Analyze your scan log files

18 06 2007

As IT security pros we often scan many different networks and use different commands to perform the job. At the end we have dozens of log files which we need to analyze.

A couple of days ago I installed a nice tool developed by Microsoft called LogParser. It has some neat features for querying different data sources.

I played with it and came up with some nice command lines.

a) Put all your logs into the C:\Scans\ directory and make sure they all have the same extension, e.g. .log or .txt
b) Go to CMD and paste the following command line

C:\Tools\LogParser2.2>LogParser.exe -i:textline "select text from C:\Scans\*.log where text like '%VUL%'" -o:CSV

What this command line does is query all files with the .log extension in C:\Scans for all hosts which are vulnerable (this is for our VNC_Auth scans) and print the output in CSV format. You can change the "where text like" clause to any string you are looking for.

Output:

Text
10.202.1.8 :5900 vnc4:VULNERABLE
10.202.2.7 :5900 vnc4:VULNERABLE
Statistics:
-----------
Elements processed: 6565
Elements output: 2
Execution time: 0.36 seconds

c) Select the first and second rows from the command prompt output and paste them into your post.

Example with Apache string.

C:\Tools\LogParser2.2>LogParser.exe -i:textline "select text from c:\scans\web.log where text like '%2.0.58%'" -o:CSV
Text
10.7.80.171:80 Server: Apache/2.0.58 (Unix) mod_ssl/2.0.58 OpenSSL/0.9.8a DAV/2 PHP/5.1.6
10.7.80.172:80 Server: Apache/2.0.58 (Unix) mod_ssl/2.0.58 OpenSSL/0.9.8a DAV/2 PHP/5.1.6

Statistics:
-----------
Elements processed: 638
Elements output: 2
Execution time: 0.07 seconds

Example with an IMAP (port 143) scan

C:\Tools\LogParser2.2>LogParser.exe -i:textline "select text from c:\scans\ban.log where text like '%Imail%'" -o:CSV

10.20.121.73:143 * OK IMAP4 Server (IMail 9.04)
10.20.121.74:143 * OK IMAP4 Server (IMail 9.04)

Statistics:
-----------
Elements processed: 7390
Elements output: 2
Execution time: 0.66 seconds

In the last two examples I only used the web.log and ban.log text files. The power of this tool is that you can use different SQL statements on all your scan log files. Search complete directories for specific host banners/ports which are vulnerable now. Hosts go up and down, but the log files can be used for months after a scan has been completed.
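As an added example (not from the post and not part of LogParser), the same "where text like" search written in Python for the case where LogParser is not at hand, e.g. on the Linux box where grep would otherwise be used; it also splits each hit into host, port and banner so results can be sorted or grouped per host. SAMPLE_LOG is constructed from the line shapes shown in the outputs above, and the C:\Scans\*.log glob in query_dir is assumed.

```python
import csv
import glob
import io
import re

# Constructed sample lines in the "host:port banner" shape of the post's scan logs
# (some scanners write "host :port" with a space, as in the VNC output above).
SAMPLE_LOG = """\
10.202.1.8 :5900 vnc4:VULNERABLE
10.202.1.9 :5900 vnc4:OK
10.7.80.171:80 Server: Apache/2.0.58 (Unix) mod_ssl/2.0.58 OpenSSL/0.9.8a DAV/2 PHP/5.1.6
10.20.121.73:143 * OK IMAP4 Server (IMail 9.04)
10.202.2.7 :5900 vnc4:VULNERABLE
Scan finished.
"""

LINE_RE = re.compile(r"^(?P<host>\d{1,3}(?:\.\d{1,3}){3})\s*:(?P<port>\d+)\s*(?P<banner>.*)$")

def parse_line(line):
    """Split 'host[ ]:port banner' into (host, port, banner); None if there is no host:port prefix."""
    m = LINE_RE.match(line.strip())
    return (m["host"], int(m["port"]), m["banner"]) if m else None

def query(lines, needle):
    """Same filter as  select text ... where text like '%needle%'  (case-insensitive,
    as in LogParser), but each hit is also split into fields. Returns (rows, stats)."""
    rows, processed = [], 0
    for line in lines:
        processed += 1
        if needle.lower() not in line.lower():
            continue
        host, port, banner = parse_line(line) or ("", "", line.strip())
        rows.append({"Host": host, "Port": port, "Banner": banner})
    return rows, {"Elements processed": processed, "Elements output": len(rows)}

def query_dir(pattern, needle):
    """Run query() over every file matching a glob such as C:\\Scans\\*.log (assumed path)."""
    lines = []
    for path in sorted(glob.glob(pattern)):
        with open(path, encoding="utf-8", errors="replace") as f:
            lines.extend(f.read().splitlines())
    return query(lines, needle)

def to_csv(rows):
    """Render the hits as CSV text, like LogParser's -o:CSV output."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["Host", "Port", "Banner"])
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()
```

Running query_dir("C:\\Scans\\*.log", "VUL") reproduces the first command line above, with the Host column ready for a per-host count.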

Before I used this tool I did my analysis with only one file at a time in an Excel spreadsheet and filtered that; many times I used grep on Linux, but from now on I never want to miss this great tool.

To download the tool, go to http://www.microsoft.com/technet/scriptcenter/tools/logparser


One response to “Analyze your scan log files”

18 06 2007
JoeD (22:51:12) :

Hi Ivan1980, nice post and very handy ;-)
