Re: How to audit logons from external IP's?
From: Joe Richards [MVP] (humorexpress@hotmail.com)
Date: 11/12/02
- Next message: John McCoy: "Re: certificate revocation doesn't work"
- Previous message: x y: "how can I find out the adminstrator password"
- In reply to: Per Hagstrom: "Re: How to audit logons from external IP's?"
- Next in thread: Per Hagstrom: "Re: How to audit logons from external IP's?"
- Reply: Per Hagstrom: "Re: How to audit logons from external IP's?"
From: "Joe Richards [MVP]" <humorexpress@hotmail.com> Date: Tue, 12 Nov 2002 14:32:20 -0500
Again this is where an IDS tool such as Snort could come in handy, you don't
have to look at everything, it has patterns built in and you can add more if
you want.
Capturing and decoding TS traffic will be a pain as it is all RPC/RDP
traffic.
--
Joe Richards
www.joeware.net
---

"Per Hagstrom" <poh@Kendall-Davis.com> wrote in message
news:Op4HypbiCHA.1868@tkmsftngp12...
> Maybe a good idea.. thanks!
> Um.. I've never used that tool.. just started it up.. and yikes! That's a
> complicated piece of software.. I don't understand much of it so far..
> Could I get a little help getting it started?
> To just run a raw capture, captures a LOT of data I can tell.. so.. how
> would I use it to capture logon errors and maybe use the trigger in there to
> start the capture.. ?
>
> I did a raw test capture of me trying to login through Terminal Server with
> wrong password.. but.. not much readable things i could get out of that
> data.. only thing I could see was that there was at least a 3389 port
> connection.. heh.. !
>
>
> Thanks a lot!
>
> / Per Hagstrom
>
>
> "Too Hot" <mungedtodeath@anon.con> wrote in message
> news:_VPz9.213$RS7.3308585@news-text.cableinet.net...
> > Per Hagstrom wrote:
> > : Well.. I've been trying to figure out my own solution instead... but
> > : I'm not coming up with something that is fully functional... maybe
> > : somebody else could work this out with me.
> > :
> > : My idea was to use the Performance Monitor to trigger the Alert, Logon
> > : Errors, under Server.
> > : And then that this Alert would start the batch file that runs this
> > : line: NETSTAT -an | FIND "ESTABLISHED" >> C:\log.txt
> >
> > How about firing up network monitor to capture the complete packets? You
> > get it all, ports n all :)
> >
> >
> >
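
Added example, not part of the original thread or written by any of its posters: the quoted NETSTAT idea narrowed so that only ESTABLISHED sessions to the Terminal Server port from non-internal addresses are logged, with a timestamp. The function names, the definition of "internal" (loopback plus RFC 1918 ranges) and the sample netstat output are assumptions constructed for illustration.

```python
import ipaddress
from datetime import datetime, timezone

RDP_PORT = 3389  # Terminal Server port seen in the thread's test capture

# Assumption: "internal" means loopback plus the RFC 1918 ranges; adjust to the site.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of Windows `netstat -an` output (documentation addresses).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      192.168.1.77:1045      ESTABLISHED
  TCP    192.168.1.10:3389      203.0.113.45:4312      ESTABLISHED
  TCP    192.168.1.10:1201      198.51.100.9:80        ESTABLISHED
  TCP    192.168.1.10:3389      198.51.100.23:2290     TIME_WAIT
  UDP    0.0.0.0:445            *:*
"""

def external_rdp_sessions(netstat_text, port=RDP_PORT):
    """Return remote IPs holding an ESTABLISHED TCP session to local `port`."""
    remotes = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Data rows are: proto, local addr:port, foreign addr:port, state.
        if len(fields) != 4 or fields[0] != "TCP" or fields[3] != "ESTABLISHED":
            continue
        if fields[1].rpartition(":")[2] != str(port):
            continue  # session is not to the Terminal Server port
        try:
            remote = ipaddress.ip_address(fields[2].rpartition(":")[0].strip("[]"))
        except ValueError:
            continue  # header line or unparsable address
        if not any(remote in net for net in INTERNAL_NETS):
            remotes.add(str(remote))
    return sorted(remotes)

def log_lines(netstat_text, when=None):
    """Format one timestamped line per external session, ready to append to a log."""
    stamp = (when or datetime.now(timezone.utc)).strftime("%Y-%m-%d %H:%M:%SZ")
    return [f"{stamp} external RDP session from {ip}"
            for ip in external_rdp_sessions(netstat_text)]

if __name__ == "__main__":
    print("\n".join(log_lines(SAMPLE_NETSTAT)))
```

A snapshot like this shows only the sessions open at the moment the alert fires, so it narrows the candidate source addresses rather than proving which one produced the failed logon.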