Monday, 30 April 2012

Get-Winevent Part IV: Querying the Event Log for 'Filtering Platform Connection' Information (Part A)


The command:

'auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable'

enables success and failure auditing for the "Filtering Platform Connection" subcategory on Windows 7. With it enabled, the Security event log receives the following events:

Filtering Platform Connection           Success and Failure

  • Object Access Filtering Platform Connection 5150 The Windows Filtering Platform has blocked a packet. Windows 7, Windows Server 2008 R2
  • Object Access Filtering Platform Connection 5151 A more restrictive Windows Filtering Platform filter has blocked a packet. Windows 7, Windows Server 2008 R2
  • Object Access Filtering Platform Packet Drop 5152 The Windows Filtering Platform blocked a packet. Windows Vista, Windows Server 2008
  • Object Access Filtering Platform Packet Drop 5153 A more restrictive Windows Filtering Platform filter has blocked a packet. Windows Vista, Windows Server 2008
  • Object Access Filtering Platform Connection 5154 The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. Windows Vista, Windows Server 2008
  • Object Access Filtering Platform Connection 5155 The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. Windows Vista, Windows Server 2008
  • Object Access Filtering Platform Connection 5156 The Windows Filtering Platform has allowed a connection. Windows Vista, Windows Server 2008
  • Object Access Filtering Platform Connection 5157 The Windows Filtering Platform has blocked a connection. Windows Vista, Windows Server 2008
  • Object Access Filtering Platform Connection 5158 The Windows Filtering Platform has permitted a bind to a local port. Windows Vista, Windows Server 2008
  • Object Access Filtering Platform Connection 5159 The Windows Filtering Platform has blocked a bind to a local port. Windows Vista, Windows Server 2008
This script, which uses some PowerShell 3.0 features, produces the (abbreviated) output shown further below by parsing the Message text of Event ID 5156 ("allowed connection") events. The loops are structured so that 'findstr' can dig out the 'subfield' information, and 'Select -unique' finds the unique addresses (or ports):

# $StartTime is set earlier in the script (per-day or per-event, see below)
[array]$a=Get-WinEvent -FilterHashTable @{LogName='Security';ID=5156;StartTime=$StartTime}
$UDA_count=$a.count
# PowerShell 3.0 unrolls $a.Message across the whole array; findstr keeps only the 'Destination Address' lines
[array[]]$b=$a.Message | findstr 'Destination' | findstr 'Address'
$Global:UDestAddress=($b | Select -unique) | sort

The script takes an extremely long time to run on my five-core laptop. These scripts (1,2) are optimized a bit more to search only for 5156 events. The global variables in the script would be suitable for comparing against lists of allowed ports and allowed or blocked IPs, and the script can serve as a template for the other event IDs as well. Several PowerShell 3.0 features are used in this script, including its ability to 'automatically unroll' a property across an entire array (e.g. '[array[]]$b=$a.Message'). I could dearly use a much faster PowerShell method of digging 'subfield' information out of the Message field than double-piping that information to 'findstr'. The issue is that a single day of network activity generates tens of thousands of these kernel security events. An alternative for limiting the amount of information returned is the '-max' parameter (short for -MaxEvents), which takes a number of events:


#[per day]: $days_from_now holds how many days back to search
$StartTime=(Get-Date) - (New-TimeSpan -Day $days_from_now)
[array]$a=Get-WinEvent -FilterHashTable @{LogName='Security';ID=5156;StartTime=$StartTime}


#[per event]: newest 1000 events only (-max is short for -MaxEvents)
[array]$a=Get-WinEvent -FilterHashTable @{LogName='Security';ID=5156} -max 1000

# Get-WinEvent returns newest first, so the last element is the oldest event in the batch
$count=$a.count
$StartTime=($a[($count) - 1].TimeCreated)



It should also be pointed out that the ID key of the -FilterHashTable parameter will accept a range, like so:

$a=Get-WinEvent -FilterHashTable @{LogName='Security';ID=@(5150..5159)}
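One faster way to get the 'subfield' values than double-piping the Message text through 'findstr' is to read them from the event's XML, where each field is a named element. The block below is an added example, not the post's own script; it assumes the EventData names carried by 5156 on Windows 7 / 2008 R2 (Application, Direction, Protocol, SourceAddress, SourcePort, DestAddress, DestPort), includes a constructed sample record for an offline check, and uses a constructed port allow-list.

```powershell
# Added example (not the post's script): parse 5156 'subfields' from the event XML.
# Assumptions: EventData names as carried by 5156 on Windows 7 / 2008 R2;
# $allowedPorts is a constructed allow-list; the sample record is constructed.
function ConvertFrom-Wfp5156 {
    param([Parameter(ValueFromPipeline)] $Record)   # an EventLogRecord from Get-WinEvent
    process {
        [xml]$x = $Record.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            TimeCreated   = $Record.TimeCreated
            Application   = $d.Application
            Direction     = $d.Direction      # resource id: %%14592 Inbound, %%14593 Outbound
            Protocol      = [int]$d.Protocol  # IANA number: 6 = TCP, 17 = UDP
            SourceAddress = $d.SourceAddress
            SourcePort    = [int]$d.SourcePort
            DestAddress   = $d.DestAddress
            DestPort      = [int]$d.DestPort
        }
    }
}

# Offline check: a constructed record with the same TimeCreated/ToXml() shape as a real one.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>5156</EventID></System>
 <EventData>
  <Data Name="Application">\device\harddiskvolume1\windows\system32\svchost.exe</Data>
  <Data Name="Direction">%%14593</Data><Data Name="Protocol">6</Data>
  <Data Name="SourceAddress">192.168.0.11</Data><Data Name="SourcePort">49152</Data>
  <Data Name="DestAddress">74.125.224.72</Data><Data Name="DestPort">443</Data>
 </EventData>
</Event>
'@
$sample = [pscustomobject]@{ TimeCreated = Get-Date } |
    Add-Member -MemberType ScriptMethod -Name ToXml -Value ({ $sampleXml }.GetNewClosure()) -PassThru
$sample | ConvertFrom-Wfp5156 | Format-List

# Live use: the newest 1000 allowed connections from the Security log. Unique destination
# addresses, a per-port histogram, and outbound connections to ports outside the allow-list
# (the comparison the script's global variables were meant for).
$allowedPorts = 53, 80, 443
$conn = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=5156} -MaxEvents 1000 |
    ConvertFrom-Wfp5156
$conn.DestAddress | Sort-Object -Unique
$conn | Group-Object DestPort | Sort-Object Count -Descending | Select-Object Count, Name
$conn | Where-Object { $_.Direction -eq '%%14593' -and $allowedPorts -notcontains $_.DestPort } |
    Select-Object TimeCreated, Application, DestAddress, DestPort
```

Reading the XML once per event avoids two findstr passes per field, and the typed DestPort/SourcePort values can be compared directly against an allow-list instead of being matched as text.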

Sample output from this script specific to Event ID 5156:

PS C:\ps1> get-5156 100000
Count of Unique EventIDs, Destination Address, Source Address, Destination Ports from 04/30/2012 21:19:32 :
 1 Unique Event IDs out of 336
 26 Destination Addresses out of 336
 4 Source Addresses out of 336
 13 Destination Ports out of 336

EventIDs:
5156

DestinationAddress:
10.10.10.1
127.0.0.1
173.194.33.11
173.194.33.15
173.194.33.40
173.194.33.57
173.194.33.6
173.194.33.9
173.194.79.139
173.194.79.191
192.168.0.1
192.168.0.11
192.168.0.255
255.255.255.255
65.55.87.153
74.125.127.106
74.125.127.191
74.125.127.95
74.125.127.99
74.125.224.102
74.125.224.139
74.125.224.69
74.125.224.72
74.125.224.79
74.125.224.96
85.13.200.108

SourceAddress:
127.0.0.1
192.168.0.11
192.168.0.255
239.255.255.250

SourcePort:
7
8
500
00
3
152
4

995
010
330
404
