• Status: Solved

Network Connections

Is there a way to keep a log file of network connections throughout the day and receive notifications when I receive a connection from certain hosts?
Asked by: Jon2418
3 Solutions
 
Trivious commented:
Wireshark... it's a packet sniffer you could use to monitor just your IP, but the logs would get huge from so much traffic. Have you watched Event Viewer? There is a security section to see failed logons and such.
 
Rich Rumble (Security Samurai) commented:
Event Viewer would be best... here is a series of sample scripts you could run. The notification part isn't built in if you're running these on another computer, but it could be adapted easily enough to send a "net use" or possibly an email.
http://www.microsoft.com/technet/scriptcenter/resources/qanda/oct04/hey1026.mspx
http://www.microsoft.com/technet/scriptcenter/resources/qanda/apr08/hey0421.mspx
http://www.microsoft.com/technet/scriptcenter/resources/qanda/feb07/hey0226.mspx
http://www.microsoft.com/technet/scriptcenter/resources/qanda/aug05/hey0816.mspx
http://www.microsoft.com/technet/scriptcenter/resources/qanda/apr05/hey0404.mspx
However, first you must enable auditing of file/folder access, then specify the files or folders you want to watch. Here's how you do that: http://support.microsoft.com/kb/310399

Or try the Sysinternals apps from M$:
http://technet.microsoft.com/en-us/sysinternals/bb897544.aspx This should be able to dump certain events.
The whole suite: http://download.sysinternals.com/Files/SysinternalsSuite.zip
-rich
 
Rich Rumble (Security Samurai) commented:
Stupid me!! Haha, I love using KIWI syslog... I must be more tired than I thought ;)
http://www.kiwisyslog.com/products/
-rich
 
Jon2418 (Author) commented:
I downloaded Kiwi but do not understand how you would use it to detect an unwelcome listener. Is there a way to have it sweep the ports every so often for listeners?
 
Rich Rumble (Security Samurai) commented:
Kiwi is an event log parser and alerter. When certain events are logged, this tool will automatically alert you to the events you specify are of interest. You must have the events you're curious about logged, which usually means you have to turn on more logging than the default Windows logging settings. Authentication success/failure is typically logged by default. If you're interested in when someone accesses a certain share or file, perhaps, you need to turn up the logging features and also configure those files and/or folders. Here is an M$ KB article on how to do this on share/folder access: http://support.microsoft.com/kb/310399 http://technet2.microsoft.com/windowsserver/en/library/ecf63dcf-17e7-4279-91ff-beb11bd0d6881033.mspx?mfr=true

Snare is also a popular event log alerting software: http://www.intersectalliance.com/projects/SnareWindows/index.html
It may meet your requirements, as it has a nice filter option so you could look for specific usernames: http://www.intersectalliance.com/projects/SnareWindows/obj_edit.png
-rich
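
As an added example (not code from any of the posters or from the tools they link), this Python script shows the kind of periodic sweep asked about in the thread: it parses two `netstat -ano` snapshots, reports established connections from a watched address range, and lists listeners that appeared between sweeps. The snapshots, the watch list and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample snapshots; on a live host these would come from
# subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
SNAP_1 = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.10:49722     203.0.113.7:443        ESTABLISHED     4312
"""
SNAP_2 = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING       5120
  TCP    192.168.1.10:3389      198.51.100.23:50211    ESTABLISHED     1044
  TCP    [::]:135               [::]:0                 LISTENING       912
"""
WATCHED = [ipaddress.ip_network("198.51.100.0/24")]  # hypothetical watch list


def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr%zone]:port' into (addr, port)."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]").split("%")[0], port


def parse_netstat(text):
    """Return TCP rows as dicts; the header and UDP rows are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP":
            (laddr, lport), (raddr, rport) = split_endpoint(f[1]), split_endpoint(f[2])
            rows.append({"laddr": laddr, "lport": int(lport), "raddr": raddr,
                         "rport": int(rport), "state": f[3], "pid": int(f[4])})
    return rows


def watched_connections(rows, networks):
    """Established connections whose remote address is in a watched network."""
    return [r for r in rows if r["state"] == "ESTABLISHED"
            and any(ipaddress.ip_address(r["raddr"]) in n for n in networks)]


def new_listeners(before, after):
    """(address, port, pid) listeners present in `after` but not in `before`."""
    def listen(rows):
        return {(r["laddr"], r["lport"], r["pid"]) for r in rows if r["state"] == "LISTENING"}
    return sorted(listen(after) - listen(before))
```

Each sweep's parsed rows can be appended to a log file, and any non-empty result from `watched_connections` or `new_listeners` passed to whatever notification channel is in use.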
