Wednesday, July 22, 2009

Parsing Vista Firewall Logs: Part I

These are the fields Vista HP writes to C:\Windows\System32\LogFiles\Firewall\pfirewall.log (the #Fields line at the top of the file defines the column order, and a "-" means the field does not apply to that record):

#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

The log meanders along as below. Note the IPv6 multicast traffic (IPv6 has no broadcast): ff02::c on UDP 3702 is the WS-Discovery multicast group, and ::1 is the loopback address:
...
2009-07-22 08:15:00 ALLOW TCP 192.168.0.11 74.125.95.139 53218 80 0 - 0 0 0 - - - SEND
2009-07-22 08:25:21 ALLOW UDP 192.168.0.8 192.168.0.255 137 137 0 - - - - - - - RECEIVE
2009-07-22 08:25:21 ALLOW UDP 192.168.0.8 192.168.0.255 137 137 0 - - - - - - - RECEIVE
2009-07-22 08:25:31 ALLOW UDP 192.168.0.8 192.168.0.255 138 138 0 - - - - - - - RECEIVE
2009-07-22 08:26:20 ALLOW UDP ::1 ::1 62537 62537 0 - - - - - - - SEND
2009-07-22 08:26:20 DROP UDP 192.168.0.11 192.168.0.1 65300 53 0 - - - - - - - SEND
2009-07-22 08:28:15 ALLOW UDP ::1 ff02::c 54218 3702 0 - - - - - - - SEND
2009-07-22 08:28:15 ALLOW UDP ::1 ff02::c 54218 3702 0 - - - - - - - RECEIVE
2009-07-22 08:28:15 ALLOW UDP ::1 ff02::c 54218 3702 0 - - - - - - - RECEIVE
2009-07-22 08:28:15 ALLOW UDP fe80::2c20:349c:3f57:fff4 ff02::c 54218 3702 0 - - - - - - - SEND
2009-07-22 08:28:47 DROP UDP 192.168.0.11 192.168.0.1 52197 53 0 - - - - - - - SEND
...

Without pcregrep, grep, gawk, awk, uniq, [unix] sort, gnuplot, etc., parsing is awkward from the native Windows cmd shell. The batch below works some magic (findstr as the filter, for /f to pick columns, sort to order them), but we will need logparser.exe and/or PowerShell (or GNUWin32 or Cygwin) to do better, faster parsing magic:

[ParseIPAllowSort.cmd]

rem Keep ALLOW records only; the #Fields header line does not match and drops out
findstr ALLOW pfirewall.log > Allowed.txt
rem Tokens a-h = date time action protocol src-ip dst-ip src-port dst-port (use %a, not %%a, at an interactive prompt)
for /f "tokens=1-8" %%a in (Allowed.txt) do @echo %%f %%h ^<^- %%e %%g %%a %%b >> AllowIP.txt
rem Reverse string sort: 99.x lands above 192.x, so this is not a numeric IP order
sort /r AllowIP.txt > SortAllowIP.txt

[output]
...
99.31.167.59 57604 <- 192.168.0.11 28656 2009-07-20 17:41:09
99.247.53.140 53591 <- 192.168.0.11 28656 2009-07-21 20:10:00
99.245.94.5 23791 <- 192.168.0.11 28656 2009-07-21 20:10:00
99.239.214.107 39950 <- 192.168.0.11 28656 2009-07-21 20:10:00
99.235.142.40 50446 <- 192.168.0.11 28656 2009-07-21 20:10:00
99.233.190.117 443 <- 192.168.0.11 28656 2009-07-21 20:10:00
99.172.37.127 38445 <- 192.168.0.11 28656 2009-07-20 18:21:45
98.28.36.109 36940 <- 192.168.0.11 28656 2009-07-21 20:10:00
98.28.36.109 36940 <- 192.168.0.11 28656 2009-07-20 20:44:03
98.28.36.109 36940 <- 192.168.0.11 28656 2009-07-20 19:23:52
98.28.36.109 36940 <- 192.168.0.11 28656 2009-07-20 18:21:27
98.28.188.233 25431 <- 192.168.0.11 28656 2009-07-20 17:48:08
98.249.81.221 10969 <- 192.168.0.11 28656 2009-07-21 08:46:43
98.249.81.221 10969 <- 192.168.0.11 28656 2009-07-20 21:39:58

.....

If we launch a full TCP port scan against my host (-PN skips host discovery, so every port is probed even though the target does not answer ping):

nmap -p 1-65535 -PN ScanTarget

Windump.exe with the latest WinPcap driver is very busy logging every attempt (-vvv verbose, -e link-layer header, -XX hex and ASCII dump, -s 0 full snaplen, -i 1 first interface). The 0a00 0003 / 0a00 0002 pair in the IP header of the hex dump is 10.0.0.3 -> 10.0.0.2, the same pair that shows up in the firewall log further down:

C:\Users\admin\Documents\Downloads>windump -vvveXX -s 0 -i 1
windump: listening on \Device\NPF_{0F82FB9D-391A-4293-9D7A-215F53E05FAE}
21:59:20.361046 00:0f:b0:fd:44:2d (oui Unknown) > 00:1d:ba:8a:dc:28 (oui Unknown), ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 41, id 3782, offset 0, flags [none], proto: TCP (6), length: 44) ScanHost.36950 > ScanTarget.11165: S, cksum 0x2072 (correct), 4211909807:4211909807(0) win 2048 <mss 1460>
0x0000:  001d ba8a dc28 000f b0fd 442d 0800 4500  .....(....D-..E.
0x0010:  002c 0ec6 0000 2906 6f02 0a00 0003 0a00  .,....).o.......
0x0020:  0002 9056 2b9d fb0c a4af 0000 0000 6002  ...V+.........`.
0x0030:  0800 2072 0000 0204 05b4 0000            ...r........

.....

Vista Firewall apparently logs only some of the dropped probes (perhaps enough to show a scanning pattern) and omits the rest, so the log is not a packet capture and any port count taken from it is a lower bound. The entries it does keep look like this. Note the scanner tells that survive even in the sample: the same sequence number (4211909807) reused from source port 36950 against 445, 139 and 135, where a real client would pick a fresh ISN per connection, and the small, varying window sizes (2048, 3072, 4096) of hand-crafted SYNs:
...
2009-07-21 21:48:12 DROP TCP 10.0.0.3 10.0.0.2 36950 445 44 S 4211909807 0 2048 - - - RECEIVE
2009-07-21 21:48:12 DROP TCP 10.0.0.3 10.0.0.2 36950 139 44 S 4211909807 0 3072 - - - RECEIVE
2009-07-21 21:48:13 DROP TCP 10.0.0.3 10.0.0.2 36951 139 44 S 4211975342 0 4096 - - - RECEIVE
2009-07-21 21:48:13 DROP TCP 10.0.0.3 10.0.0.2 36951 445 44 S 4211975342 0 4096 - - - RECEIVE
2009-07-21 21:48:13 DROP TCP 10.0.0.3 10.0.0.2 36950 135 44 S 4211909807 0 3072 - - - RECEIVE
2009-07-21 21:48:13 DROP TCP 10.0.0.3 10.0.0.2 36951 135 44 S 4211975342 0 4096 - - - RECEIVE
....
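As an added example (not code from the original post), here is the same parsing the batch file does, plus the scan-spotting logic for the DROP lines above, in Python rather than the logparser/PowerShell route the post points at. It reads the column order from the #Fields header instead of hard-coding token positions, sorts destination addresses numerically (which cmd's `sort /r` cannot do), and flags a source that hits several ports with dropped SYNs, reporting whether a (source port, sequence number) pair was reused across destination ports as in the nmap lines. The log text is constructed for the example and modelled on the lines quoted above; `min_ports` is an assumed threshold of mine, not a Windows Firewall setting.

```python
"""Parse Windows Firewall pfirewall.log records and spot SYN-scan patterns in DROP entries."""
import ipaddress
from collections import defaultdict

# Constructed sample (not a real capture): the standard pfirewall.log header
# followed by lines modelled on the ones quoted in the post.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2009-07-22 08:15:00 ALLOW TCP 192.168.0.11 74.125.95.139 53218 80 0 - 0 0 0 - - - SEND
2009-07-22 08:25:21 ALLOW UDP 192.168.0.8 192.168.0.255 137 137 0 - - - - - - - RECEIVE
2009-07-22 08:28:15 ALLOW UDP ::1 ff02::c 54218 3702 0 - - - - - - - SEND
2009-07-22 08:26:20 DROP UDP 192.168.0.11 192.168.0.1 65300 53 0 - - - - - - - SEND
2009-07-21 21:48:12 DROP TCP 10.0.0.3 10.0.0.2 36950 445 44 S 4211909807 0 2048 - - - RECEIVE
2009-07-21 21:48:12 DROP TCP 10.0.0.3 10.0.0.2 36950 139 44 S 4211909807 0 3072 - - - RECEIVE
2009-07-21 21:48:13 DROP TCP 10.0.0.3 10.0.0.2 36951 139 44 S 4211975342 0 4096 - - - RECEIVE
2009-07-21 21:48:13 DROP TCP 10.0.0.3 10.0.0.2 36951 445 44 S 4211975342 0 4096 - - - RECEIVE
2009-07-21 21:48:13 DROP TCP 10.0.0.3 10.0.0.2 36950 135 44 S 4211909807 0 3072 - - - RECEIVE
2009-07-21 21:48:13 DROP TCP 10.0.0.3 10.0.0.2 36951 135 44 S 4211975342 0 4096 - - - RECEIVE
"""

NUMERIC = ('src-port', 'dst-port', 'size', 'tcpsyn', 'tcpack', 'tcpwin')


def parse_pfirewall(text):
    """Yield one dict per record, keyed by the names in the #Fields header.

    The header is read rather than hard-coded: Windows rewrites it whenever the
    log is recreated, and reading it is what lets the parser survive a column
    change. '-' (field not applicable) becomes None for numeric columns."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('#'):
            if line.startswith('#Fields:'):
                fields = line.split()[1:]
            continue
        if fields is None:
            raise ValueError('record before any #Fields header')
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated/partial line (e.g. written during shutdown): skip, do not crash
        rec = dict(zip(fields, parts))
        for name in NUMERIC:
            rec[name] = None if rec[name] == '-' else int(rec[name])
        yield rec


def allowed_conversations(records):
    """The batch file's view (dst-ip dst-port <- src-ip src-port date time),
    ordered numerically by destination address. cmd's `sort /r` compares
    strings, so 99.x lands above 192.x; ipaddress gives the real order, and the
    (version, address) key keeps IPv4 and IPv6 apart because Python refuses to
    compare an IPv4Address with an IPv6Address directly."""
    rows = [(r['dst-ip'], r['dst-port'], r['src-ip'], r['src-port'], r['date'], r['time'])
            for r in records if r['action'] == 'ALLOW']

    def key(row):
        ip = ipaddress.ip_address(row[0])
        return (ip.version, ip, row[1] or 0)

    return sorted(rows, key=key, reverse=True)


def syn_scan_sources(records, min_ports=3):
    """Flag sources whose dropped inbound SYNs hit at least min_ports distinct ports.

    Also reports whether one (src-port, sequence number) pair was reused against
    several destination ports: a real client picks a fresh ISN per connection,
    whereas the nmap probes in the post reuse 4211909807 from port 36950 against
    445, 139 and 135. min_ports is an assumed threshold, not a Windows setting."""
    by_src = defaultdict(lambda: {'ports': set(), 'seq_ports': defaultdict(set)})
    for r in records:
        if not (r['action'] == 'DROP' and r['protocol'] == 'TCP'
                and r['path'] == 'RECEIVE' and r['tcpflags'] == 'S'):
            continue
        entry = by_src[r['src-ip']]
        entry['ports'].add(r['dst-port'])
        entry['seq_ports'][(r['src-port'], r['tcpsyn'])].add(r['dst-port'])
    return {
        src: {'ports': sorted(e['ports']),
              'reused_seq': any(len(v) > 1 for v in e['seq_ports'].values())}
        for src, e in by_src.items() if len(e['ports']) >= min_ports
    }


if __name__ == '__main__':
    recs = list(parse_pfirewall(SAMPLE_LOG))
    for row in allowed_conversations(recs):
        print('%s %s <- %s %s %s %s' % row)
    for src, info in syn_scan_sources(recs).items():
        print('possible SYN scan from %s: ports %s, reused seq=%s'
              % (src, info['ports'], info['reused_seq']))
```

To run it over the real file, pass the contents of C:\Windows\System32\LogFiles\Firewall\pfirewall.log to `parse_pfirewall` instead of `SAMPLE_LOG`. The reverse sort puts IPv6 destinations above IPv4 ones (version 6 sorts after 4), which is the same effect `sort /r` has on the ff02::c lines, only now the IPv4 block underneath is in numeric order. Because the firewall keeps only a subset of the dropped probes, treat the `ports` list as a lower bound on what the scanner actually touched.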
