Wednesday, February 18, 2009

Three of the four last posts have resulted in a considerable speed up of my Powershell learning curve. In my February 6th post , I created a (not so) simple script to log all new Established TCP Connections.  'Compare-Object' was very useful in finding the diff between one netblock and the last. In my February 12th post, I worked through how to send those Established TCP Connections to the (classic) Event Viewer.  I then spent quite a bit of time trying to build a script that iterated all TCPStates past the current TCP Connection diff in an attempt to send all TCP State Connections to the Event Log.  I spent a lot of time failing to create such an iteration. (Update February 25): Eventually, I did create a function(s) which will log select TCP Connection States. It is posted here: http://www.rmfdevelopment.com/PowerShell_Scripts/List-TCPConnections_Advanced.ps1
 There are a ton of issues for me to work out with Powershell involving .NET overloads, Functions Types, Iteration, Parameters....But the foreach-object can be used in a block to process an  array line by line. Very simple and straightforward:
       $global:c = compare-object -referenceobject $State_netblock -differenceobject $State_last_netblock
                    
       if ($c -eq $null){}
       elseif($c.SideIndicator -eq "<=" )
          {$C |
                foreach-object -process{                                    
                $LocalAddress = $_.InputObject.LocalEndPoint.Address
                $RemoteAddress = $_.InputObject.RemoteEndPoint.Address           
                $LocalPort = $_.InputObject.LocalEndPoint.Port
                $RemotePort = $_.InputObject.RemoteEndPoint.Port
                $TCP_State = $TCPState[$State]
                $name = [System.Net.DNS]::Resolve("$RemoteAddress")
                $name_canon = $name.hostname
                write "$TimeNow $RemoteAddress $name_canon : $RemotePort $TCP_State"
                $EventLog.Source = "$name_canon" 
                $EventLog.WriteEntry("$LocalAddress $TCP_State connection to $RemoteAddress($name_canon) from Local Port: $LocalPort to Remote Port: $RemotePort",$infoevent,$RemotePort,$State) 

                } 
           }


Update on event log queries for the event log generated by the above script:

Source
$Source_8NetUnique = get-eventlog -log EstablishedTCPConnections  | ?{$_.Source -match "^8\."} | sort-object -property Source -unique
$SourceNetUnique = get-eventlog -log EstablishedTCPConnections  | ?{$_.Source -match "^*"} | sort-object -property Source -unique
$SourceNetUniqueGroupBy = get-eventlog -log EstablishedTCPConnections  | ?{$_.Source -match "^*"} | group-object -property Source | Sort-object -property count -descending
Function Get-NetName ($CountNetName) { get-eventlog -log EstablishedTCPConnections  | ?{$_.Source -match "^$CountNetName"} |  group-object -property Source | Sort-object -property count -descending}
foreach($i in (gc alpha.txt)){get-netname $i}
Port
$Port80 = get-eventlog -log EstablishedTCPConnections  | ?{$_.EventID -match "^80"}|  sort-object -property TimeGenerated -descending
$EventIDNetUnique = get-eventlog -log EstablishedTCPConnections  | ?{$_.EventID -match "^*"} | sort-object -property EventID -unique
$EventIDNetUniqueGroupBy = get-eventlog -log EstablishedTCPConnections  | ?{$_.EventID -match "^*"} | group-object -property EventID | Sort-object -property count -descending
Function Get-PortType ($CountPortType) { get-eventlog -log EstablishedTCPConnections  | ?{$_.EventID -match "^$CountPortType"} |  group-object -property EventID | Sort-object -property count -descending}

$Source = get-eventlog -log EstablishedTCPConnections | group-object -property Source | sort-object -property Count -descending
$Port = get-eventlog -log EstablishedTCPConnections | group-object -property EventID  | sort-object -property Count -descending

$UniqSource = get-eventlog -log EstablishedTCPConnections |  sort-object -property Source -descending -unique 
$UniqPort = get-eventlog -log EstablishedTCPConnections |  sort-object -property EventID -descending -unique 

$UniqSource = get-eventlog -log EstablishedTCPConnections | group-object -property Source | sort-object -property Count -descending
$UniqSource | Select Count,Name | cvhtml > UniqSource.html

$a | %{[System.Net.DNS]::Resolve($_.Source)}
$a | %{whois ($_.Source)}           
Posted by Ryan M. Ferris at 9:34 AM

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)