SECURE LOGGING IN A WINDOWS 2K ENVIRONMENT CONT...

Tiger Shark from Antionline has kindly given his permission for his tutorial to be hosted at The Taz.

You can find the original post here: http://www.antionline.com/showthread.php?s=&threadid=246159

Enjoy

'Copy the file to local archive before working on it
'==========================================
'
'strNewName (today's log name without the ".txt") and the Delfile sub, which
'removes the file named by strFilename when it is empty, come from the first
'part of this tutorial. linestrp is the command line filter used for every
'extraction: /O names the output file, /FS gives the text to look for, /q is
'presumably quiet mode, and, as the script uses them, /dn keeps only the
'lines containing the text while /dp throws those lines away. <009> inside a
'search string is a tab (ASCII 9), the field separator of an exported event
'log record.

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set WshShell = WScript.CreateObject("WScript.Shell")

'Keep an untouched copy of the raw log before anything is filtered out of it.
'CopyFile overwrites by default, so an older archive with the same name is replaced.
objFSO.CopyFile "C:\Log analysis\" & strNewName & ".txt", "C:\Log analysis\old\"

'Every extraction below is the same three steps, so they are done once here:
'filter strInput for strSearch into strNewName-<strSuffix>.txt, wait for
'linestrp to finish, then let Delfile remove the output if nothing matched.
'linestrp is given bare file names, so the script has to be run from
'C:\Log analysis.
Sub Extract(strInput, strSuffix, strSearch, strMode)
    strFilename = strNewName & "-" & strSuffix & ".txt"
    WshShell.Run "linestrp " & strInput & " /O " & strFilename & " /FS " & strSearch & " /q " & strMode, , True
    Delfile
End Sub

strLog = strNewName & ".txt"

'Dump the Snort Logs
'=================

Extract strLog, "Snort", "auth.alert", "/dn"

'Remove the Portscans From strNewName-Snort.txt
'========================================
'This one filters the Snort file just written, not the raw log.

Extract strNewName & "-Snort.txt", "Alerts", "portscan", "/dp"

'Dump the Firewall Entries
'=================
'XXX.XXX.XXX.XXX is the Fort firewall's address, masked in the original post.

Extract strLog, "Stealth", "Stealth", "/dn"                  'Dump the Stealth Scans
Extract strLog, "Portscan", "TOTAL time(", "/dn"             'Dump the Portscans
Extract strLog, "IPv6", "ipv6 (", "/dn"                      'Dump the IPv6 Packets
Extract strLog, "Blocked", "(blocked site)", "/dn"           'Dump the Blocked Sites
Extract strLog, "DenyIn", "Deny in", "/dn"                   'Dump the Deny In
Extract strLog, "DenyOut", "Deny out", "/dn"                 'Dump the Deny Out
Extract strLog, "ICMP", "icmp", "/dn"                        'Dump the ICMP
Extract strLog, "FortFirewall", "XXX.XXX.XXX.XXX", "/dn"     'Dump the Fort Firewall Entries

'Dump the IIS Logs, 404's and 403's
'=================
'"404" and "403" are matched anywhere in a line, so an address, port number
'or timestamp containing those digits lands in these files too. Read them
'with that in mind rather than treating every line as a web hit.

Extract strLog, "IISLogs", "daemon.info", "/dn"
Extract strLog, "IIS404", "404", "/dn"
Extract strLog, "IIS403", "403", "/dn"

'Dump the VPN Connections, Bad Authentications and SYN Connections
'================================

Extract strLog, "VPN", "pptpd[", "/dn"
Extract strLog, "VPNBadAuth", "Unable to authenticate.", "/dn"
Extract strLog, "VPN_SYN", "VPN SYN Connection", "/dn"

'Dump the Terminal Services and SSL Connections
'================================

Extract strLog, "TermServ", "TerminalServices", "/dn"
Extract strLog, "SSL", "SSL", "/dn"

'Dump the Account Lockouts
'===========================

Extract strLog, "Lockouts", "Account Locked out", "/dn"

'Dump the Logon Failures, one file per host
'===========================
'The tabs on either side of the host name stop "NS2" from also matching a
'host whose name merely starts with NS2. The host in the search string must
'be the host the output file is named for: a filter copied from the NS2 line
'would only reproduce the NS2 file under another name. Host names are masked
'as in the original post.

Extract strLog, "XXXXXXX", "Failure Audit<009>XXXXX<009>Account Logon", "/dn"
Extract strLog, "NS2", "Failure Audit<009>NS2<009>Account Logon", "/dn"
Extract strLog, "MAIL", "Failure Audit<009>MAIL<009>Account Logon", "/dn"
Extract strLog, "XXXPC", "Failure Audit<009>XXXPC<009>Account Logon", "/dn"
Extract strLog, "XXXBU", "Failure Audit<009>XXXBU<009>Account Logon", "/dn"
Extract strLog, "CANFPC", "Failure Audit<009>CANFPC<009>Account Logon", "/dn"
Extract strLog, "FORTPC", "Failure Audit<009>FORTPC<009>Account Logon", "/dn"
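The script above depends on linestrp and on being run from the log folder, which makes it hard to see what each filter actually catches. The following is an added example, not the tutorial author's code and not linestrp: a small Python re-implementation of the same extraction pipeline (archive the raw log, keep-only and drop substring filters, the chained Snort step, per-host tab-delimited logon failure filters, and dropping empty result sets as Delfile does). The meaning of /dn and /dp is inferred from how the script uses them and <009> is taken to be a tab; every log line, host name and address in it is constructed for the example. It also shows the two things worth knowing before trusting the output files: that a plain "404" filter picks up a firewall line whose port number happens to contain 404, and that the tabs around the host name keep NS2 from matching a host called NS22.

```python
"""Added example, not from the original tutorial and not linestrp: a Python
re-implementation of the VBScript's extraction pipeline.  /dn and /dp are
taken to mean keep-only-matching and drop-matching; <009> is taken to be a
tab.  All sample lines, hosts and addresses below are constructed."""
import hashlib
import os
import shutil
import tempfile

TAB = "\t"


def filter_lines(lines, needle, mode):
    """Plain substring filter, no regex and no anchoring.
    mode 'keep' stands in for /dn, mode 'drop' for /dp."""
    if mode == "keep":
        return [ln for ln in lines if needle in ln]
    if mode == "drop":
        return [ln for ln in lines if needle not in ln]
    raise ValueError("mode must be 'keep' or 'drop'")


def failure_audit_filter(host):
    """Tab-delimited event log export: the tabs pin the host field exactly."""
    return "Failure Audit" + TAB + host + TAB + "Account Logon"


# (output suffix, search string), mirroring the script's /FS arguments.
CATEGORIES = [
    ("Stealth", "Stealth"), ("Portscan", "TOTAL time("), ("IPv6", "ipv6 ("),
    ("Blocked", "(blocked site)"), ("DenyIn", "Deny in"), ("DenyOut", "Deny out"),
    ("ICMP", "icmp"), ("IISLogs", "daemon.info"), ("IIS404", "404"),
    ("IIS403", "403"), ("VPN", "pptpd["), ("VPNBadAuth", "Unable to authenticate."),
    ("VPN_SYN", "VPN SYN Connection"), ("TermServ", "TerminalServices"),
    ("SSL", "SSL"), ("Lockouts", "Account Locked out"),
    ("NS2", failure_audit_filter("NS2")), ("MAIL", failure_audit_filter("MAIL")),
]


def extract(lines):
    """Run the pipeline over one day's log.  The Snort step is chained as in
    the script: Snort = auth.alert lines, Alerts = Snort minus portscan lines.
    Empty results are dropped, which is what Delfile does to empty files."""
    out = {"Snort": filter_lines(lines, "auth.alert", "keep")}
    out["Alerts"] = filter_lines(out["Snort"], "portscan", "drop")
    for suffix, needle in CATEGORIES:
        out[suffix] = filter_lines(lines, needle, "keep")
    return {k: v for k, v in out.items() if v}


def sha256_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def archive_raw_log(src, archive_dir):
    """The script's 'copy to local archive' step, plus a digest of the copy
    so the archived raw log can be checked for tampering later."""
    os.makedirs(archive_dir, exist_ok=True)
    dst = os.path.join(archive_dir, os.path.basename(src))
    shutil.copy2(src, dst)
    return dst, sha256_file(dst)


# Constructed sample lines in the syslog-relay style the script filters.
SAMPLE = [
    "Mar  4 10:01:02 fw auth.alert snort[123]: [1:1234:1] WEB-IIS cmd.exe access 10.0.0.9 -> 10.0.0.2:80",
    "Mar  4 10:01:05 fw auth.alert snort[123]: spp_portscan: portscan detected from 10.0.0.9",
    "Mar  4 10:02:00 fw kernel: Deny in TCP 10.0.0.9:40404 -> 10.0.0.2:445",
    "Mar  4 10:02:01 fw kernel: Deny out TCP 10.0.0.2:1025 -> 192.0.2.40:6667",
    "Mar  4 10:03:00 web daemon.info iis: GET /scripts/..%255c../winnt/system32/cmd.exe 404 10.0.0.9",
    "Mar  4 10:03:01 web daemon.info iis: GET /index.htm 200 10.0.0.20",
    "Mar  4 10:04:00 dc Security\tFailure Audit\tNS2\tAccount Logon\t675\tPre-authentication failed: jsmith",
    "Mar  4 10:04:01 dc Security\tFailure Audit\tNS22\tAccount Logon\t675\tPre-authentication failed: jsmith",
    "Mar  4 10:04:02 dc Security\tFailure Audit\tMAIL\tAccount Logon\t675\tPre-authentication failed: admin",
    "Mar  4 10:05:00 vpn pptpd[77]: CTRL: Client 203.0.113.7 control connection started",
]


def demo():
    """Write the sample log to a temp dir, archive it, verify the archive
    digest against the source, run the filters.  Returns (archive_ok, results)."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "20060304.txt")
    with open(src, "w") as fh:
        fh.write("\n".join(SAMPLE) + "\n")
    dst, digest = archive_raw_log(src, os.path.join(work, "old"))
    archive_ok = sha256_file(dst) == sha256_file(src) == digest
    shutil.rmtree(work)
    return archive_ok, extract(SAMPLE)


if __name__ == "__main__":
    ok, results = demo()
    print("archive digest verified:", ok)
    for name, hits in results.items():
        print(name, len(hits), "line(s)")
```

Running it shows the IIS404 set holding two lines, the real 404 and the "Deny in" line with source port 40404, while the NS2 set holds only the NS2 record and not the NS22 one. Keeping the archive digest somewhere the log host cannot write to is the cheapest way to notice later that the raw copy has been edited.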

Original Tutorial Submitted by nokia for TheTAZZone-TAZForum

Originally posted on March 4th, 2006 here

Do not use, republish, in whole or in part, without the consent of the Author. TheTAZZone policy is that Authors retain the rights to the work they submit and/or post...we do not sell, publish, transmit, or have the right to give permission for such...TheTAZZone merely retains the right to use, retain, and publish submitted work within its Network.