Sunday, September 14, 2008

More Parsing Event Logs. Another way to do this, referencing part of Brandon Shell and Shay Levi's discussion. This doesn't parse the unformatted message text into an object as I did in the post before. In any event, it would be useful to get away from using findstr.exe.

# Today's date in short form (e.g. 9/14/2008); used as a string match against TimeGenerated
$now = [System.DateTime]::get_now()
$now.ToShortDateString()
$Now_ToString = $now.ToShortDateString()
# Today's Security events whose message mentions the firewall; findstr keeps only the "Port number:" lines
get-eventlog -logname Security | where-object {($_.timegenerated -match "$Now_ToString") -and ($_.message -match "Windows Firewall")} | fl * | findstr "Port number"
# or: filter on the same "Port number" text that findstr is after
get-eventlog -logname Security | where-object {($_.timegenerated -match "$Now_ToString") -and ($_.message -match "Port number")} | fl * | findstr "Port number"

Wednesday, September 10, 2008

Creates a columnar listing of ports to which the Windows Firewall has denied access. No doubt there is a simpler way. This uses Lee Holmes' 'Convert-TextObject.ps1' from "The Windows PowerShell Cookbook". To get around parsing the message fields in the Event Log, which aren't objects, I used findstr.exe with "MessageFilters.txt" as shown further below.

# Today's date in short form, matched as a string against TimeGenerated
$now = [System.DateTime]::get_now()
$nowshort = $now.ToShortDateString()
# Today's Failure Audit entries, keeping only the time and the message text
$TodaysFA = ( ( get-eventlog -logname security | where {$_.EntryType -eq "FailureAudit" -and $_.TimeGenerated -match "$nowshort" } )| Select TimeGenerated,Message )
# findstr /g keeps only the lines listed in MessageFilters.txt; Convert-TextObject splits each "Name: value" line into Property1/Property2
$TodaysFA_Delimited = ($TodaysFA | fl * | findstr /g:MessageFilters.txt) | .\Convert-TextObject.ps1 -Delimiter ":"
# Keep the "Port number" rows, sorted by the port value
$TodaysFA_Ports = $TodaysFA_Delimited | where-object {$_.Property1 -match "Port"} | sort-object {$_.Property2}
$TodaysFA_PortNumber = $TodaysFA_Ports | Select {$_.Property2}

MessageFilters.txt

TimeGenerated :
Message:
Process identifier:
User account:
User domain:
Service:
RPC server:
IP version:
IP protocol:
Port number:
Allowed:
User notified:


Tuesday, September 2, 2008

Parsing Event Logs for Windows Firewall Entries

Note: Sat Jun 9 11:39:23 Pacific Daylight Time 2012
A number of posts on my Network Security blog update this post somewhat. -THX RMF

Parsing Event Logs. What I am trying to do is fish out all the Windows Firewall entries that tell me which internal ports communicate with the outside world. This is a useful complement to pfirewall.log (the Windows Firewall log, which I use to check for Trojans). I have Event Viewer entries like the one below, which give me more information than pfirewall.log does:

Event Type: Failure Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 861
Date: 9/3/2008
Time: 6:58:53 AM
User: NT AUTHORITY\NETWORK SERVICE
Computer: RMFMEDIA
Description:
The Windows Firewall has detected an application listening for incoming traffic.

Name: -
Path: C:\WINDOWS\system32\svchost.exe
Process identifier: 1432
User account: NETWORK SERVICE
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 61248
Allowed: No
User notified: No

D:\>tail pfirewall.log
2008-09-03 07:27:37 OPEN UDP 192.168.1.114 69.7.46.8 56319 53 - - - - - - - - -
2008-09-03 07:27:37 OPEN TCP 192.168.1.114 72.14.207.191 1551 80 - - - - - - - - -
2008-09-03 07:27:38 OPEN UDP 192.168.1.114 192.168.0.2 1025 514 - - - - - - - - -
2008-09-03 07:27:44 CLOSE TCP 192.168.1.114 72.14.223.191 1550 80 - - - - - - - - -
2008-09-03 07:27:44 DROP TCP 72.14.223.191 192.168.1.114 80 1550 288 AP 2880782099

This is the basic idea:

( ( get-eventlog -logname security | where {$_.EntryType -eq "FailureAudit"} )| Select ReplacementStrings,TimeGenerated,Message )

The snippet below also works now. What I wanted to do was limit the event log entries to today's date, but I couldn't find an easy way to embed a 'get-date' command without parsing its output.

# "g" gives e.g. "9/3/2008 6:58 AM"; the first token is today's date
$date = (get-date -format g).Split(" ")
$now = $date[0].ToString()
# Today's Failure Audit entries
$TodaysFA = ( ( get-eventlog -logname security | where {$_.EntryType -eq "FailureAudit" -and $_.TimeGenerated -match "$now" } )| Select ReplacementStrings,TimeGenerated,Message )

# Same again, but only event ID 861 (Windows Firewall: application listening for incoming traffic)
$date = (get-date -format g).Split(" ")
$now = $date[0].ToString()
$Todays_861 = ( ( get-eventlog -logname security | where {$_.EventID -eq "861" -and $_.TimeGenerated -match "$now" } )| Select ReplacementStrings,TimeGenerated,Message )

Next up: dump just the Message field and extract the port number and the other information into a CSV. What I really want is just this information in a CSV:

Process identifier: 1432
User account: NETWORK SERVICE
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 61248
Allowed: No
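One way to get that CSV, and to drop findstr.exe as the first post wanted, is to parse the "Name: value" lines of the event message directly in PowerShell. The following is an added example, not the post's own code: ConvertFrom-FirewallMessage, Get-TodaysFirewallListeners and $FirewallFields are names chosen here, and the sample message is the event text quoted above, embedded so the parser can be tried without a Security log.

```powershell
# Message fields to keep; names as they appear in the event text (assumed set).
$FirewallFields = 'Path', 'Process identifier', 'User account', 'User domain',
                  'Service', 'RPC server', 'IP version', 'IP protocol',
                  'Port number', 'Allowed', 'User notified'

function ConvertFrom-FirewallMessage {
    param(
        [Parameter(Mandatory)][string]$Message,
        [datetime]$TimeGenerated = (Get-Date)
    )
    $props = [ordered]@{ TimeGenerated = $TimeGenerated }
    foreach ($field in $FirewallFields) { $props[$field] = $null }
    # Split each line on its first colon only: a Path value such as C:\... has one too.
    foreach ($line in $Message -split "`r?`n") {
        if ($line -match '^\s*([^:]+?):\s*(.*)$') {
            $name, $value = $Matches[1].Trim(), $Matches[2].Trim()
            if ($FirewallFields -contains $name) { $props[$name] = $value }
        }
    }
    [pscustomobject]$props
}

# Live use: today's 861 events, selected with -After instead of string-matching
# TimeGenerated, which depends on the date format of the current locale.
function Get-TodaysFirewallListeners {
    Get-EventLog -LogName Security -After (Get-Date).Date |
        Where-Object { $_.EventID -eq 861 } |
        ForEach-Object { ConvertFrom-FirewallMessage $_.Message $_.TimeGenerated }
}

# Constructed sample: the message text from the post, so the parser can be tried
# without a Security log at hand.
$sample = @"
The Windows Firewall has detected an application listening for incoming traffic.
Path: C:\WINDOWS\system32\svchost.exe
Process identifier: 1432
User account: NETWORK SERVICE
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 61248
Allowed: No
User notified: No
"@

ConvertFrom-FirewallMessage $sample | Select-Object 'Port number', 'IP protocol', Path, Allowed
# Get-TodaysFirewallListeners | Sort-Object 'Port number' | Export-Csv ports.csv -NoTypeInformation
```

Because every field becomes a real property, the "Allowed: No" and "Port number" values can be filtered with Where-Object rather than matched as text, and Export-Csv writes one row per event.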