Tag Archives: Security

Windows Logging Service (WLS) 3.7.25 Now Available!

What’s New!

  • ARP
    • Added IsRouter and IsUnreachable fields to IPv6 logs
  • FileMetadata
    • Added AccessControlFields, GetFileAttributes, GetMSIPLabels, GetOverlay, LogFileCerts, PDFProperties
  • FileTail
    • Added Depth and PathFilter parameters
    • Added HistoryDays and HistoryRemoveEmptyDirectories parameters
    • Added Position and SID fields
    • Added performance monitoring
    • Now supports multiple %USERPROFILE% definitions
  • File Integrity Monitor (FIM)
    • Monitors defined paths for changes based on user-defined metadata
  • FileMonitor
    • Added LogUser parameter
    • Added EventTriggers
  • Heartbeat
    • Added LogsError reporting
  • Logging
    • Added SIDFields parameter
  • LogRouting
    • Added ADHarvest as a way to define network location IP ranges
    • Added RELP protocol support
  • Logs
    • Added support for XPath event log query definitions
  • RegistryMonitor
    • Added SID resolution for HKEY_USER definitions
    • Added Enable parameter for hive subitems
  • SessionMonitor
    • Added GroupSIDs parameter – replaces PKINIT field
    • Added UserNameHint field
  • ServiceMonitor
    • Added Security field based on registry data

What’s Changed?

  • FileMetadata
    • ImpHash calculations now ignore empty function names
  • FileTail
    • Deprecated IncludeSubdirectories. See Depth.
    • Filter supports multiple values and regular expressions
  • LogRouting
    • Where possible, BufferedStream is now used
  • Logs
    • Event logs that are null when received are counted as errors
  • TaskMonitor
    • Added Task Trigger XML to log
  • WLS Records
    • All control characters are now sanitized from field names and values

Fixes!

  • ARP/DNS
    • Fixed updating interval when changed while running
  • Audio
    • Fixed being enabled when disabled if FullReportInterval was set
  • CommandMonitor
    • Added extra checks when scanning memory for history structures to prevent errors
  • FileMetadata
    • Fixed quoted path loop bug
  • FileTail
    • BufferSize set as expected
    • Ensure file position is set to 0 on creation
    • Improved file position tracking
    • Reading multiple %USERPROFILE% settings
    • Setting CharSize
  • LNK
    • Fixed string decoding
    • Updated Enums and reporting of unknown values
  • LogFormat
    • Fixed appending HMAC
  • RemoteConfiguration
    • Fixed requiring rules.xml when not needed
  • ServiceMonitor
    • Fixed reporting at Interval

If you’d like licensing or other information about WLS, send me a note via the contact form. WLS is currently available to US entities, but does require a signed license agreement.

Detecting malware with your proxy logs

If you use a web proxy that has categorization built-in and you log the requests to your central log system, you can add another layer of detection by alerting on multiple requests for a known malicious destination from a single source. Even though malware can come from almost any site or email, the call “home” is often to a site that is reused. This detection method caught a few infections that were not detected by anti-virus in the last month.

In this example, Splunk is used to search BlueCoat proxy logs for categories that indicate malicious sites, counting the matches by user, host, and referrer. The site categories and count threshold should be tuned to fit your environment.

index=proxy host=bluecoat ("Malicious Sources" OR "Malicious Outbound Data" OR "Botnets") | stats count by cs_username, cs_host, cs_Referrer | where count > 1 | table cs_username, cs_host, cs_Referrer, count

Most of the time the results are probably benign, but it should be easy to spot when it hits. These were all for the same user; also note the blank referrer.

[Screenshot: proxy search results showing repeated malicious-category hits for one user with a blank referrer]

Schedule this to run periodically and let your logs tell you when there’s a potential infection.
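The same detection logic, re-implemented outside Splunk as an added example (not code from the original post): parse a small constructed proxy log, keep only requests whose category is on the malicious watch list, count by (user, host, referrer), and report groups over the threshold, exactly what the stats/where pipeline above does. The log layout, field names and sample lines are assumptions loosely modelled on a W3C-style access log, not an exact BlueCoat format; adapt the field names to whatever your proxy emits.

```python
"""Proxy-log detection: repeated requests to malicious-category destinations
grouped by user, host and referrer. Sample data below is constructed."""
import shlex
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Categories treated as malicious, mirroring the Splunk search on the page.
MALICIOUS_CATEGORIES = {"Malicious Sources", "Malicious Outbound Data", "Botnets"}

# Constructed sample log (not real traffic). "#Fields:" names the columns;
# values are space separated and double-quoted when they contain spaces.
# cs-categories is ';'-separated, as many proxies emit multi-category hits.
SAMPLE_LOG = """#Fields: date time c-ip cs-username cs-categories cs(Referer) cs-host sc-status
2024-01-15 08:01:02 10.0.0.5 jdoe "Search Engines" - www.example.com 200
2024-01-15 08:01:10 10.0.0.5 jdoe "Malicious Sources" - bad.example.net 200
2024-01-15 08:01:41 10.0.0.5 jdoe "Malicious Sources" - bad.example.net 200
2024-01-15 08:02:05 10.0.0.5 jdoe "Botnets;Malicious Outbound Data" - c2.example.org 503
2024-01-15 08:03:00 10.0.0.9 asmith "Malicious Sources" http://news.example.com/ bad.example.net 200
2024-01-15 08:04:00 10.0.0.7 bwong "News/Media" - news.example.com 200
"""

Key = Tuple[str, str, str]  # (cs_username, cs_host, cs_Referrer)


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse a '#Fields:'-headed log into one dict per request, keyed by column."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not fields:
            continue  # other directives, or data before any header
        values = shlex.split(line)  # honours the double-quoted fields
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def is_malicious(categories: str) -> bool:
    """True if any ';'-separated category is on the watch list."""
    return any(c.strip() in MALICIOUS_CATEGORIES for c in categories.split(";"))


def detect(records: Iterable[Dict[str, str]], threshold: int = 1) -> Dict[Key, int]:
    """Equivalent of: stats count by user, host, referrer | where count > threshold."""
    counts: Counter = Counter()
    for r in records:
        if is_malicious(r.get("cs-categories", "")):
            counts[(r["cs-username"], r["cs-host"], r["cs(Referer)"])] += 1
    return {key: n for key, n in counts.items() if n > threshold}


def run(text: str = SAMPLE_LOG, threshold: int = 1) -> Dict[Key, int]:
    """Parse and detect in one step; returns the flagged groups with their counts."""
    return detect(parse_log(text), threshold)


if __name__ == "__main__":
    # A '-' referrer is the blank referrer the post calls out: a direct
    # request to a malicious host rather than a click-through from a page.
    for (user, host, referrer), n in sorted(run().items()):
        print(f"{user:10} {host:20} referrer={referrer:30} count={n}")
```

With the constructed data only jdoe's two direct requests to bad.example.net cross the threshold; the single Botnets hit and asmith's one request fall below it, which is the behaviour of `where count > 1` in the Splunk search. Lowering the threshold to 0 shows every matching group, useful when first tuning the category list.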