Re: Port & Executable Monitoring & Logging

[Ansgar Wiechers <bugtraq () planetcobalt net>]

On 2011-06-23 Michael Painter wrote:
> On Jun 21, 2011, at 12:54 PM, jstemp105 () gmail com wrote:
> > I have been working with the IPS systems within my corporate
> > workplace and we have noticed some strange activity where a virtual
> > Windows file server is attempting to connect to workstations, on the
> > same subnet, through local TCP port 88.  The IPS systems that we
> > have in place on the workstations in our organization are detecting
> > these connections and is blocking them by considering them port
> > scans.  The connections are incoming from the file server to the
> > workstations.
> >
> > Placing a packet capture on the network and server did no good as
> > the workstations blocked them and the workstations that didn't block
> > the connections would only reply with a reset flag.
> >
> > These connections happen at the most sporadic times ranging anywhere
> > throughout the day or night.  We would like to put a program on the
> > server that will monitor for executables and what port they run on
> > or open up.  This program must be able to log the instances and be
> > able to filter what ports are being monitored.  Does anyone know of
> > any software programs that will run on Server 2008 and have the
> > above stated capabilities?
>
> I'd give MSofts Port Reporter and its Parser a try:
> Overview
> The Port Reporter tool logs TCP and UDP port activity. The tool is a
> small program that runs as a service on a computer that is running
> Windows Server 2003, Windows XP, or Windows 2000.
>
> On Windows Server 2003 and on Windows XP-based computers, the service
> can log the following information:
>  a.. The ports that are used
>  b.. The processes that use the port
>  c.. Whether a process is a service
>  d.. The modules that a process loaded
>  e.. The user accounts that run a process

URL: http://support.microsoft.com/kb/837243

I second Port Reporter. However, if the OP wants something that doesn't
require installation and can be run interactively , Process Monitor [1]
might be another option.

One could also use Wireshark [2] or Network Monitor [3] to analyze the
packets. Or at least hook something like netcat [4] to port 88/tcp on some
clients and see what the server actually tries to send (of course the
clients will respond with TCP-RST if there's not listening socket on
that port).

[1] http://technet.microsoft.com/en-us/sysinternals/bb896645
[2] http://www.wireshark.org/
[3] http://support.microsoft.com/kb/933741
[4] http://joncraton.org/blog/netcat-for-windows

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------