Networknet.nl Blog
As IT security pros we often scan many different networks and use different commands to do the job. At the end we have dozens of log files that we need to analyze.
A couple of days ago I installed a nice tool developed by Microsoft called LogParser. It has some neat features for querying different data sources.
I played with it and came up with some nice command lines.
Put all your logs into the C:\Scans\ directory and make sure they all have the same extension, e.g. .log or .txt. Open a command prompt (CMD) and paste the following command line:
C:\Tools\LogParser2.2>LogParser.exe -i:textline "select text from C:\Scans\*.log where text like '%VUL%'" -o:CSV
This command queries every file with the .log extension in C:\Scans for lines that contain the string VUL (in this case the VULNERABLE marker written by our VNC_Auth scans) and prints the matching lines in CSV format. The -i:textline input format treats each line of each file as one record with a text field, so the query runs over all files in one pass. You can change the string in the where text like clause to any string you are looking for; note that '%VUL%' is a substring match, so check that your scanner does not also write lines such as "NOT VULNERABLE" that would match too.
Output:
10.202.1.8 :5900 vnc4:VULNERABLE
10.202.2.7 :5900 vnc4:VULNERABLE

Statistics:
-----------
Elements processed: 6565
Elements output: 2
Execution time: 0.36 seconds
Example with an Apache version string:
C:\Tools\LogParser2.2>LogParser.exe -i:textline "select text from c:\scans\web.log where text like '%2.0.58%'" -o:CSV
Output:
10.7.80.171:80 Server: Apache/2.0.58 (Unix) mod_ssl/2.0.58 OpenSSL/0.9.8a DAV/2 PHP/5.1.6
10.7.80.172:80 Server: Apache/2.0.58 (Unix) mod_ssl/2.0.58 OpenSSL/0.9.8a DAV/2 PHP/5.1.6

Statistics:
-----------
Elements processed: 638
Elements output: 2
Execution time: 0.07 seconds
Example with an IMAP (port 143) banner scan:
C:\Tools\LogParser2.2>LogParser.exe -i:textline "select text from c:\scans\ban.log where text like '%Imail%'" -o:CSV
Output:
10.20.121.73:143 * OK IMAP4 Server (IMail 9.04)
10.20.121.74:143 * OK IMAP4 Server (IMail 9.04)

Statistics:
-----------
Elements processed: 7390
Elements output: 2
Execution time: 0.66 seconds
In these two examples I used only the web.log and ban.log text files. The power of this tool is that you can run different SQL statements over all your scan log files at once: search complete directories for the banners or ports of hosts that are known to be vulnerable today. Hosts go up and down, but the log files can still be queried for months after a scan has completed.
Before I used this tool I did my analysis with only one file in an Excel spreadsheet and filtered that; many times I used the Linux grep feature, but from now on I never want to miss this great tool.
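To take the procedure above (all logs in C:\Scans\, one textline query, CSV out) a step further, here is an added example batch file that is not part of the original post: it keeps the same C:\Scans\*.log layout and the same LogParser 2.2 command line, but also reports which scan file each hit came from, splits host, port and banner into separate CSV columns, and counts how many hosts share each banner. It assumes LogParser.exe lives in C:\Tools\LogParser2.2\, that every scan line starts with host:port followed by a space and the banner (as in the web.log and ban.log output shown here; the VNC lines with a space before :5900 would need the separator adjusted), and the output file names are my own choice.

```batch
@echo off
REM Added example, not from the original post. Queries Log Parser 2.2 over the
REM same C:\Scans\*.log files the post uses. Assumptions: LogParser.exe path,
REM output file names, and scan lines of the form "host:port banner text".
REM NOTE: inside a .bat file a literal % must be written as %%; when you paste
REM these lines into CMD by hand, use a single % in the LIKE patterns.
set LP=C:\Tools\LogParser2.2\LogParser.exe

REM 1. Same search as the post, but the TEXTLINE input format also exposes
REM    LogFilename and Index, so you can see which scan file and which line
REM    each vulnerable host came from. INTO writes the CSV to a file instead
REM    of the console; -stats:OFF drops the trailing statistics block.
%LP% -i:TEXTLINE -o:CSV -stats:OFF "SELECT LogFilename, Index, Text INTO C:\Scans\vulnerable.csv FROM C:\Scans\*.log WHERE Text LIKE '%%VULNERABLE%%'"

REM 2. Split "host:port banner" into three columns so the CSV can be sorted
REM    or fed to another tool. The first space-separated token is host:port;
REM    EXTRACT_TOKEN with ':' splits it again; SUBSTR from the first space
REM    onwards is the banner.
%LP% -i:TEXTLINE -o:CSV -stats:OFF "SELECT EXTRACT_TOKEN(EXTRACT_TOKEN(Text, 0, ' '), 0, ':') AS Host, EXTRACT_TOKEN(EXTRACT_TOKEN(Text, 0, ' '), 1, ':') AS Port, SUBSTR(Text, ADD(INDEX_OF(Text, ' '), 1)) AS Banner INTO C:\Scans\apache-2.0.58.csv FROM C:\Scans\web.log WHERE Text LIKE '%%Apache/2.0.58%%'"

REM 3. Inventory view: how many hosts present each distinct banner, most
REM    common first. Run this once per scan and diff the CSVs over time, or
REM    grep the banner column when a new advisory names a version.
%LP% -i:TEXTLINE -o:CSV -stats:OFF "SELECT SUBSTR(Text, ADD(INDEX_OF(Text, ' '), 1)) AS Banner, COUNT(*) AS Hosts INTO C:\Scans\banner-counts.csv FROM C:\Scans\*.log WHERE Text LIKE '%%Server:%%' OR Text LIKE '%%IMAP4 Server%%' GROUP BY Banner ORDER BY Hosts DESC"
```

The third query is the one worth keeping around: once every scan has been reduced to a banner count, a newly published vulnerable version is a single LIKE on the Banner column rather than a search through every raw log.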
To download the tool go to http://www.microsoft.com/technet/scriptcenter/tools/logparser
June 18, 2007 - 10:51 pm
Hi Ivan1980, nice post and very handy