LnS Logparser in tds-3 script suite


Andreas1
June 23rd, 2003, 05:19 AM
Hi all,
just want to tell all of you who are licensed TDS operators that "screx", my suite of ss3 scripts for TDS, now includes a module to watch LnS logs. You can specify which file should be watched and will be alerted by TDS when "suspicious" lines show up in there. Alerts will be in the TDS console and/or speech and/or MS Agents.

It has several "threat levels" and "Suspiciousness" is being defined by a couple of properties (e.g. whether or not the string "RAT:" shows up in TDS's port-service database for the involved ports). Also, if your rulenames have a '-' or a '+' left of their ':' to indicate blocked/allowed status of the event, the parser will be able to understand this. (I name my rules like "TCP-O: Service", "UDP+B: Service", "TCP-I: Service" etc. - where I/O/B stands for In/Out/Both.)

The only problem is that LnS does its own logrotation, so that you will have to specify a new file to watch every day...

Have fun, and I'd appreciate any feedback at A.Wagner<at>stud.uni-frankfurt.de
Cheers,
Andreas


Aaah, I almost forgot the URL:
http://www.commontology.de/pub/tds/screx/screx02beta3.zip

Some more information about screx can be found in the (also included in the zipfile) readme:
http://www.commontology.de/pub/tds/screx/screadme.txt
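The two conventions described above, the "-"/"+" left of the ":" in the rule name and the "RAT:" marker in the port-to-service database, are easy to show in code. The following is an added example written for this thread, not screx's own code (screx is written in the ss3 scripting language; this is Python). The port-to-service table is a constructed sample standing in for the TDS database, and the scoring weights and threat-level names are my own assumptions, not the ones screx uses.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for the TDS port-to-service database.  Entries whose
# description starts with "RAT:" mark ports associated with remote-access trojans.
PORT_SERVICES = {
    80: "HTTP",
    443: "HTTPS",
    12345: "RAT: NetBus",
    31337: "RAT: Back Orifice",
}

# Direction letter left of the ":" in the rule name, as in "TCP-O: Service".
DIRECTIONS = {"I": "in", "O": "out", "B": "both"}

# Assumed threat-level names for the scores computed below; anything above 2 is "high".
THREAT_NAMES = {0: "info", 1: "low", 2: "medium"}


@dataclass(frozen=True)
class RuleInfo:
    protocol: str   # e.g. "TCP", "UDP", "ICMP", or "unknown"
    verdict: str    # "blocked", "allowed" or "unknown"
    direction: str  # "in", "out", "both" or "unknown"
    service: str    # free text right of the ":"


def parse_rule_name(rule_name: str) -> RuleInfo:
    """Decode a rule name following the "TCP-O: Service" convention.

    Only the part left of the first ":" is inspected: a "-" means the rule
    blocked the event, a "+" means it allowed it, and the letter just before
    the ":" gives the direction (I/O/B).  Names without the convention
    (e.g. "APP: Asked ...") fall back to "unknown" fields.
    """
    head, sep, tail = rule_name.partition(":")
    if not sep:
        return RuleInfo(rule_name.strip().upper() or "unknown", "unknown", "unknown", "")
    head = head.strip()
    if "-" in head:
        verdict = "blocked"
    elif "+" in head:
        verdict = "allowed"
    else:
        verdict = "unknown"
    direction = DIRECTIONS.get(head[-1:].upper(), "unknown")
    match = re.match(r"[A-Za-z]+", head)
    protocol = match.group(0).upper() if match else "unknown"
    return RuleInfo(protocol, verdict, direction, tail.strip())


def threat_level(rule_name: str, remote_port: int) -> tuple:
    """Score one log event from its rule name and the remote port involved.

    Assumed weights: +2 if the port is listed as a RAT port, +1 for inbound
    traffic, and +1 more if already-suspicious traffic was allowed through.
    Returns (level name, score, parsed rule, list of reasons).
    """
    info = parse_rule_name(rule_name)
    service = PORT_SERVICES.get(remote_port, "unknown service")
    score = 0
    reasons = []
    if service.startswith("RAT:"):
        score += 2
        reasons.append(f"port {remote_port} is listed as '{service}'")
    if info.direction == "in":
        score += 1
        reasons.append("inbound connection attempt")
    if info.verdict == "allowed" and score > 0:
        score += 1
        reasons.append("the rule allowed the traffic")
    return THREAT_NAMES.get(score, "high"), score, info, reasons


if __name__ == "__main__":
    # Constructed sample events: (rule name, remote port).
    for rule, port in [("TCP-I: NetBus", 12345), ("TCP+O: Web", 80), ("TCP+I: Misc", 31337)]:
        level, score, info, reasons = threat_level(rule, port)
        print(f"[{level.upper()}] {info.protocol} {info.direction} {info.verdict}: "
              f"{'; '.join(reasons) or 'nothing suspicious'}")
```

The parser deliberately looks only at the text left of the ":", as the thread's rule-naming scheme does, so a service description containing "-" or "+" cannot flip the verdict.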

Andreas1
June 23rd, 2003, 05:32 AM
...I can hear you asking: What are the advantages of this logwatching over LnS's own logging/alerting?

Not easy to answer, here are a few thoughts:

- A first assessment of how suspicious the communication in question is.
- A more extensive port-to-service database tuned for security needs is used to assess the threat of a log entry and to inform you about the communication.
- Speech/Agents.
- Finally, you have all the relevant stuff at hand in one - TDS - environment. Involved IPs/ports, tracert, ping, TCP Port inspector, irc (that's in screx, too), ...


Cheers,
Andreas

Jason_DiamondCS
July 3rd, 2003, 05:31 AM
Sounds handy Andreas, I will give it a try soon since I am now using LNS :)
-Jason-

Plavi
July 3rd, 2003, 12:31 PM
Hi Andreas,

New to using TDS and L&S.

Please be patient with my illiteracy but... downloaded the script and ran ParseLnS.ss3. Got the following below:

23:05:59 [Script Error] ERR: Expected 'End' (LINE: 1 COL:21)
23:05:59 [Script Error] SRC: Sub ParseLog(LogLine)
23:05:59 [Script Error] ERR: Expected 'Next' (LINE: 1 COL:20)
23:05:59 [Script Error] SRC: For i = 1 to 16
23:05:59 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:9)
23:05:59 [Script Error] ERR: Unexpected 'Next' (LINE: 1 COL:5)
23:05:59 [Script Error] SRC: Next
23:05:59 [Script Error] ERR: Type mismatch: 'StripCRLF' (LINE: 1 COL:5)
23:05:59 [Script Error] ERR: Expected 'End' (LINE: 1 COL:56)
23:05:59 [Script Error] SRC: If Mid(LogLine, 18,1) = "," Then ' we have a raw log
23:05:59 [Script Error] ERR: Expected 'End' (LINE: 1 COL:32)
23:05:59 [Script Error] SRC: If Matches.Count > 0 Then
23:05:59 [Script Error] ERR: Invalid procedure call or argument (LINE: 1 COL:9)
23:05:59 [Script Error] ERR: Syntax error (LINE: 4 COL:7)
23:05:59 [Script Error] SRC: Else
23:06:00 [Script Error] ERR: Invalid 'exit' statement (LINE: 1 COL:14)
23:06:00 [Script Error] SRC: Exit Sub
23:06:00 [Script Error] ERR: Expected statement (LINE: 1 COL:7)
23:06:00 [Script Error] SRC: End If
23:06:00 [Script Error] ERR: Expected 'End' (LINE: 1 COL:32)
23:06:00 [Script Error] SRC: If Matches.Count > 0 Then
23:06:00 [Script Error] ERR: Invalid procedure call or argument (LINE: 1 COL:9)
23:06:00 [Script Error] ERR: Object required: 'Match' (LINE: 1 COL:9)
23:06:00 [Script Error] ERR: Expected statement (LINE: 1 COL:7)
23:06:00 [Script Error] SRC: Else
23:06:00 [Script Error] ERR: Invalid 'exit' statement (LINE: 1 COL:14)
23:06:00 [Script Error] SRC: Exit Sub
23:06:00 [Script Error] ERR: Expected statement (LINE: 1 COL:7)
23:06:00 [Script Error] SRC: End If
23:06:00 [Script Error] ERR: Expected 'End' (LINE: 1 COL:27)
23:06:00 [Script Error] SRC: If rawlog = False Then
23:06:00 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:8)
23:06:00 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:8)
23:06:00 [Script Error] ERR: Expected 'End' (LINE: 1 COL:28)
23:06:00 [Script Error] SRC: Select Case Field(6)
23:06:00 [Script Error] ERR: Expected statement (LINE: 1 COL:11)
23:06:00 [Script Error] SRC: Case "TCP"
23:06:01 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:13)
23:06:01 [Script Error] ERR: Expected statement (LINE: 1 COL:11)
23:06:01 [Script Error] SRC: Case "UDP"
23:06:01 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:13)
23:06:01 [Script Error] ERR: Expected statement (LINE: 1 COL:11)
23:06:01 [Script Error] SRC: Case "ICMP"
23:06:01 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:13)
23:06:01 [Script Error] ERR: Expected statement (LINE: 1 COL:8)
23:06:01 [Script Error] SRC: End Select
23:06:01 [Script Error] ERR: Expected 'End' (LINE: 1 COL:30)
23:06:01 [Script Error] SRC: If Field(2) = "D" Then
23:06:01 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:11)
23:06:01 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:11)
23:06:01 [Script Error] ERR: Expected statement (LINE: 1 COL:8)
23:06:01 [Script Error] SRC: ElseIf Field(2) = "U" Then
23:06:01 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:11)
23:06:01 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:11)
23:06:01 [Script Error] ERR: Expected statement (LINE: 1 COL:8)
23:06:01 [Script Error] SRC: End If
23:06:01 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:8)
23:06:01 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:8)
23:06:02 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:8)
23:06:02 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:8)
23:06:02 [Script Error] ERR: Expected statement (LINE: 1 COL:5)
23:06:02 [Script Error] SRC: End If
23:06:02 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:5)
23:06:02 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:5)
23:06:02 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:5)
23:06:02 [Script Error] ERR: Expected 'End' (LINE: 1 COL:56)
23:06:02 [Script Error] SRC: If Field(3) = "D" Then ' inbound packet
23:06:02 [Script Error] ERR: Expected 'End' (LINE: 1 COL:59)
23:06:02 [Script Error] SRC: If Field(6) = "0800" Then ' it's an IP packet
23:06:02 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:11)
23:06:02 [Script Error] ERR: Expected 'End' (LINE: 1 COL:62)
23:06:02 [Script Error] SRC: Select Case Field(10) ' What IP protocol is this?
23:06:02 [Script Error] ERR: Expected statement (LINE: 1 COL:13)
23:06:02 [Script Error] SRC: Case "6" ' TCP
23:06:02 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:15)
23:06:02 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:15)
23:06:02 [Script Error] ERR: Expected statement (LINE: 1 COL:13)
23:06:02 [Script Error] SRC: Case "17" ' UDP
23:06:03 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:15)
23:06:03 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:15)
23:06:03 [Script Error] ERR: Expected statement (LINE: 1 COL:13)
23:06:03 [Script Error] SRC: Case "1" ' ICMP
23:06:03 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:15)
23:06:03 [Script Error] ERR: Expected statement (LINE: 1 COL:13)
23:06:03 [Script Error] SRC: Case Else ' some other IP protocol
23:06:03 [Script Error] ERR: Expected 'End' (LINE: 1 COL:43)
23:06:03 [Script Error] SRC: If IsNumeric(Field(10)) Then
23:06:03 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:16)
23:06:03 [Script Error] ERR: Expected statement (LINE: 1 COL:15)
23:06:03 [Script Error] SRC: Else
23:06:03 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:16)
23:06:03 [Script Error] ERR: Expected statement (LINE: 1 COL:15)
23:06:03 [Script Error] SRC: End If
23:06:03 [Script Error] ERR: Expected statement (LINE: 1 COL:11)
23:06:03 [Script Error] SRC: End Select
23:06:03 [Script Error] ERR: Expected statement (LINE: 1 COL:8)
23:06:03 [Script Error] SRC: ElseIf Field(6) = "0806" Then ' it's an ARP packet
23:06:04 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:11)
23:06:04 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:11)
23:06:04 [Script Error] ERR: Expected statement (LINE: 1 COL:8)
23:06:04 [Script Error] SRC: Else
23:06:04 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:11)
23:06:04 [Script Error] ERR: Expected statement (LINE: 1 COL:8)
23:06:04 [Script Error] SRC: End If
23:06:04 [Script Error] ERR: Expected statement (LINE: 1 COL:5)
23:06:04 [Script Error] SRC: ElseIf Field(3) = "U" Then ' outbound packet
23:06:04 [Script Error] ERR: Expected 'End' (LINE: 1 COL:59)
23:06:04 [Script Error] SRC: If Field(6) = "0800" Then ' it's an IP packet
23:06:04 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:11)
23:06:04 [Script Error] ERR: Expected 'End' (LINE: 1 COL:62)
23:06:04 [Script Error] SRC: Select Case Field(10) ' What IP protocol is this?
23:06:04 [Script Error] ERR: Expected statement (LINE: 1 COL:13)
23:06:04 [Script Error] SRC: Case "6" ' TCP
23:06:04 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:15)
23:06:04 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:15)
23:06:04 [Script Error] ERR: Expected statement (LINE: 1 COL:13)
23:06:05 [Script Error] SRC: Case "17" ' UDP
23:06:05 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:15)
23:06:05 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:15)
23:06:05 [Script Error] ERR: Expected statement (LINE: 1 COL:13)
23:06:05 [Script Error] SRC: Case "1" ' ICMP
23:06:05 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:15)
23:06:05 [Script Error] ERR: Expected statement (LINE: 1 COL:13)
23:06:05 [Script Error] SRC: Case Else ' some other IP protocol
23:06:05 [Script Error] ERR: Expected 'End' (LINE: 1 COL:43)
23:06:05 [Script Error] SRC: If IsNumeric(Field(10)) Then
23:06:05 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:16)
23:06:05 [Script Error] ERR: Expected statement (LINE: 1 COL:15)
23:06:05 [Script Error] SRC: Else
23:06:05 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:16)
23:06:05 [Script Error] ERR: Expected statement (LINE: 1 COL:15)
23:06:05 [Script Error] SRC: End If
23:06:05 [Script Error] ERR: Expected statement (LINE: 1 COL:11)
23:06:06 [Script Error] SRC: End Select
23:06:06 [Script Error] ERR: Expected statement (LINE: 1 COL:8)
23:06:06 [Script Error] SRC: ElseIf Field(6) = "0806" Then ' it's an ARP packet
23:06:06 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:11)
23:06:06 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:11)
23:06:06 [Script Error] ERR: Expected statement (LINE: 1 COL:8)
23:06:06 [Script Error] SRC: Else
23:06:06 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:11)
23:06:06 [Script Error] ERR: Expected statement (LINE: 1 COL:8)
23:06:06 [Script Error] SRC: End If
23:06:06 [Script Error] ERR: Expected statement (LINE: 1 COL:5)
23:06:06 [Script Error] SRC: End If
23:06:06 [Script Error] ERR: Expected 'End' (LINE: 1 COL:83)
23:06:06 [Script Error] SRC: If InStr(1, Left(CStr(RuleName), InStr(1, CStr(RuleName), ":")), "-") > 0 Then
23:06:06 [Script Error] ERR: Expected statement (LINE: 1 COL:5)
23:06:06 [Script Error] SRC: ElseIf InStr(1, Left(CStr(RuleName), InStr(1, CStr(RuleName), ":")), "+") > 0 Then
23:06:06 [Script Error] ERR: Expected statement (LINE: 1 COL:5)
23:06:06 [Script Error] SRC: End If
23:06:07 [Script Error] ERR: Expected 'End' (LINE: 1 COL:39)
23:06:07 [Script Error] SRC: If Left(RuleName,5) = "APP: " Then
23:06:07 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:8)
23:06:07 [Script Error] ERR: Expected 'End' (LINE: 1 COL:67)
23:06:07 [Script Error] SRC: Select Case Mid(RuleName, 6, 5) ' Blocked or permitted?
23:06:07 [Script Error] ERR: Expected statement (LINE: 1 COL:10)
23:06:07 [Script Error] SRC: Case "Asked"
23:06:07 [Script Error] ERR: Expected statement (LINE: 1 COL:10)
23:06:07 [Script Error] SRC: Case "Block"
23:06:07 [Script Error] ERR: Expected statement (LINE: 1 COL:10)
23:06:07 [Script Error] SRC: Case "Allow"
23:06:07 [Script Error] ERR: Expected statement (LINE: 1 COL:8)
23:06:07 [Script Error] SRC: End Select
23:06:07 [Script Error] ERR: Expected statement (LINE: 1 COL:5)
23:06:07 [Script Error] SRC: End If
23:06:07 [Script Error] ERR: Type mismatch: 'AusgabeLogMon' (LINE: 1 COL:5)
23:06:07 [Script Error] ERR: Expected statement (LINE: 1 COL:0)

I realise in my ignorance I may have done something wrong in the process, but there is not too much 'clarity' here as to whether someone has indeed 'attacked' today or 'not' in today's L&S log.

Please advise, and many thanks
P

Andreas1
July 3rd, 2003, 06:46 PM
@ Jason
Hi, nice to see you here. LnS is really a great fw - and will be much more so when the (announced) new version comes out. :D
(If it only wouldn't include the current date in the logfile's filename - which makes it a bit more difficult to find. One day, I'll do it programmatically, but right now, relying on the user configuring the path to the to-be-watched logfile means requiring him/her to reconfigure daily ::).)

@ Plavi
Hi Plavi,
thanks for giving it a try - and for your feedback.
I'd like to mention just a few general things over here and if problems persist, I would suggest (but you decide) discussing the script further at the dedicated ss3 forum (which is hosted over at DCS's private forums: http://diamondcs.com.au/forum/forumdisplay.php?s=&forumid=3 (I assume you're a registered tds customer - else you wouldn't have been able to run a script as large as screx at all))

1. You have to load "loadme.ss3", not "parselns.ss3"...
(It can load all of screx's modules, but you can configure which modules should be loaded and which shouldn't - e.g. for saving resources. Thus, you can configure it to use only the logmon part with LnS parsing, and on reload you should be there...)
2. You have to "load" the script in TDS (and not "run" it)...
(Actually, there is a description of how screx can set up itself and how to launch it in the readme file - screadme.txt (http://www.commontology.de/pub/tds/screx/screadme.txt))
3. Do you have the latest version of Windows Scripting Host for your OS installed?
(English - 2k/XP (http://www.microsoft.com/downloads/details.aspx?familyid=c717d943-7e4b-4622-86eb-95a22b832caa&languageid=f49e8428-7071-4979-8a67-3cffcb0c2524&displaylang=en); English - 98/ME/NT (http://www.microsoft.com/downloads/details.aspx?FamilyID=0a8a18f6-249c-4a72-bfcf-fc6af26dc390&DisplayLang=en))

Hope this helps,
Andreas

MickeyTheMan
July 6th, 2003, 01:07 AM
Quoting Jason / DiamondCS:
> Sounds handy Andreas, I will give it a try soon since I am now using LNS :)
> -Jason-
Why do i find this to be a smart move ? :D

Plavi
July 6th, 2003, 11:02 PM
Hi Andreas,

Thanks for the advice and guidance. Am TDS registered so will visit there, download Windows Scripting Host and do some homework. I find the scripts fascinating and realize how powerful both tools are (in addition to being easy to use), but the learning curve is slow. Cheers for the patience.

P