#!/bin/bash
# Simple cron-based network auditing scanner
# Requires Nmap 5+
# Related article @ http://blog.fili.nl/articles/audit-your-network-using-nmap-ndiff-and-cron/

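MAILOUT=your@email.com
NETWORK=10.0.0.0/24

# Fail on references to unset variables. Individual commands are checked
# explicitly below so that a failed scan or diff never replaces the baseline
# (a corrupted baseline would silently hide real changes on later runs).
set -u

CWD=$(dirname -- "$0")
NMAP=/usr/bin/nmap
NDIFF=/usr/bin/ndiff
MAIL=/usr/bin/mail

# Scan artefacts live next to the script.
BASELINE="$CWD/baseline.xml"   # last accepted scan
CURRENT="$CWD/current.xml"     # scan produced by this run
RESULT="$CWD/last-result"      # Ndiff output of baseline vs current

# Print a diagnostic to stderr and exit non-zero (cron mails the output).
die() { printf '%s\n' "$*" >&2; exit 1; }

for tool in "$NMAP" "$NDIFF" "$MAIL"; do
    [ -x "$tool" ] || die "Required tool not found or not executable: $tool"
done

if [ -f "$BASELINE" ]; then
    echo "Scanning network $NETWORK..."
    "$NMAP" -n -oX "$CURRENT" "$NETWORK" >/dev/null \
        || { rm -f -- "$CURRENT"; die "Nmap scan failed; keeping existing baseline."; }

    printf '%s' "Comparing Nmap scans using Ndiff..."
    # Ndiff exit status: 0 = scans identical, 1 = differences, 2 = error
    # (e.g. unreadable or truncated XML). On error last-result holds an
    # error message rather than a diff, so it must not be acted upon.
    "$NDIFF" "$BASELINE" "$CURRENT" >"$RESULT"
    ndiff_rc=$?
    if [ "$ndiff_rc" -gt 1 ]; then
        rm -f -- "$CURRENT"
        die "Ndiff failed (exit status $ndiff_rc); keeping existing baseline."
    fi

    # Size heuristic kept from the original script: presumably Ndiff's
    # header lines alone stay under 70 bytes, so a larger file means at
    # least one host/port line changed. TODO(review): confirm against the
    # installed Ndiff version, or switch to ndiff_rc once verified.
    if [ "$(stat -c%s "$RESULT")" -gt 70 ]; then
        echo "Changed!"; echo "$MAILOUT has been notified."
        # Only promote current.xml to the new baseline once the alert has
        # actually been sent; otherwise the change is re-reported next run.
        "$MAIL" -s "Alert: Network $NETWORK changed" "$MAILOUT" <"$RESULT" \
            || die "Failed to send notification mail; baseline left unchanged."
        mv -- "$CURRENT" "$BASELINE"
    else
        echo "Ok."
        rm -f -- "$CURRENT" "$RESULT"
    fi
else
    echo "First scan, generating baseline..."
    # A partial baseline from a failed scan would make every later run
    # report spurious differences, so remove it on failure.
    "$NMAP" -n -oX "$BASELINE" "$NETWORK" >/dev/null \
        || { rm -f -- "$BASELINE"; die "Nmap scan failed; no baseline written."; }
fi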

