Historic blog. No longer active. See also http://horizontal-logic.blogspot.com for more PowerShell code. As of 2/27/2014 all scripts are PS 4.0.
Monday, February 28, 2011
Collating and parsing netmon capture files
I have added a PowerShell function that uses logparser to mux all the netmon capture files in a directory and list unique IPs and ports.
Labels: netmon captures
Tuesday, February 15, 2011
Parsing Windows 7 Firewall Logs
I've talked quite a bit on this blog about parsing Microsoft's Windows Firewall:
- http://thinking-about-network-security.blogspot.com/2009/07/parsing-vista-firewall-logs-part-i.html
- http://thinking-about-network-security.blogspot.com/2009/07/parsing-vista-firewall-logs-part-ii.html
- http://thinking-about-network-security.blogspot.com/2009/07/parsing-vista-firewall-logs-part-iii.html
- http://thinking-about-network-security.blogspot.com/2009/08/parsing-vista-firewall-part-iv.html
- http://thinking-about-network-security.blogspot.com/2009/08/parsing-vista-firewalls-part-v.html
- http://technet.microsoft.com/en-us/network/bb545423.aspx
- http://msdn.microsoft.com/en-us/library/aa366453(v=VS.85).aspx
- http://msdn.microsoft.com/en-us/library/ee663289(v=VS.85).aspx
- http://www.microsoft.com/downloads/en/details.aspx?FamilyId=DF192E1B-A92A-4075-9F69-C12B7C54B52B&displaylang=en
Wednesday, February 2, 2011
Get-WinEvent, EventLogs, ETL, Providers on Win7 Part II
Working with Windows Tracing (ETL) logs
This is part of an ongoing research project to understand how the improved tracing providers in Windows 7 can help detect the presence of malware. Microsoft has been improving event tracing for a number of years, and the latest versions allow netsh to invoke multiple providers. After you have chosen your providers, you start the trace by referencing either the provider name or its GUID. 'netsh trace start' also accepts keyword or capture filters, which are useful if you already know which specific events you need to trace. For this example, we will not create an NDIS capture ('capture=yes'), nor will we select keywords or levels for the filters. After a few busy hours, this produces quite a bit of tracing.
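The workflow above in PowerShell, as an added example rather than one of the blog's own scripts: pick a provider, start an unfiltered trace with no NDIS capture, then read the resulting ETL with Get-WinEvent and count events per provider and event ID, which tells you which keywords or levels are worth filtering on next time. The provider name and trace file path are assumptions; it assumes an elevated session on Windows 7 or later.

```powershell
# Added example, not the blog's own script. Assumes an elevated PowerShell session on
# Windows 7 or later; the provider name and trace file path below are placeholders.
$Provider  = 'Microsoft-Windows-Kernel-Process'   # assumption: substitute the provider you chose
$TraceFile = Join-Path $env:TEMP 'research.etl'    # assumption: where the ETL is written

function Find-TraceProvider {
    # Step 1: choose providers. Lists registered ETW providers whose name matches the
    # pattern, with their GUIDs, so the trace can be started by name or by GUID.
    param([string]$Pattern = '*Kernel*')
    Get-WinEvent -ListProvider $Pattern | Select-Object Name, Id
}

function Start-ResearchTrace {
    # Step 2: start the trace. capture=no means no NDIS packet capture; no keywords= or
    # level= arguments are given, so every event the provider emits is recorded.
    netsh trace start "provider=$Provider" capture=no "tracefile=$TraceFile"
}

function Stop-ResearchTrace {
    # netsh finalizes the ETL on stop; until then Get-WinEvent cannot read it completely.
    netsh trace stop
}

function Get-TraceSummary {
    # Step 3: read the ETL. -Oldest is required for .etl input. Grouping by provider and
    # event ID shows which events account for the volume, which is what you need to know
    # when deciding which keywords or levels to filter on in the next trace.
    param([string]$Path = $TraceFile, [int]$Top = 15)
    Get-WinEvent -Path $Path -Oldest |
        Group-Object ProviderName, Id |
        Sort-Object Count -Descending |
        Select-Object -First $Top Count, Name
}

# Typical session (leave the system busy for a while between start and stop):
# Find-TraceProvider -Pattern '*Kernel-Process*'
# Start-ResearchTrace
# Start-Sleep -Seconds 600
# Stop-ResearchTrace
# Get-TraceSummary
```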
Labels: netsh ETL tracing