Tuesday, February 15, 2011

Parsing Windows 7 Firewall Logs

I've talked quite a bit on this blog about parsing Microsoft's Windows Firewall logs.
There are a number of Microsoft sites with more information on Windows Firewall:
This post is the report output of two scripts (1, 2) designed to suggest a "Windows Firewall Log Parsing" framework.
There are several issues with parsing information from Windows Firewall logs:
  1. Windows Firewall is only one of three native sources of network data offered by Microsoft; the other two are Network Monitor and ETL tracing (Kernel TCP/IP and NDIS Capture).
  2. Windows Firewall must be configured for complete logging (dropped and successful connections), and by default the log rotates into only one backup file (pfirewall.log.old) when it reaches its size limit, so older entries are lost.
  3. The log file can be exceptionally large depending on configuration.
Processing 'pfirewall.log'[1] with PowerShell was a lengthy affair until multi-core processors and PowerShell V2. These two scripts (1, 2), one which uses only PowerShell and the other which depends upon Microsoft's Log Parser 2.2, could serve as templates for further processing and analysis. The next step would be to develop a series of rulesets that parse and count the unique results for 'anomalous' activity. What kind of rulesets? Here are some thoughts:

  1. A comparison of destination IPs to the external firewall's 'Block' list.
  2. A comparison of destination or source IPs to the ISC's daily list of top 100 IPs.
  3. A comparison of destination or source IPs to the StopBadware database.
  4. A subset of IPs known as business competitors.
  5. A chronology of outbound activity on "known suspect" ports.
  6. A chronology of outbound activity on "known good" ports used for suspect activity.
  7. A chronology of outbound activity on either "known good" or "known suspect" ports to targets that are not part of the "previously known profile" for those ports.
Additional rulesets could be developed based on 'tuple' analysis. For example, given the following ordered set (action, protocol, src-ip, dst-ip, src-port, dst-port, path, as named in the log's '#Fields:' header):
'DROP UDP 192.168.0.15 255.255.255.255 68 67 RECEIVE'

  • Would it be expected behavior for this host to RECEIVE a datagram from the srcIP ("192.168.0.15") addressed to the broadcast dstIP ("255.255.255.255")?
  • Would it be expected behavior for that same pair on dstPort ("67") from srcPort ("68"), i.e. a DHCP client-to-server broadcast?
  • What is the expected 'action' in either case (e.g. DROP or ALLOW)?
For now, I leave this as an exercise for the reader, as I do any 'vis-sec' presentations of this data. PowerShell V2 and Log Parser 2.2 are the engines for these scripts, but other data mining techniques (Perl, GAWK, T-SQL, etc.) could be more scalable and useful. PowerShell has the advantage of being (1) native to Windows 7, (2) configurable for remote invocation of scripts, and (3) configurable as domain-based scripting.
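As an added example, and not one of the two scripts linked from this post, here is a PowerShell V2-style sketch that turns pfirewall.log lines into objects using the file's own '#Fields:' header, then runs rule 1, rule 5 and the tuple check from the lists above over them. The log lines, the block list, the suspect-port list and the tuple profile are constructed stand-ins; in practice they would come from the external firewall, a feed such as the ISC list, and a baseline period of your own logs.

```powershell
# Added example (not the post's scripts 1 or 2): parse pfirewall.log into objects
# and run three of the rule-set ideas above. Written to stay PowerShell V2-compatible.

# Constructed sample in the Windows Firewall log format (real files carry the same
# "#Fields:" header). Addresses are documentation ranges, not real hosts.
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2011-02-15 09:15:01 DROP UDP 192.168.0.15 255.255.255.255 68 67 328 - - - - - - - RECEIVE
2011-02-15 09:15:02 ALLOW TCP 192.168.0.20 203.0.113.7 49201 443 0 - 0 0 0 - - - SEND
2011-02-15 09:16:10 ALLOW TCP 192.168.0.20 198.51.100.9 49202 6667 0 - 0 0 0 - - - SEND
2011-02-15 09:17:45 DROP TCP 198.51.100.44 192.168.0.20 51000 445 48 S 1234 0 8192 - - - RECEIVE
'@

# Streams log lines (from a string or from Get-Content) into objects whose property
# names come from the "#Fields:" header with the hyphens removed (src-ip -> srcip).
function ConvertFrom-FirewallLog {
    param([Parameter(ValueFromPipeline=$true)][string]$Line)
    begin { $fields = $null }
    process {
        if ($Line -match '^#Fields:\s*(.+)$') {
            $fields = @($Matches[1].Trim() -split '\s+' | ForEach-Object { $_ -replace '-', '' })
            return
        }
        if ($Line -match '^\s*$' -or $Line.StartsWith('#')) { return }
        if (-not $fields) { throw "Data line seen before a #Fields header: $Line" }
        $values = $Line.Trim() -split '\s+'
        $props = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) {
            $props[$fields[$i]] = '-'
            if ($i -lt $values.Count) { $props[$fields[$i]] = $values[$i] }
        }
        New-Object PSObject -Property $props
    }
}

# Tuple rule: protocol/dst-port/path -> expected action. The baseline is hypothetical;
# in practice it would be counted out of a known-clean period of the same logs.
function Test-TupleProfile {
    param([Parameter(ValueFromPipeline=$true)]$Entry, [hashtable]$Baseline)
    process {
        $key = '{0}/{1}/{2}' -f $Entry.protocol, $Entry.dstport, $Entry.path
        $finding = $null
        if (-not $Baseline.ContainsKey($key)) {
            $finding = "tuple $key not in profile"
        } elseif ($Baseline[$key] -ne $Entry.action) {
            $finding = 'expected {0} for {1}, saw {2}' -f $Baseline[$key], $key, $Entry.action
        }
        if ($finding) {
            $Entry | Add-Member -MemberType NoteProperty -Name Finding -Value $finding -PassThru
        }
    }
}

$entries = @($sample -split "`r?`n" | ConvertFrom-FirewallLog)
# Against the live files, read the rotated file first (if it exists) so the chronology is intact:
# $entries = @(Get-Content "$env:windir\System32\LogFiles\Firewall\pfirewall.log.old",
#                          "$env:windir\System32\LogFiles\Firewall\pfirewall.log" | ConvertFrom-FirewallLog)

# Rule 1: either endpoint on the external firewall's block list (constructed list).
$blockList = @('198.51.100.9', '198.51.100.44')
"`n== Block-list hits =="
$entries | Where-Object { $blockList -contains $_.srcip -or $blockList -contains $_.dstip } |
    Select-Object date, time, action, protocol, srcip, dstip, dstport, path | Format-Table -AutoSize

# Rule 5: chronology of outbound (path = SEND) traffic to "known suspect" ports (constructed list).
$suspectPorts = @('6667', '4444')
"`n== Outbound to suspect ports =="
$entries | Where-Object { $_.path -eq 'SEND' -and $suspectPorts -contains $_.dstport } |
    Sort-Object date, time | Select-Object date, time, srcip, dstip, dstport | Format-Table -AutoSize

# Tuple rule: anything outside the profile, or with an unexpected action, is reported.
$knownProfile = @{
    'UDP/67/RECEIVE' = 'DROP'    # other hosts' DHCP broadcasts: expected, and expected to be dropped
    'TCP/443/SEND'   = 'ALLOW'   # outbound HTTPS
}
"`n== Tuple findings =="
$entries | Test-TupleProfile -Baseline $knownProfile |
    Select-Object date, time, action, protocol, srcip, dstip, dstport, path, Finding | Format-Table -AutoSize
```

On the constructed sample, the block-list rule reports the IRC connection and the inbound SMB attempt, the suspect-port rule reports only the outbound 6667 connection, and the tuple rule flags those same two entries as tuples outside the profile while the DHCP broadcast and the HTTPS connection pass. Because the parser is pipeline-driven it never holds the whole file in memory, which matters for the large logs noted above; the trade-off is that Log Parser 2.2 will still be faster for ad hoc aggregation across many gigabytes.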

[1] By default located at 'C:\Windows\System32\LogFiles\Firewall\pfirewall.log'