Re: How to audit logons from external IP's?

From: Per Hagstrom (poh@Kendall-Davis.com)
Date: 11/11/02


From: "Per Hagstrom" <poh@Kendall-Davis.com>
Date: Mon, 11 Nov 2002 13:43:42 -0600


Maybe a good idea.. thanks!
Um.. I've never used that tool.. just started it up.. and yikes! That's a
complicated piece of software.. I don't understand much of it so far..
Could I get a little help getting it started?
To just run a raw capture, captures a LOT of data I can tell.. so.. how
would I use it to capture logon errors and maybe use the trigger in there to
start the capture.. ?

I did a raw test capture of me trying to login through Terminal Server with
wrong password.. but.. not much readable things I could get out of that
data.. only thing I could see was that there was at least a 3389 port
connection.. heh.. !

Thanks a lot!

 / Per Hagstrom

"Too Hot" <mungedtodeath@anon.con> wrote in message
news:_VPz9.213$RS7.3308585@news-text.cableinet.net...
> Per Hagstrom wrote:
> : Well.. I've been trying to figure out my own solution instead... but
> : I'm not coming up with something that is fully functional... maybe
> : somebody else could work this out with me.
> :
> : My idea was to use the Performance Monitor to trigger the Alert, Logon
> : Errors, under Server.
> : And then that this Alert would start the batch file that runs this
> : line: NETSTAT -an | FIND "ESTABLISHED" >> C:\log.txt
>
> How about firing up network monitor to capture the complete packets? You
> get it all, ports n all :)
>
>
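
The batch-file idea quoted above appends every ESTABLISHED connection to the log. As an added example (not part of the original thread), this Python sketch filters `netstat -an` output down to established sessions on the Terminal Server port from addresses outside the internal ranges. The sample output, the internal range list and the function names are assumptions constructed for illustration.

```python
import ipaddress
from datetime import datetime

RDP_PORT = 3389  # Terminal Server port the poster saw in the capture

# Assumed internal ranges; adjust to the site's own addressing plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample of `netstat -an` output (documentation addresses only).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      203.0.113.45:51234     ESTABLISHED
  TCP    192.168.1.10:3389      192.168.1.77:1042      ESTABLISHED
  TCP    192.168.1.10:445       198.51.100.9:2301      ESTABLISHED
  TCP    192.168.1.10:3389      198.51.100.20:4410     TIME_WAIT
  UDP    0.0.0.0:500            *:*
"""

def split_endpoint(endpoint):
    """Split 'host:port' (or '[v6]:port') into (host, port) strings."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port

def external_rdp_sessions(netstat_text, port=RDP_PORT, internal=INTERNAL_NETS):
    """Return (remote_ip, remote_port) for established sessions to `port`
    whose remote address is not in any internal network."""
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "TCP" or fields[3] != "ESTABLISHED":
            continue
        _, local_port = split_endpoint(fields[1])
        remote_host, remote_port = split_endpoint(fields[2])
        if local_port != str(port):
            continue
        try:
            remote = ipaddress.ip_address(remote_host.split("%")[0])
        except ValueError:
            continue  # not a parseable address; skip the line
        if not any(remote in net for net in internal):
            hits.append((str(remote), int(remote_port)))
    return hits

def log_lines(hits, when):
    """Format hits as timestamped lines suitable for appending to a log."""
    return [f"{when.isoformat()} external RDP session from {ip}:{p}" for ip, p in hits]

if __name__ == "__main__":
    print("\n".join(log_lines(external_rdp_sessions(SAMPLE), datetime.now())))
```

A netstat snapshot only shows connections that are open at the moment it runs, so a failed logon whose connection has already closed will not appear in the output.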


