RE: process tracking
Mar 28 2004 02:50AM, Robert Blackwell (robert snrdesigns com) (1 replies)
This would not help for existing event logs but for future use try using
Snare to generate syslog messages to feed into KIWI Syslog and set up
filters from there to trap what you are interested in. Based on that, you
could generate an email for a critical event or just dump into a SQL
database for generating reports. This would allow you to monitor all of your
servers.

Robert

-----Original Message-----
From: Joanna Rutkowska [mailto:joanna (at) mailsnare (dot) net [email concealed]]
Sent: Friday, March 26, 2004 5:21 AM
To: focus-ms (at) securityfocus (dot) com [email concealed]
Subject: process tracking

Hi,

Does anybody know a good tool for analysis of process tracking event
log messages (id 592 and 593) in Windows 2000/2003? But please do not tell
me about:

    dumpel -f procs.txt -e 592 593 -m security -l security

since it is very lame (parsing the resulting file in Excel, for example, is
very problematic). I would like to have a report which would display:

1) the names of all the processes ever run in the system.
2) for each process from point 1, I would like to see *how* it was
created, i.e. by which parent processes. This is IMO extremely important
for discovering things like cmd.exe started by sqlserv.exe, for example,
which is the obvious sign of some simple shellcodes.

I have spent some time researching process hiding techniques (aka
rootkits), some smart ways of discovering these hidden processes, and
other methods of better hiding, etc... However, I realized that maybe
this whole hide and seek game is not necessary, since Windows admins seem to
not have any good tool for accounting even unhidden processes...

regards,
joanna.

---------------------------------------------------------------------------
Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN,
wireless security
Protect your network against hackers, viruses, spam and other risks with
Astaro Security Linux, the comprehensive security solution that combines six
applications in one software solution for ease of use and lower total cost
of ownership.
Download your free trial at
http://www.securityfocus.com/sponsor/Astaro_focus-ms_040301
---------------------------------------------------------------------------
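As an added example (not from the thread, and not a tool either poster names), here is a small Python script that produces the report Joanna asks for from process tracking events 592 and 593. It replays the events in order and keeps a PID-to-image table, so the Creator Process ID of a 592 resolves to the parent that actually owned that PID at the time, even after Windows reuses a PID freed by a 593; it also flags the thread's cmd.exe-under-SQL-Server case. The one-event-per-line input format and the sample events are constructed; the regexes assume the field names of the 592/593 event descriptions, and the sample uses the real SQL Server binary name sqlservr.exe rather than the thread's "sqlserv.exe".

```python
import re
from collections import defaultdict

# Constructed sample (not real logs): one event per line as "<id>\t<description>",
# in chronological order, using the field names of Windows 2000/2003 event 592
# (process created) and 593 (process exited). PID 2000 is reused after cmd.exe
# exits, so a naive creator-PID lookup would call notepad.exe a child of cmd.exe.
SAMPLE_EVENTS = """\
592\tA new process has been created: New Process ID: 1234 Image File Name: C:\\WINNT\\system32\\services.exe Creator Process ID: 400 User Name: SYSTEM Domain: NT AUTHORITY Logon ID: (0x0,0x3E7)
592\tA new process has been created: New Process ID: 1500 Image File Name: C:\\MSSQL\\Binn\\sqlservr.exe Creator Process ID: 1234 User Name: SYSTEM Domain: NT AUTHORITY Logon ID: (0x0,0x3E7)
592\tA new process has been created: New Process ID: 2000 Image File Name: C:\\WINNT\\system32\\cmd.exe Creator Process ID: 1500 User Name: SYSTEM Domain: NT AUTHORITY Logon ID: (0x0,0x3E7)
593\tA process has exited: Process ID: 2000 Image File Name: C:\\WINNT\\system32\\cmd.exe User Name: SYSTEM Domain: NT AUTHORITY Logon ID: (0x0,0x3E7)
592\tA new process has been created: New Process ID: 2000 Image File Name: C:\\WINNT\\explorer.exe Creator Process ID: 1234 User Name: admin Domain: LAB Logon ID: (0x0,0x1A2B3)
592\tA new process has been created: New Process ID: 2100 Image File Name: C:\\WINNT\\system32\\notepad.exe Creator Process ID: 2000 User Name: admin Domain: LAB Logon ID: (0x0,0x1A2B3)
"""

CREATED_RE = re.compile(r"New Process ID:\s*(\d+)\s+Image File Name:\s*(.+?)\s+Creator Process ID:\s*(\d+)")
EXITED_RE = re.compile(r"Process ID:\s*(\d+)\s+Image File Name:\s*(.+?)\s+User Name:")

# Parent/child pairs that should raise an alert; the thread's example is a shell
# spawned by SQL Server (the real binary name is sqlservr.exe).
SUSPICIOUS_PAIRS = {("sqlservr.exe", "cmd.exe")}

def basename(path):
    """C:\\WINNT\\system32\\cmd.exe -> cmd.exe, lower-cased for matching."""
    return path.rsplit("\\", 1)[-1].lower()

def build_report(text):
    """Replay events in order; return ({image: {parent images}}, [(parent, child, pid)]).
    A PID -> image table is kept as we go: 592 adds the new process and resolves its
    creator through it, 593 removes the exited one, so a reused PID is attributed to
    whichever process currently owns it."""
    live, parents, alerts = {}, defaultdict(set), []
    for line in text.splitlines():
        event_id, _, desc = line.partition("\t")
        if event_id == "592" and (m := CREATED_RE.search(desc)):
            pid, image, creator = int(m.group(1)), basename(m.group(2)), int(m.group(3))
            # Creator not in the table (started before auditing began): say so, don't guess.
            parent = live.get(creator, f"<unknown pid {creator}>")
            live[pid] = image
            parents[image].add(parent)
            if (parent, image) in SUSPICIOUS_PAIRS:
                alerts.append((parent, image, pid))
        elif event_id == "593" and (m := EXITED_RE.search(desc)):
            live.pop(int(m.group(1)), None)
    return dict(parents), alerts

if __name__ == "__main__":
    report, alerts = build_report(SAMPLE_EVENTS)
    for image, who in sorted(report.items()):
        print(f"{image:14} started by: {', '.join(sorted(who))}")
    print("alerts:", alerts)
```

To use it on a real export, feed it lines in the same "<id>\t<description>" shape (e.g. reshaped dumpel or Snare output); processes that were running before process tracking was enabled show up as "<unknown pid N>" parents rather than being guessed.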