Port Reporter Tools
Tim Rains let me know that they posted a Port Reporter Parser utility to the Microsoft Download Center. The Port Reporter Parser Utility makes it much easier to review your port reporter logs. There's a bunch of stuff to look at if you're interested in using these tools, so I'll list them out here:
Here are some features of the Port Reporter Parser tool:
PR-Parser helps to identify data that is “interesting” and/or “suspicious”:
- Identifies ports of interest that are used on the system.
- Identifies “suspicious” processes running on the system.
- Identifies “suspicious” modules (.dlls, .drvs, etc.) loaded on the system.
- Identifies “interesting” user accounts that are active on the system.
- Helps to determine when IP addresses, fully qualified domain names (FQDNs), or computer names of interest are found communicating with the system.
- Attempts to identify when a process using the name of a legitimate process is run from the wrong directory on a system.
PR-Parser provides some log analysis data as well. This data can help profile the system and/or how users use the system. This data includes:
- Local TCP port usage – what % of time each TCP port is used
- Local process usage – what % of time each process is used
- Remote IP address usage – how often the local system communicates with each remote host
- User context usage – how often each user account is used to start local processes
- Port usage by hour of the day – helps identify peak usage times for a Windows system
- Svchost.exe enumeration – see all the services hosted by every instance of svchost.exe running on a system
- Internet Explorer usage by user – see all the sites or firewalls that every user visits via Internet Explorer
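To make the log-analysis statistics above concrete, here is an added example (my own code, not part of Microsoft's Port Reporter tools or this post) that computes several of them from a constructed PR-PORTS-style log, plus the "legitimate process name, wrong directory" check. The column layout, the expected-directory list and the sample hosts, users and paths are all assumptions.

```python
import csv
import io
import ntpath
from collections import Counter

# Constructed sample log. Assumed PR-PORTS column layout: date,time,protocol,
# local port,local IP,remote port,remote IP,PID,module (full path),user context.
SAMPLE_LOG = """\
03/28/2004,09:10:22,TCP,1043,192.168.1.20,80,10.0.0.5,1456,C:\\Program Files\\Internet Explorer\\iexplore.exe,CORP\\alice
03/28/2004,09:11:02,TCP,135,192.168.1.20,0,0.0.0.0,876,C:\\WINDOWS\\system32\\svchost.exe,NT AUTHORITY\\SYSTEM
03/28/2004,09:15:40,TCP,1044,192.168.1.20,443,10.0.0.5,1456,C:\\Program Files\\Internet Explorer\\iexplore.exe,CORP\\alice
03/28/2004,14:02:11,TCP,4444,192.168.1.20,443,203.0.113.9,2210,C:\\Temp\\svchost.exe,CORP\\alice
03/28/2004,14:05:50,UDP,137,192.168.1.20,137,192.168.1.255,4,System,NT AUTHORITY\\SYSTEM
"""

# Directory each well-known Windows binary is expected to run from (assumed
# reference list for this example; PR-Parser ships its own).
EXPECTED_DIRS = {"svchost.exe": r"c:\windows\system32", "lsass.exe": r"c:\windows\system32"}
FIELDS = ["date", "time", "proto", "lport", "lip", "rport", "rip", "pid", "module", "user"]

def parse(text):
    """Turn PR-PORTS lines into dicts; 'process' is the bare image name."""
    records = [dict(zip(FIELDS, row)) for row in csv.reader(io.StringIO(text)) if row]
    for r in records:
        r["process"] = ntpath.basename(r["module"]).lower()
    return records

def percent_usage(records, key):
    """Share (%) of log entries attributed to each value of `key` (port, process, user, remote IP)."""
    counts = Counter(r[key] for r in records)
    total = sum(counts.values())
    return {k: round(100.0 * v / total, 1) for k, v in counts.items()}

def tcp_port_usage(records):
    return percent_usage([r for r in records if r["proto"] == "TCP"], "lport")

def usage_by_hour(records):
    """Entries per hour of day, the basis for spotting peak usage times."""
    return Counter(int(r["time"].split(":")[0]) for r in records)

def wrong_directory(records):
    """Processes named like a system binary but started from some other path."""
    hits = []
    for r in records:
        expected = EXPECTED_DIRS.get(r["process"])
        if expected and ntpath.dirname(r["module"]).lower() != expected:
            hits.append((r["pid"], r["module"]))
    return hits

RECORDS = parse(SAMPLE_LOG)
```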
Tim mentioned that there's a readme.doc file included with the Port Reporter Parser utility that explains how to use that utility in depth. I've been looking through it today and it's definitely worth reviewing as you start using these tools.