; ksh needs "2>&1"
            ping -c 1 ${iprange}.${subnet}.${countip} > /dev/null 2>&1
            rc=$?
            if [[ $rc = 0 ]]; then
                # was ${addr}, which is never set; the host is ${countip}
                echo "${iprange}.${subnet}.${countip} is alive" | tee -a $outfile
            fi
            (( countip = countip + 1 ))
        done
    done
}

port_scan() {
    # This routine collects open ports: a connection to a closed port makes
    # ssh exit at once, so an ssh that is still running after 3 seconds
    # means the port accepted the connection
    awk '{print $1}' $outfile | while read ip
    do
        port=1
        while [[ $port -lt 2000 ]]
        do
            echo "Trying port $port on $ip"
            ssh -np $port $ip "date" > /dev/null 2>&1 &
            # "kill %1" needs job control, which is off in a script; use the PID
            pid=$!
            sleep 3
            if kill $pid 2>/dev/null; then
                echo "Port open at $port on $ip" >> $scanfile
            fi
            (( port = port + 1 ))
        done
    done
}

# Script starts here
ip_scan
port_scan
Of course, you could use the nmap utility to do port scans much quicker.
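Added here, and not part of the original post, is a small sensor-side detector showing what a port_scan signature fundamentally looks for: one source touching many distinct ports on one host within a short window, which is exactly the pattern the script above produces. It assumes a hypothetical connection-log format ("time src dst dport") with constructed sample lines; the thresholds (5 ports within 60 seconds) are arbitrary and not RealSecure's own.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical "time src dst dport" format;
# not real sensor output. The first source walks ports 1..6 in sequence.
SAMPLE_LOG = """\
2024-01-01T10:00:00 192.168.40.5 192.168.40.17 1
2024-01-01T10:00:03 192.168.40.5 192.168.40.17 2
2024-01-01T10:00:06 192.168.40.5 192.168.40.17 3
2024-01-01T10:00:09 192.168.40.5 192.168.40.17 4
2024-01-01T10:00:12 192.168.40.5 192.168.40.17 5
2024-01-01T10:00:15 192.168.40.5 192.168.40.17 6
2024-01-01T10:00:00 192.168.40.9 192.168.40.17 22
2024-01-01T10:05:00 192.168.40.9 192.168.40.17 80
"""


def parse(log):
    """Yield (timestamp, src, dst, dport) tuples from the log text."""
    for line in log.splitlines():
        ts, src, dst, port = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(port)


def detect_port_scans(log, min_ports=5, window_secs=60):
    """Return {(src, dst): info} for pairs where src hit at least min_ports
    distinct destination ports on dst inside any window_secs sliding window.
    Thresholds are arbitrary assumptions, not the sensor's signature values."""
    events = sorted(parse(log))            # oldest first
    window = timedelta(seconds=window_secs)
    recent = defaultdict(deque)            # (src, dst) -> deque of (ts, port)
    alerts = {}
    for ts, src, dst, port in events:
        key = (src, dst)
        q = recent[key]
        q.append((ts, port))
        while q and ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= min_ports and key not in alerts:
            alerts[key] = {"first": q[0][0], "last": ts, "ports": sorted(ports)}
    return alerts


if __name__ == "__main__":
    for (src, dst), info in detect_port_scans(SAMPLE_LOG).items():
        print(f"port scan: {src} -> {dst} ports {info['ports']} "
              f"between {info['first']} and {info['last']}")
```

The second source only touches two ports five minutes apart, so it stays below the threshold and is not reported.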