Re: Port & Executable Monitoring & Logging



On 2011-06-23 Michael Painter wrote:
On Jun 21, 2011, at 12:54 PM, jstemp105@xxxxxxxxx wrote:
I have been working with the IPS systems within my corporate
workplace and we have noticed some strange activity where a virtual
Windows file server is attempting to connect to workstations, on the
same subnet, through local TCP port 88. The IPS systems that we
have in place on the workstations in our organization are detecting
these connections and are blocking them by considering them port
scans. The connections are incoming from the file server to the
workstations.

Placing a packet capture on the network and server did no good as
the workstations blocked them and the workstations that didn't block
the connections would only reply with a reset flag.

These connections happen at the most sporadic times ranging anywhere
throughout the day or night. We would like to put a program on the
server that will monitor for executables and what port they run on
or open up. This program must be able to log the instances and be
able to filter what ports are being monitored. Does anyone know of
any software programs that will run on Server 2008 and have the
above stated capabilities?

I'd give MSoft's Port Reporter and its Parser a try:
Overview
The Port Reporter tool logs TCP and UDP port activity. The tool is a
small program that runs as a service on a computer that is running
Windows Server 2003, Windows XP, or Windows 2000.

On Windows Server 2003 and on Windows XP-based computers, the service
can log the following information:
a. The ports that are used
b. The processes that use the port
c. Whether a process is a service
d. The modules that a process loaded
e. The user accounts that run a process

URL: http://support.microsoft.com/kb/837243

I second Port Reporter. However, if the OP wants something that doesn't
require installation and can be run interactively, Process Monitor [1]
might be another option.

One could also use Wireshark [2] or Network Monitor [3] to analyze the
packets. Or at least hook something like netcat [4] to port 88/tcp on some
clients and see what the server actually tries to send (of course the
clients will respond with TCP-RST if there's no listening socket on
that port).

[1] http://technet.microsoft.com/en-us/sysinternals/bb896645
[2] http://www.wireshark.org/
[3] http://support.microsoft.com/kb/933741
[4] http://joncraton.org/blog/netcat-for-windows

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
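An added example, not code from anyone in this thread and not Port Reporter itself: a PowerShell script for Server 2008 that does what the original question asks for by polling netstat -ano, keeping only connections that touch a configurable port list, resolving the owning executable, and appending each new instance to a log. The port list, log path and poll interval are assumed placeholders.

```powershell
# Added example, not Port Reporter and not code from anyone in this thread.
# Assumes PowerShell 2.0 on Server 2008, run elevated so process paths resolve.
# Polls netstat -ano, keeps connections touching a watched port, and appends
# each new one (with the owning executable) to a log file. $WatchPorts and
# $LogPath are placeholders to adjust.
param(
    [int[]]$WatchPorts = @(88),
    [string]$LogPath   = 'C:\PortMonitor\portmon.log',
    [int]$IntervalSec  = 2
)

function Get-Port([string]$addr) {
    # "10.0.0.5:88" or "[::1]:88" -> 88; "*:*" (UDP remote side) -> 0
    $p = $addr -replace '^.*:', ''
    if ($p -match '^\d+$') { [int]$p } else { 0 }
}

function Get-Connections {
    # netstat -ano columns: Proto, Local Address, Foreign Address, [State,] PID
    foreach ($m in (netstat -ano | Select-String '^\s*(TCP|UDP)\s')) {
        $f = $m.Line.Trim() -split '\s+'
        if ($f[0] -eq 'TCP') { $state = $f[3]; $procId = $f[4] }
        else                 { $state = '-';   $procId = $f[3] }
        New-Object PSObject -Property @{
            Proto = $f[0]; Local = $f[1]; Remote = $f[2]; State = $state
            ProcId = [int]$procId; LocalPort = Get-Port $f[1]; RemotePort = Get-Port $f[2]
        }
    }
}

New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
$seen = @{}   # connections present in the previous poll, so each instance logs once
while ($true) {
    $current = @{}
    foreach ($c in Get-Connections) {
        if (-not (($WatchPorts -contains $c.LocalPort) -or ($WatchPorts -contains $c.RemotePort))) { continue }
        $key = '{0}|{1}|{2}|{3}' -f $c.Proto, $c.Local, $c.Remote, $c.ProcId
        $current[$key] = $true
        if ($seen.ContainsKey($key)) { continue }
        $proc = Get-Process -Id $c.ProcId -ErrorAction SilentlyContinue
        $exe  = if ($proc -and $proc.Path) { $proc.Path } elseif ($proc) { $proc.ProcessName } else { 'unknown' }
        $entry = '{0:yyyy-MM-dd HH:mm:ss} {1} {2} -> {3} {4} pid={5} exe={6}' -f `
            (Get-Date), $c.Proto, $c.Local, $c.Remote, $c.State, $c.ProcId, $exe
        Add-Content -Path $LogPath -Value $entry
    }
    $seen = $current
    Start-Sleep -Seconds $IntervalSec
}
```

A connection that closes and reopens between polls is logged again, while short-lived connections shorter than the poll interval can be missed, which is where a kernel-level tool like Port Reporter has the advantage.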
