RE: Windows Event Logs
From: Gavin Lowe (gavin_at_vanderwell.com)
Date: 06/20/03
- Previous message: Scheinberg, Adam: "RE: Filtering DHCP Assignments by MAC Address"
- In reply to: Floyd Russell: "Windows Event Logs"
- Next in thread: David Vincent: "RE: Windows Event Logs"
Date: Fri, 20 Jun 2003 11:38:41 -0600
To: Focus-MS <focus-ms@securityfocus.com>
I use Snort (http://www.snort.org/) to catch the IP/data packets from
inbound connections to Ports 137 UDP, 138 UDP, 139 TCP and 445 UDP/TCP
(Ref: http://support.microsoft.com/default.aspx?scid=kb;EN-US;150543)
These entries are from rules that I create (See attachment for more):
06/19-19:19:02.734919 [**] [1:2767:0] Someone's Knocking On My Door! [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 66.82.163.207:4416 -> xxx.xxx.xxx.xxx:445
06/19-21:31:22.907012 [**] [1:2766:0] Someone's Peeking In The Window! (Browsing) [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {UDP} 218.44.130.144:60998 -> xxx.xxx.xxx.xxx:137
06/20-08:20:49.085366 [**] [1:2764:0] Someone's Trying a Key in the Door! (MapDrive) [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 66.82.122.79:2307 -> xxx.xxx.xxx.xxx:139
Monitoring these ports catches connection attempts that don't even
trigger a Security Event Log entry such as a successful anonymous
connection to an IPC$ share - which is normally a precursor to a mapped
share attempt.
Connecting to the IPC$ share allows a remote user to view your available
shared resources, computer name, logged-on user name and domain name, which
requires them only to guess your password in order to successfully map
to a share. You should definitely disable Anonymous Logon on all your
Win2K boxes connected to the Internet/DMZ.
Currently, I'm getting Snort alerts from 50+ unique IP / Day from all
over the world - mainly US, China, and some European Countries. I
haven't had a failed event log entry since the day of 7,000 attempts.
In my experience, relying on the Security Event Log is like relying on
the check engine light in a car. When the light comes on, it's probably
already too late.
Gavin Lowe
Programmer / Network Admin
-----Original Message-----
From: Floyd Russell [mailto:floyd@neospire.net]
Sent: Thursday, June 19, 2003 12:28 PM
To: focus-ms@securityfocus.com
Subject: Windows Event Logs
In my years of admining windows servers the event logs have always been
frustratingly incomplete. This is especially true with the Security
logs.
For example, if an attempted logon fails, it records the event, but seemingly
nothing else of importance like an IP.
Are there any tools out there that either allow admins a finer control over
what activities happen on the host or any that can pull such information
from the event logs?
Thanks,
Floyd R.
- application/octet-stream attachment: alert.ids
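The per-day unique-source count and per-port breakdown that Gavin describes can be pulled straight out of Snort's fast-alert file. The Python below is an added example, not code from the post or from the attached alert.ids: it parses lines in the layout shown above, then summarises them by day, destination port and source. The sample lines are constructed (modelled on the three alerts quoted above, with the masked destination replaced by an RFC 1918 address and two extra lines invented to give a repeat source); the SMB port set and the function names are assumptions of this example. The fast format prints no year, so "day" is the MM/DD string exactly as Snort writes it.

```python
"""Parse Snort fast-alert lines and summarise SMB/NetBIOS probes by day, port and source."""
import ipaddress
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the alerts in the post; the destination is an RFC 1918
# address and the last two lines are invented so that one source repeats on one day.
SAMPLE_ALERTS = """\
06/19-19:19:02.734919 [**] [1:2767:0] Someone's Knocking On My Door! [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 66.82.163.207:4416 -> 10.0.0.5:445
06/19-21:31:22.907012 [**] [1:2766:0] Someone's Peeking In The Window! (Browsing) [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {UDP} 218.44.130.144:60998 -> 10.0.0.5:137
06/20-08:20:49.085366 [**] [1:2764:0] Someone's Trying a Key in the Door! (MapDrive) [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 66.82.122.79:2307 -> 10.0.0.5:139
06/20-08:21:03.101010 [**] [1:2767:0] Someone's Knocking On My Door! [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 66.82.122.79:2311 -> 10.0.0.5:445
06/20-09:00:00.000000 [**] [1:2767:0] Someone's Knocking On My Door! [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 66.82.163.207:4500 -> 10.0.0.5:445
"""

# Snort "fast" alert layout (IPv4 only here). Classification is optional because rules
# without a classtype omit it, and ports are absent for protocols such as ICMP.
ALERT_RE = re.compile(
    r"^(?P<day>\d{2}/\d{2})-(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d+(?:\.\d+){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})(?::(?P<dport>\d+))?\s*$"
)

# NetBIOS name/datagram/session services and direct-host SMB (assumed set, per KB 150543).
SMB_PORTS = {137, 138, 139, 445}


@dataclass(frozen=True)
class Alert:
    day: str            # "MM/DD" as Snort prints it; the fast format carries no year
    time: str
    sid: int
    msg: str
    priority: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_alerts(text: str) -> Tuple[List[Alert], List[str]]:
    """Parse alert lines; lines that do not match are returned, not silently dropped."""
    alerts: List[Alert] = []
    unparsed: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ALERT_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        alerts.append(Alert(
            day=m["day"], time=m["time"], sid=int(m["sid"]), msg=m["msg"],
            priority=int(m["prio"]), proto=m["proto"],
            src=m["src"], sport=int(m["sport"]) if m["sport"] else None,
            dst=m["dst"], dport=int(m["dport"]) if m["dport"] else None,
        ))
    return alerts, unparsed


def _ip_key(addr: str) -> int:
    # Sort addresses numerically rather than as strings ("66." before "218.").
    return int(ipaddress.ip_address(addr))


def unique_sources_per_day(alerts: List[Alert], ports=SMB_PORTS) -> Dict[str, List[str]]:
    """Distinct sources per day that hit one of `ports` (the '50+ unique IP / day' figure)."""
    seen: Dict[str, set] = defaultdict(set)
    for a in alerts:
        if a.dport in ports:
            seen[a.day].add(a.src)
    return {day: sorted(srcs, key=_ip_key) for day, srcs in sorted(seen.items())}


def hits_by_port(alerts: List[Alert]) -> Dict[int, int]:
    """Alert count per destination port, showing which SMB entry point draws the most probes."""
    return dict(Counter(a.dport for a in alerts if a.dport is not None))


def repeat_offenders(alerts: List[Alert], min_hits: int = 2) -> List[str]:
    """Sources that produced at least `min_hits` alerts across the whole file."""
    counts = Counter(a.src for a in alerts)
    return sorted((s for s, n in counts.items() if n >= min_hits), key=_ip_key)


if __name__ == "__main__":
    found, bad = parse_alerts(SAMPLE_ALERTS)
    for day, srcs in unique_sources_per_day(found).items():
        print(f"{day}: {len(srcs)} unique source(s) -> {', '.join(srcs)}")
    print("hits by port:", hits_by_port(found))
    print("repeat offenders:", repeat_offenders(found))
    if bad:
        print(f"{len(bad)} line(s) did not parse")
```

Pointing `parse_alerts` at a real alert file (`open("alert.ids").read()`) gives the same summary over live data; the unparsed list is worth checking after any Snort upgrade, since the fast-format layout has changed across versions.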