Article ID: 884289
This article describes the usage of the Port Reporter Parser (PR-Parser) tool. PR-Parser is a tool that parses the logs that the Port Reporter service generates. The PR-Parser tool has many advanced features that can help you analyze the Port Reporter service log files. You can use PR-Parser together with the Port Reporter tool in a number of scenarios, including troubleshooting and security-related scenarios. This article focuses on how to use the PR-Parser tool in security-related scenarios.
To obtain the PR-Parser tool, visit the following Microsoft Web site:
Background information
When a Microsoft Windows-based computer becomes vulnerable, an attacker typically uses the resources of the Windows-based computer to inflict more damage or to attack other computers. This kind of attack typically involves activities such as starting one or more processes, using TCP and UDP ports, or both. Unless an attacker hides this activity from the Windows-based computer itself, you can capture and identify this activity. Therefore, looking for indications of this kind of activity can help you determine whether a system is vulnerable.
The Port Reporter tool is a program that can run as a service on a computer that is running Microsoft Windows Server 2003, Microsoft Windows XP, or Microsoft Windows 2000. The Port Reporter service logs TCP and UDP port activity. On Windows Server 2003-based and Windows XP-based computers, the Port Reporter service can log the following information:
PR-Parser is a tool that parses the logs that the Port Reporter service generates. For additional information about the Port Reporter service, click the following article number to view the article in the Microsoft Knowledge Base:
837243 Availability and description of the Port Reporter tool (http://support.microsoft.com/kb/837243/)
The Port Reporter tool creates the following three log files when the tool runs:
The PR-Parser tool provides the following three basic functions:
Windows GUI to review the logs
Identifying suspicious data or data that you are interested in
Analyzing the logs and generating data
Windows GUI to review the logs
The Windows GUI of the PR-Parser tool provides the following features:
Identifying suspicious data or data that you are interested in
You can use the PR-Parser tool to track several data points, including modules, IP addresses, ports, users, and host names. By using the PR-Parser tool, you can quickly determine whether any log entries in a Port Reporter log file match any criteria that the PR-Parser tool is configured to search for. You can configure these criteria in the GUI of the PR-Parser tool and then update them to include the characteristics of new conditions that you choose.
To view, add, or delete criteria, click Criteria settings on the Edit menu.
The following are the six criteria that can be set in the PR-Parser tool to identify suspicious data or data that you are interested in.
Tracking known modules
Tracking known modules lets you identify executable files that use the names of legitimate binary files but run or are loaded from the wrong folder. For example, a popular name for malicious software is Svchost.exe. The legitimate Svchost.exe runs from the %windir%\System32 folder. When malicious software is named Svchost.exe and is copied to the %windir% folder, it can be difficult to see that this binary file is running from the wrong folder. If Svchost.exe is running from a folder other than the System32 folder, the computer may be vulnerable to attack. The PR-Parser tool identifies this kind of problem.
Note that some modules legitimately run from more than one location. You must review any PR-Parser warning to determine whether it is a false positive or whether something irregular has been found. When you examine Port Reporter log files from different computers, you may have to override the local computer's folder settings, because the computers may have different folder structures. For example, %systemroot% and %windir% may point to different locations on different computers. In this case the PR-Parser tool may report many files as running from the wrong folder, because it resolves these variables by using the folder structure of the local computer where the PR-Parser tool is running. To compensate for this kind of difference between computers, you can override this behavior and set how the PR-Parser tool resolves these environment variables. To do this, follow these steps:
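An added example (not part of the article or of PR-Parser itself) of the known-module check described above, with the environment variables resolved per computer instead of on the local machine. The module list, the per-host folder settings and the sample records are all constructed for this example.

```python
import ntpath
import re

# Expected folders for well-known executables (constructed for this example,
# not PR-Parser's own criteria list). Paths keep %VAR% syntax so they can be
# resolved against each computer's own folder settings.
KNOWN_MODULES = {
    "svchost.exe": ["%windir%\\System32"],
    "lsass.exe": ["%windir%\\System32"],
    "explorer.exe": ["%windir%"],
}

# Folder settings per computer (constructed). This is the override the article
# describes: resolve %windir%/%systemroot% for the computer that wrote the log,
# not for the computer where the parser runs.
HOST_ENV = {
    "HOST-A": {"windir": "C:\\WINDOWS", "systemroot": "C:\\WINDOWS"},
    "HOST-B": {"windir": "D:\\WINNT", "systemroot": "D:\\WINNT"},
}

_VAR = re.compile(r"%([A-Za-z0-9_]+)%")

def expand(path, env):
    """Expand %VAR% tokens with the given computer's settings (case-insensitive)."""
    return _VAR.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), path)

def check_module(image_path, host):
    """Return None if a tracked module runs from an expected folder, else a warning."""
    env = HOST_ENV[host]
    folder, name = ntpath.split(image_path)
    expected = KNOWN_MODULES.get(name.lower())
    if expected is None:
        return None  # not a tracked module name, nothing to compare
    allowed = {expand(p, env).lower() for p in expected}
    if folder.lower() in allowed:
        return None
    return f"{name} on {host} runs from {folder}, expected one of {sorted(allowed)}"

# Constructed sample records: (computer that wrote the log, process image path)
SAMPLE = [
    ("HOST-A", "C:\\WINDOWS\\System32\\svchost.exe"),
    ("HOST-A", "C:\\WINDOWS\\svchost.exe"),         # the wrong-folder case from the article
    ("HOST-B", "D:\\WINNT\\System32\\svchost.exe"),  # fine once HOST-B's settings are used
    ("HOST-B", "D:\\WINNT\\explorer.exe"),
]

def warnings(records=SAMPLE):
    """Run the check over all records and keep only the warnings."""
    return [w for host, path in records if (w := check_module(path, host))]

if __name__ == "__main__":
    for w in warnings():
        print("WARNING:", w)
```

Checking a HOST-B path with HOST-A's settings (as a parser that resolves variables locally would) produces exactly the false positive the article warns about.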
Modules
The PR-Parser tool can quickly determine whether the modules that you are interested in are found in the Port Reporter log files. To add modules to the list of modules that you are interested in, follow these steps:
When the PR-Parser tool finds a module in a log file that you are interested in, it displays the entry in red in the grid on the main form. For example, the Netcat.exe tool is a tool that administrators may or may not want users to use on their network. It can be identified in Port Reporter logs if the Netcat.exe tool is run by using its original name.
Double-click a selected line to see its details. A Port Reporter Parser - Log Entry Details dialog box opens and provides the details about the process, about the ports that are used, and about the modules that are loaded. The PR-Parser tool also provides a warning. In the Port Reporter Parser - Log Entry Details dialog box, if you right-click the process name, the PR-Parser tool provides options for researching the "interesting" or suspicious process.
Note You cannot see the details of a log entry on a Windows 2000-based computer.
IP addresses
The PR-Parser tool can identify, in Port Reporter log files, the IP addresses that you are interested in. To specify the IP addresses, follow these steps:
After you add an IP address in the IP Addresses criteria and then apply the criteria, the specified IP address is displayed in the grid on the main form.
Ports
Network administrators use firewall logs to determine which programs are running on their networks and which endpoints are used when the programs communicate. The PR-Parser tool can help you determine which ports are being used by a program and can quickly identify the ports that you are interested in. Many viruses, worms, malicious programs, and tools that are used by malicious users use the same ports every time they run. The PR-Parser tool can identify any ports that are listed in the ports criteria list.
To modify this list, follow these steps:
Note that legitimate programs may use the same ports that malicious programs use. You must investigate each warning that the PR-Parser tool generates to determine whether the warning was caused by irregular activity.
User accounts
The PR-Parser tool lets you identify, in Port Reporter log files, the user accounts that you are interested in. To specify the user accounts, follow these steps:
After you add a user in the user accounts criteria, the specified user account is displayed in the grid on the main form.
Host names
The PR-Parser tool tries to resolve the remote IP addresses that are found in the logs to host names. The success of the resolution depends on factors such as correctly configured TCP/IP settings, DNS settings, an operational name resolution infrastructure, and the available IP-address-to-name mappings. To reduce the number of queries that are sent to the network, the PR-Parser tool has its own name cache and also uses the client's name caches. To specify the host names, follow these steps:
Applying the criteria
If you want to apply the criteria to the log file that is opened, you can use the Apply Criteria option on the Tools menu. The PR-Parser tool parses the log file to search for entries that match the criteria. If a match is found, the PR-Parser tool displays the field that is matched. Details, such as loaded modules, are not listed in the grid on the main form. These details are only available when you view the record details.
When the PR-Parser tool finds that a module that you are interested in was loaded, or that a module that uses a legitimate name was loaded from the wrong folder, the tool does not display this information in the main form grid, because the grid does not display the detail fields. To identify all rows that contain data that match the criteria, even in the details of an entry, you must filter the data. To do this, point to Filters on the Edit menu, and then click Show only rows with "interesting" data. This feature lets you determine whether any log entries match the criteria that you set. The resulting list, which may be empty, contains all the rows where data matches the criteria, including details such as modules. The Show only rows with "interesting" data option is unavailable until a criterion is applied to the data. After you click Apply Criteria on the Tools menu, the Show only rows with "interesting" data option becomes available.
Analyzing the logs and generating data
The PR-Parser tool can also generate log analysis data that can be useful for computer administrators and network administrators. Seven sets of data are generated from the Port Reporter logs of Windows Server 2003-based or Windows XP-based computers. Because the Port Reporter tool does not perform port-to-process mapping on Windows 2000-based computers, some of these statistics cannot be generated from the logs of those computers. To analyze the logs and generate output, click Log analysis data on the Tools menu.
The following are the seven sets of data that are generated by the PR-Parser tool:
Local TCP port usage
This data set includes the number of times each TCP port has been logged by the Port Reporter tool. This kind of data can be helpful when you want to determine which ports will be opened between subnets or out to the Internet. This data gives you an idea of how frequently the ports are used by each computer. The data contains a Percentage of Total value for each entry. This value is calculated by dividing the number of times each port is used by the total number of times all the ports are used.
Process usage
You can use this data to analyze process usage on computers: for example, which programs the computer uses, how frequently they are logged by the Port Reporter tool, and which programs are used most. The data contains a Percentage of Total value for each entry. This value is calculated by dividing the number of times each process is logged by the total number of times all the processes are logged. This data is not available for Windows 2000-based computers.
Svchost.exe enumeration
The PR-Parser tool can identify all services that are hosted by the Svchost.exe process. This information is required to determine the programs that are running on a computer.
Remote IP address usage
This data set shows the IP addresses, and may show the host names, that the computer has been communicating with. The list is ranked so that you can see which computers communicate frequently.
You can right-click the grid and then select an option to resolve the IP addresses to their corresponding host names. The PR-Parser tool tries to resolve the names by using the network and DNS settings on the computer where the PR-Parser tool is running.
User context usage
This data set shows a ranked list of the user accounts that were used in the Port Reporter log file. You can use this to determine which user accounts have been used on a computer. This data is not available for Windows 2000-based computers.
Port usage by hour
This data set provides a breakdown of port usage per hour over the time that the Port Reporter log file data was collected. You can use this data to understand the peak times for a computer and to understand whether ports are used at unexpected times.
Note By default, the Port Reporter collects data for 24 hours.
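An added example (not part of the article or of PR-Parser) that computes three of the data sets described above, Local TCP port usage with its Percentage of Total, Process usage, and Port usage by hour, over constructed sample records. The tab-separated record layout is an assumption made for this example and is not the Port Reporter log format.

```python
from collections import Counter
from datetime import datetime

# Constructed sample records (not real Port Reporter output). Columns:
# timestamp, protocol, local port, process image, user context.
SAMPLE_LOG = """\
2006-11-01 08:02:11\tTCP\t135\tsvchost.exe\tNT AUTHORITY\\SYSTEM
2006-11-01 08:05:40\tTCP\t445\tSystem\tNT AUTHORITY\\SYSTEM
2006-11-01 09:10:03\tTCP\t3389\tsvchost.exe\tNT AUTHORITY\\NETWORK SERVICE
2006-11-01 09:12:59\tUDP\t137\tSystem\tNT AUTHORITY\\SYSTEM
2006-11-01 09:30:00\tTCP\t135\tsvchost.exe\tNT AUTHORITY\\SYSTEM
2006-11-01 23:45:12\tTCP\t12345\tnetcat.exe\tCORP\\jsmith
"""

def parse(text):
    """Parse the constructed layout into a list of record dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, port, image, user = line.split("\t")
        rows.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                     "proto": proto, "port": int(port), "image": image, "user": user})
    return rows

def usage_with_percent(values):
    """Count each value and add its share of the total, like PR-Parser's Percentage of Total."""
    counts = Counter(values)
    total = sum(counts.values())
    return {v: (n, round(100.0 * n / total, 1)) for v, n in counts.most_common()}

def local_tcp_port_usage(rows):
    """Local TCP port usage: TCP entries only, ranked by count."""
    return usage_with_percent(r["port"] for r in rows if r["proto"] == "TCP")

def process_usage(rows):
    """Process usage: how often each process image was logged."""
    return usage_with_percent(r["image"] for r in rows)

def port_usage_by_hour(rows):
    """Port usage by hour: hour of day -> Counter of local ports seen in that hour."""
    by_hour = {}
    for r in rows:
        by_hour.setdefault(r["time"].hour, Counter())[r["port"]] += 1
    return by_hour

if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print("Local TCP port usage:", local_tcp_port_usage(rows))
    print("Process usage:", process_usage(rows))
    for hour, ports in sorted(port_usage_by_hour(rows).items()):
        print(f"{hour:02d}:00", dict(ports))  # the 23:00 entry is the "unexpected time" case
```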
Iexplore.exe usage
This data set enumerates the endpoints that Microsoft Internet Explorer visited. This data is broken down on a user-by-user basis so that the usage of Internet Explorer by each user can be profiled. You can use this data to determine which sites users visited or which firewalls the computer used to access the Internet.
You can right-click the form to see related information. Each IP address that is listed can be resolved to a host name. Therefore, the corresponding name of each site or firewall can be identified.
You can also use the Portqry.exe utility to query the ports on the computers that are identified in this list. To save the log analysis data to a text file, click Save in the Log Analysis Data for log dialog box.
Article ID: 884289 - Last Review: November 1, 2006 - Revision: 1.2