From OSSEC Wiki


Here are log samples from the Windows Port Reporter. The description of the tool and its log files is here.

This is the Port usage log - PR-PORTS-06-11-12-0-17-42.log

Port Reporter Version 1.01 Log File - Port usage log

Check PR-PIDS-06-11-12-0-17-42.log for corresponding process data

Log format:
date,time,protocol,local port,local IP address,remote port,remote IP address,PID,module,user context

06/11/12,12:30:12,UDP,4515,127.0.0.1,*,*,748,svchost.exe,<NT AUTHORITY\SYSTEM>
06/11/12,12:30:40,UDP,4513,192.119.19.1,*,*,748,svchost.exe,<NT AUTHORITY\SYSTEM>
06/11/12,12:30:54,UDP,4514,192.119.83.1,*,*,748,svchost.exe,<NT AUTHORITY\SYSTEM>
06/11/12,12:31:21,TCP,2869,0.0.0.0,,0.0.0.0,1256,svchost.exe,<NT AUTHORITY\LOCAL SERVICE>
06/11/12,12:31:24,TCP,139,170.32.55.8,,0.0.0.0,4,System,
06/11/12,12:31:24,TCP,4557,170.32.55.8,80,128.52.249.104,1496,ccProxy.exe,<NT AUTHORITY\SYSTEM>
06/11/12,12:31:26,TCP,4559,170.32.55.8,80,139.138.235.8,1496,ccProxy.exe,<NT AUTHORITY\SYSTEM>
06/11/12,12:31:34,TCP,1027,127.0.0.1,4556,127.0.0.1,1496,ccProxy.exe,<NT AUTHORITY\SYSTEM>
06/11/12,12:31:40,TCP,1027,127.0.0.1,4558,127.0.0.1,1496,ccProxy.exe,<NT AUTHORITY\SYSTEM>
06/11/12,12:31:45,TCP,4556,127.0.0.1,1027,127.0.0.1,748,svchost.exe,<NT AUTHORITY\SYSTEM>
06/11/12,12:31:57,TCP,4558,127.0.0.1,1027,127.0.0.1,748,svchost.exe,<NT AUTHORITY\SYSTEM>
06/11/12,12:32:5,TCP,2869,192.119.1.8,1079,192.119.1.138,0,System Idle,
06/11/12,12:32:5,TCP,2869,192.119.1.8,1080,192.119.1.138,0,System Idle,
06/11/12,12:32:5,TCP,2869,192.119.1.8,1081,192.119.1.138,0,System Idle,
06/11/12,12:32:8,TCP,4561,170.32.55.8,80,139.46.211.124,1496,ccProxy.exe,<NT AUTHORITY\SYSTEM>
06/11/12,12:32:14,TCP,4571,170.32.55.8,80,195.142.228.136,0,System Idle,
06/11/12,12:32:17,TCP,4575,170.32.55.8,80,211.73.177.115,0,System Idle,
06/11/12,12:32:20,TCP,4577,170.32.55.8,443,128.52.249.118,3640,firefox.exe,<XYLAR\nomad>
06/11/12,12:32:21,TCP,4585,170.32.55.8,80,195.142.228.136,0,System Idle,
06/11/12,12:32:21,TCP,4587,170.32.55.8,80,195.142.228.136,0,System Idle,
06/11/12,12:32:21,TCP,4588,170.32.55.8,80,139.138.234.114,1496,ccProxy.exe,<NT AUTHORITY\SYSTEM>
06/11/12,12:32:21,TCP,1027,127.0.0.1,4560,127.0.0.1,1496,ccProxy.exe,<NT AUTHORITY\SYSTEM>
06/11/12,12:32:22,TCP,1027,127.0.0.1,4579,127.0.0.1,0,System Idle,
06/11/12,12:32:22,TCP,1027,127.0.0.1,4583,127.0.0.1,1496,ccProxy.exe,<NT AUTHORITY\SYSTEM>
06/11/12,12:32:24,TCP,1027,127.0.0.1,4591,127.0.0.1,1496,ccProxy.exe,<NT AUTHORITY\SYSTEM>
06/11/12,12:32:29,TCP,4560,127.0.0.1,1027,127.0.0.1,748,svchost.exe,<NT AUTHORITY\SYSTEM>
06/11/12,12:32:36,TCP,4568,127.0.0.1,1027,127.0.0.1,0,System Idle,
06/11/12,12:32:36,TCP,4570,127.0.0.1,1027,127.0.0.1,0,System Idle,
06/11/12,12:32:37,TCP,4574,127.0.0.1,1027,127.0.0.1,0,System Idle,
06/11/12,12:32:37,TCP,4581,127.0.0.1,1027,127.0.0.1,0,System Idle,
06/11/12,12:32:38,TCP,4583,127.0.0.1,1027,127.0.0.1,3640,firefox.exe,<XYLAR\nomad>
06/11/12,12:32:44,TCP,4584,127.0.0.1,1027,127.0.0.1,0,System Idle,
06/11/12,12:32:47,TCP,4586,127.0.0.1,1027,127.0.0.1,0,System Idle,
06/11/12,12:32:51,TCP,4589,127.0.0.1,1027,127.0.0.1,0,System Idle,
06/11/12,12:32:52,TCP,4591,127.0.0.1,1027,127.0.0.1,3640,firefox.exe,<XYLAR\nomad>
06/11/12,12:32:53,TCP,4592,170.32.55.8,80,195.142.228.136,0,System Idle,
06/11/12,12:32:53,TCP,4598,170.32.55.8,80,139.138.234.107,1496,ccProxy.exe,<NT AUTHORITY\SYSTEM>
06/11/12,12:32:53,TCP,4604,170.32.55.8,80,139.138.234.96,1496,ccProxy.exe,<NT AUTHORITY\SYSTEM>
06/11/12,12:32:53,TCP,4605,170.32.55.8,80,139.138.234.96,1496,ccProxy.exe,<NT AUTHORITY\SYSTEM>
06/11/12,12:32:54,TCP,4606,170.32.55.8,80,195.142.228.136,0,System Idle,
06/11/12,12:32:58,TCP,1027,127.0.0.1,4593,127.0.0.1,0,System Idle,
06/11/12,12:33:3,TCP,1027,127.0.0.1,4597,127.0.0.1,1496,ccProxy.exe,<NT AUTHORITY\SYSTEM>
06/11/12,12:33:7,TCP,1027,127.0.0.1,4601,127.0.0.1,1496,ccProxy.exe,<NT AUTHORITY\SYSTEM>
06/11/12,12:33:7,TCP,1027,127.0.0.1,4602,127.0.0.1,1496,ccProxy.exe,<NT AUTHORITY\SYSTEM>
06/11/12,12:33:7,TCP,4595,127.0.0.1,1027,127.0.0.1,0,System Idle,
06/11/12,12:33:7,TCP,4597,127.0.0.1,1027,127.0.0.1,3640,firefox.exe,<XYLAR\nomad>
06/11/12,12:33:8,TCP,4599,127.0.0.1,1027,127.0.0.1,0,System Idle,
06/11/12,12:33:8,TCP,4601,127.0.0.1,1027,127.0.0.1,3640,firefox.exe,<XYLAR\nomad>
06/11/12,12:33:8,TCP,4602,127.0.0.1,1027,127.0.0.1,3640,firefox.exe,<XYLAR\nomad>
06/11/12,12:33:8,TCP,4603,127.0.0.1,1027,127.0.0.1,0,System Idle,
06/11/12,12:33:8,TCP,4607,127.0.0.1,1027,127.0.0.1,0,System Idle,
06/11/12,12:33:11,TCP,4609,170.32.55.8,443,139.46.211.124,748,svchost.exe,<NT AUTHORITY\SYSTEM>
06/11/12,12:33:25,TCP,4611,170.32.55.8,80,139.138.235.8,1496,ccProxy.exe,<NT AUTHORITY\SYSTEM>
06/11/12,12:33:25,TCP,1027,127.0.0.1,4610,127.0.0.1,1496,ccProxy.exe,<NT AUTHORITY\SYSTEM>
06/11/12,12:33:25,TCP,4610,127.0.0.1,1027,127.0.0.1,748,svchost.exe,<NT AUTHORITY\SYSTEM>
06/11/12,12:33:49,TCP,4613,170.32.55.8,80,216.109.118.82,1496,ccProxy.exe,<NT AUTHORITY\SYSTEM>
06/11/12,12:33:57,TCP,1027,127.0.0.1,4612,127.0.0.1,1496,ccProxy.exe,<NT AUTHORITY\SYSTEM>
06/11/12,12:33:57,TCP,4612,127.0.0.1,1027,127.0.0.1,3640,firefox.exe,<XYLAR\nomad>
06/11/12,12:33:58,TCP,4619,170.32.55.8,80,139.138.234.121,1496,ccProxy.exe,<NT AUTHORITY\SYSTEM>
06/11/12,12:33:58,TCP,4621,170.32.55.8,80,195.142.228.136,0,System Idle,
06/11/12,12:33:58,TCP,4623,170.32.55.8,80,139.138.234.107,1496,ccProxy.exe,<NT AUTHORITY\SYSTEM>
06/11/12,12:33:58,TCP,4625,170.32.55.8,80,139.138.234.107,1496,ccProxy.exe,<NT AUTHORITY\SYSTEM>
06/11/12,12:33:59,TCP,4627,170.32.55.8,80,211.73.186.238,1496,ccProxy.exe,<NT AUTHORITY\SYSTEM>
06/11/12,12:33:59,TCP,1027,127.0.0.1,4614,127.0.0.1,0,System Idle,
06/11/12,12:33:59,TCP,1027,127.0.0.1,4616,127.0.0.1,0,System Idle,
06/11/12,12:33:59,TCP,1027,127.0.0.1,4618,127.0.0.1,1496,ccProxy.exe,<NT AUTHORITY\SYSTEM>
06/11/12,12:33:59,TCP,1027,127.0.0.1,4622,127.0.0.1,1496,ccProxy.exe,<NT AUTHORITY\SYSTEM>
06/11/12,12:33:59,TCP,1027,127.0.0.1,4624,127.0.0.1,1496,ccProxy.exe,<NT AUTHORITY\SYSTEM>
06/11/12,12:33:59,TCP,1027,127.0.0.1,4626,127.0.0.1,1496,ccProxy.exe,<NT AUTHORITY\SYSTEM>
06/11/12,12:34:4,TCP,4618,127.0.0.1,1027,127.0.0.1,3640,firefox.exe,<XYLAR\nomad>

Samples of the other log files associated with the tool (PR-INITIAL-*.log and PR-PIDS-*.log) are on the Microsoft Site that was linked to at the top of the page.


Some suggestions on possible usage:

  Identifying network connections to suspicious ports (e.g. known trojan or malware ports).
  Detecting anomalous network connections, i.e. baselining the system to learn typical connection
  behaviour, then alerting on things not seen before (first time seeing a service listening or
  being connected to, first time seeing a service/application running under a particular user
  context, etc.).
  Correlating with syscheck to identify changes to files (or creation of new files) followed by
  new modules being loaded or connections made to ports opened by those changed or new files.
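As an added example (not code from OSSEC or from the Port Reporter tool), the Python below parses PR-PORTS records, handling the quirks visible in the sample above, and implements the baselining suggestion: it learns from the first records and then alerts once on a module/user context, a bound or listening port, or a connection service port not seen before. The sample records are copied from this page; the inbound/outbound split (local port seen listening, or the lower port number) is an assumed heuristic.

```python
# Added example, not OSSEC or Port Reporter code. Field order follows the
# "Log format:" header of the PR-PORTS log; the sample records are from this page.
from collections import namedtuple

Entry = namedtuple("Entry", "date time proto lport lip rport rip pid module user")

SAMPLE = r"""
06/11/12,12:30:12,UDP,4515,127.0.0.1,*,*,748,svchost.exe,<NT AUTHORITY\SYSTEM>
06/11/12,12:31:21,TCP,2869,0.0.0.0,,0.0.0.0,1256,svchost.exe,<NT AUTHORITY\LOCAL SERVICE>
06/11/12,12:31:24,TCP,4557,170.32.55.8,80,128.52.249.104,1496,ccProxy.exe,<NT AUTHORITY\SYSTEM>
06/11/12,12:31:34,TCP,1027,127.0.0.1,4556,127.0.0.1,1496,ccProxy.exe,<NT AUTHORITY\SYSTEM>
06/11/12,12:32:5,TCP,2869,192.119.1.8,1079,192.119.1.138,0,System Idle,
06/11/12,12:32:20,TCP,4577,170.32.55.8,443,128.52.249.118,3640,firefox.exe,<XYLAR\nomad>
06/11/12,12:33:11,TCP,4609,170.32.55.8,443,139.46.211.124,748,svchost.exe,<NT AUTHORITY\SYSTEM>
""".strip().splitlines()

def parse_line(line):
    """Return an Entry for one record, or None for header/blank/malformed lines.
    Quirks: remote port/IP are '*' for UDP and empty for a listening TCP socket;
    user context is in <...> and empty for PID 0/4; seconds are not zero-padded."""
    parts = line.rstrip("\r\n").split(",")
    if len(parts) != 10 or parts[2] not in ("TCP", "UDP"):
        return None
    date, hms, proto, lport, lip, rport, rip, pid, module, user = parts
    h, m, s = (int(x) for x in hms.split(":"))
    return Entry(date, "%02d:%02d:%02d" % (h, m, s), proto, int(lport), lip,
                 rport or "listen", rip, int(pid), module, user.strip("<>") or "-")

def baseline_keys(e, known):
    """Keys to baseline, after the wiki's suggestions: a module under a user context,
    a bound/listening port, and the service side of a TCP connection (inbound if the
    local port was seen listening or is the lower port, a heuristic; else outbound)."""
    keys = [("module/user", e.module, e.user)]
    if e.proto == "UDP" or e.rport == "listen":
        keys.append(("listening", e.proto, e.lport))
    elif ("listening", "TCP", e.lport) in known or e.lport < int(e.rport):
        keys.append(("inbound", e.lport))
    else:
        keys.append(("outbound", int(e.rport)))
    return keys

def first_seen_alerts(lines, learn):
    """Learn from the first `learn` records, then alert once per key not seen before."""
    known, alerts = set(), []
    for n, e in enumerate(filter(None, map(parse_line, lines))):
        new = [k for k in baseline_keys(e, known) if k not in known]
        known.update(new)
        if n >= learn:
            alerts.extend((e.date + " " + e.time, k, e.pid, e.module) for k in new)
    return alerts
```

Run it on a full PR-PORTS file with `first_seen_alerts(open(path), learn=N)`; with the seven sample records and `learn=4` it reports the System Idle connection to port 2869 and firefox.exe running under XYLAR\nomad with its first outbound 443 connection.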