Re: How to audit logons from external IP's?
From: Joe Richards [MVP] (humorexpress@hotmail.com)
Date: 11/10/02
- Next message: JR: "Re: Infected GC! Need to rebuild"
- Previous message: clintax: "unauthorize installation"
- In reply to: Per Hagstrom: "Re: How to audit logons from external IP's?"
- Next in thread: Too Hot: "Re: How to audit logons from external IP's?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Joe Richards [MVP]" <humorexpress@hotmail.com> Date: Sun, 10 Nov 2002 17:10:50 -0500
Interesting...

I guess along those lines you could set up a Perl script that sets up a
change notification on the event log and just watches for the appropriate
logon events and when it sees one after being alerted of an event it could
do the netstat for you.

I think you might want to look at something like the IDS at www.snort.org
and see what it can do for you.

--
Joe Richards
www.joeware.net
---

"Per Hagstrom" <poh@milltec.com> wrote in message news:uJefHoPiCHA.1308@tkmsftngp11...
> Well.. I've been trying to figure out my own solution instead... but I'm not
> coming up with something that is fully functional... maybe somebody else
> could work this out with me.
>
> My idea was to use the Performance Monitor to trigger the Alert, Logon
> Errors, under Server.
> And then that this Alert would start the batch file that runs this line:
> NETSTAT -an | FIND "ESTABLISHED" >> C:\log.txt
> The only problem is, the Alert gets triggered after 1... but then this trigger
> keeps on sending alerts forever it seems like.. if I only knew how to reset
> the Alert to 0 again.. ?
>
> This almost works...! Just not that practical yet..
>
> Someone that could follow up on my thoughts here.. or maybe have a different
> way/program to use a trigger?
>
> Thanks!!
>
> / Per Hagstrom
>
>
> "Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
> news:OY6knQNiCHA.716@tkmsftngp11...
> > In order to get IP info you would need to get some sort of IDS or firewall
> > system in place. I do agree that MS should be giving IP info with the
> > machine names because names are easily spoofed but they do not currently do
> > so. On the positive side, it seems that the Kerberos failures log IP's.
> >
> > --
> > Joe Richards
> > www.joeware.net
> > ---
> >
> > "Per Hagstrom" <poh@milltec.com> wrote in message
> > news:elDGIvCiCHA.1864@tkmsftngp11...
> > > Hey!
> > > I've been trying to find a simple solution to audit who is trying to logon
> > > to our servers with "password scripts" or something similar...
> > > MS's own silly auditing tool only logs the computer name, and not the whole
> > > IP, which is pretty much useless.. ! :(
> > >
> > > Anyone with a good idea on how to solve this?
> > > If there are no easy/free solutions, what would the easiest/cheapest
> > > solution be?
> > > (like, is there a small little tool for just this purpose out there?)
> > >
> > > Thanks!
> > >
> > > / Per Hagstrom
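
The event-triggered netstat snapshot discussed in this message, sketched in Python rather than Perl as an added example that is not part of the original thread or any poster's code. The event record format (`record`, `workstation`), the internal address ranges and the sample netstat text are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: these ranges count as "internal"; adjust to your own network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample of `netstat -an` output (documentation addresses, not real hosts).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:445       192.168.1.55:1034      ESTABLISHED
  TCP    192.168.1.10:139       203.0.113.77:4021      ESTABLISHED
  TCP    192.168.1.10:3389      198.51.100.9:51515     ESTABLISHED
  TCP    192.168.1.10:80        203.0.113.77:4022      TIME_WAIT
  UDP    0.0.0.0:445            *:*
"""

def established_external(netstat_text, internal=INTERNAL_NETS):
    """Return sorted (remote_ip, local_port) pairs for ESTABLISHED TCP
    sessions whose remote end is outside the internal ranges."""
    hits = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) != 4 or f[0] != "TCP" or f[3] != "ESTABLISHED":
            continue  # headers, UDP rows, listeners, closing sockets
        local_port = int(f[1].rsplit(":", 1)[1])
        remote = ipaddress.ip_address(f[2].rsplit(":", 1)[0].strip("[]"))
        if not any(remote in net for net in internal):
            hits.add((str(remote), local_port))
    return sorted(hits)

def correlate(events, snapshot, last_record=0):
    """Take one netstat snapshot per unseen logon-failure record.
    Returns (rows, new_last_record). Persisting new_last_record between runs
    makes the trigger fire once per event instead of repeating.
    Rows are candidates only: the offending session may already be closed."""
    rows = []
    for ev in sorted(events, key=lambda e: e["record"]):
        if ev["record"] <= last_record:
            continue  # already handled on an earlier pass
        last_record = ev["record"]
        for ip, port in established_external(snapshot()):
            rows.append((ev["record"], ev["workstation"], ip, port))
    return rows, last_record

if __name__ == "__main__":
    # Constructed logon-failure records; on a real host, snapshot would run
    # `netstat -an` (e.g. via subprocess) at the moment the event is seen.
    events = [{"record": 101, "workstation": "WKS-A"},
              {"record": 102, "workstation": "WKS-B"}]
    rows, last = correlate(events, lambda: SAMPLE_NETSTAT, last_record=101)
    for row in rows:
        print(*row, sep="\t")
```
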