Re: Audit Account Logon Events, Client IP address incorrect?

From: ptwilliams (ptw2001_at_hotmail.com)
Date: 12/22/04


Date: Wed, 22 Dec 2004 00:08:09 -0000

Sorry for the delay, Herb - I lost the post! Until I read this post I didn't
know what Snort was - and still only have a vague idea! I figured that a
veteran such as yourself, with many programming languages under his belt,
could whip up a nice, free tool for the community - just like Joe's oldcmp or
something <g>.

I'd be sure to give it a go; although most of our clients are quite big and
we have certified network detectives, etc., so wouldn't utilise it as much as
some of the people on here with smaller environments...

> Do you run Snort and Perl? Would you run them if this worked?

No. I just started playing with VBScript and was considering Perl sometime
next year. Is it worth it?

-- 
Paul Williams
http://www.msresource.net
http://forums.msresource.net
"Herb Martin" <news@LearnQuick.com> wrote in message 
news:uF%23gE5t4EHA.2568@TK2MSFTNGP11.phx.gbl...
"ptwilliams" <ptw2001@hotmail.com> wrote in message
news:#QWFAjt4EHA.2592@TK2MSFTNGP09.phx.gbl...
> > By now, I really should have written a Perl program to do that (probably
> > something simple based on time
> > stamps would get me close.)
>
> Well, don't just talk about it!!!  Get to it!
>
> And post it free for all of us when you're done ;-)
>
Ok, let's try a simple design and IF I have some
time I will hook it up....
What sort of messages do we need to capture in
Snort?  (You don't have to answer but pointing me
to the current docs for Kerberos and NTLM authentication
and secure channel packet types would help...)
1) Find Account Logon or Logon events in event log
    (I can do that.)
2) Find messages of the relevant types in Snort log
3) Filter Snort messages to plus or minus N seconds
    or milliseconds of each Audit event.
Can that (little bit) be useful?
Do you run Snort and Perl?  Would you run them if
this worked?
Comments from PT or ANYONE welcome.
Alternative:
4) Find something in Audit that can be directly matched
    to the Snort log....
-- 
Herb Martin
>
> -- 
>
> Paul Williams
>
> http://www.msresource.net
> http://forums.msresource.net
>
>
> "Herb Martin" <news@LearnQuick.com> wrote in message
> news:OOtq2ws4EHA.3368@TK2MSFTNGP10.phx.gbl...
> "Lori" <Lori@discussions.microsoft.com> wrote in message
> news:DBB04A1E-77B7-4E36-9D01-6F7277131B4C@microsoft.com...
> > Thanks Herb!  Now I at least have an explanation for the "powers that be"
> > when they look at the logs.
>
> The next step is to run an IDS (Intrusion Detection
> System) but that is a LOT of work UNLESS you will
> actively read and use the logs.
>
> I hope someone will pipe in here and suggest a way
> to match Snort (a free IDS) logs with Windows logs.
>
> By now, I really should have written a Perl program
> to do that (probably something simple based on time
> stamps would get me close.)
>
>
> -- 
> Herb Martin
>
>
> >
> > Lori
> >
> > "Herb Martin" wrote:
> >
> > > "Lori" <Lori@discussions.microsoft.com> wrote in message
> > > news:40C60175-847A-47F1-A829-F486907C862C@microsoft.com...
> > > > Hi,
> > > >
> > > > We recently set up an audit policy to audit failed account logon events for
> > > > our domain controllers.  If I look at the logs, I can see Event ID 675 for
> > > > the failed logons.  However, when I look at the detail, the Client IP address
> > > > does not have the address of the client, but instead the IP of one of the
> > > > domain controllers (and often not even the closest DC).  For example, I
> > > > deliberately entered a bad password to log onto a client at IP address
> > > > 192.168.22.126.  The Security log on the local DC showed Event ID 675 for the
> > > > userID I used, but the Client IP address shows as 192.168.7.17 which is a DC
> > > > at a remote location.
> > > >
> > > > Can anyone help me understand why this is happening?
> > >
> > > Probably because historically logon might happen over
> > > any supported network protocol so these events never
> > > included the IP address (it might not even have been IP.)
> > >
> > > It is sort of silly these days, but it's one of those things
> > > (I believe) the developers know needs improving.
> > >
> > > When I have a bad logon attempt, I would much prefer
> > > to know the IP address of the offender -- if he's on my
> > > network I can find him with that but if he is NOT on
> > > my network I have no chance of finding him by NetBIOS
> > > name or some other irrelevant information.
> > >
> > >
> > > -- 
> > > Herb Martin
> > >
> > >
> > > >
> > > > Thanks so much!
> > >
> > >
> > >
>
>
>
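Herb's three-step design above (find the Account Logon audit events, find the relevant Snort messages, keep the Snort lines within plus or minus N seconds of each audit event) as an added example, written here in Python rather than the Perl he mentions; it is not code from the thread or from either poster. The Windows event rows and the Snort alert lines are constructed sample data, the alert line layout is assumed to follow Snort's "fast" alert output, and the narrowing to alerts whose destination is the DC on port 88 (Kerberos) or 445 (SMB, which carries NTLM) is an assumption in the spirit of Herb's alternative step 4, since the Event ID 675 record itself only carries the DC's address.

```python
"""Correlate Windows Account Logon audit events with Snort alerts by timestamp.

Added example for the thread's proposed Snort/event-log matching; all data below is constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed rows in the shape of an exported Security log:
# (timestamp, event id, account, "Client IP" as the DC recorded it).
# Mirrors the thread's symptom: the Client IP field holds a DC address, not the workstation.
WINDOWS_EVENTS = [
    ("2004-12-22 00:08:09", 675, "jdoe", "192.168.7.17"),
    ("2004-12-22 00:15:40", 675, "asmith", "192.168.7.17"),
    ("2004-12-22 00:20:02", 672, "jdoe", "192.168.7.17"),
]

# Constructed alert lines; the layout is assumed to match Snort's "-A fast" output.
SNORT_ALERTS = """\
12/22-00:08:07.412000  [**] [1:9000001:1] KERBEROS traffic to DC [**] [Priority: 3] {UDP} 192.168.22.126:3210 -> 192.168.7.17:88
12/22-00:08:10.001000  [**] [1:9000001:1] KERBEROS traffic to DC [**] [Priority: 3] {UDP} 192.168.22.126:3211 -> 192.168.7.17:88
12/22-00:09:30.550000  [**] [1:9000002:1] SMB traffic to DC [**] [Priority: 3] {TCP} 192.168.22.40:1045 -> 192.168.7.17:445
12/22-00:15:41.230000  [**] [1:9000001:1] KERBEROS traffic to DC [**] [Priority: 3] {UDP} 10.1.5.9:40000 -> 192.168.7.17:88
"""

# month/day-time at the start, then protocol and src:port -> dst:port at the end of the line.
SNORT_RE = re.compile(
    r"^(?P<mon>\d{2})/(?P<day>\d{2})-(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_snort(text, year):
    """Parse fast-alert lines into dicts; the year is supplied because the fast format omits it."""
    alerts = []
    for line in text.splitlines():
        m = SNORT_RE.match(line)
        if not m:
            continue  # skip anything that is not a complete alert line
        ts = datetime.strptime(f"{year}-{m['mon']}-{m['day']} {m['time']}", "%Y-%m-%d %H:%M:%S.%f")
        alerts.append({"time": ts, "proto": m["proto"], "src": m["src"],
                       "dst": m["dst"], "dport": int(m["dport"])})
    return alerts


def correlate(events, alerts, window_seconds=2, dports=(88, 445)):
    """For each audit event, list source IPs of alerts within +/- window that hit the recording DC on an auth port.

    The window is Herb's "plus or minus N seconds"; the DC/port filter is the step-4 narrowing.
    Several alerts from one host inside the window collapse to a single candidate.
    """
    window = timedelta(seconds=window_seconds)
    results = []
    for ts_str, event_id, user, dc_ip in events:
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        candidates = sorted({a["src"] for a in alerts
                             if abs(a["time"] - ts) <= window
                             and a["dst"] == dc_ip and a["dport"] in dports})
        results.append({"time": ts_str, "event_id": event_id, "user": user, "candidates": candidates})
    return results


if __name__ == "__main__":
    for r in correlate(WINDOWS_EVENTS, parse_snort(SNORT_ALERTS, 2004)):
        print(f"{r['time']}  event {r['event_id']}  user={r['user']}  "
              f"candidate sources: {', '.join(r['candidates']) or '(none)'}")
```

With the sample data, the 00:08:09 failure resolves to 192.168.22.126 (two Kerberos alerts within two seconds of it), the 00:15:40 failure to 10.1.5.9, and the 00:20:02 event to no candidate, which is the honest answer when the sensor saw nothing near that time. Clock skew between the DC and the Snort sensor sets the floor for the window, so NTP on both is what makes the timestamps comparable at all.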

