Filtering with Wireshark and parsing logs with Log Parse Lizard

Recently one of my clients had one of their servers attacked.  The intrusion detection caught it, and I believe a lot of the malicious stuff they were trying were correctly filtered out by asp.net as dangerous requests, but in order to understand more about what was/is going on, I worked with 2 tools to help look at the situation a little deeper.

First, I wanted to look at the live requests coming to the server and see the payloads they contained.  To do this, I installed WireShark on the server, and started to capture traffic.

Wireshark as 2 types of filters: capture filters and display filters.  From the capture side of things, you can really cut down on the noise if you filter out the stuff you don’t care about.  So I used a capture filter of tcp port 80 or tcp port 443

image 

Then, while the capture is running you can type in a display filter so that you can tell if you are getting the specific type of request you are interested in during the current trace.  In this case, I was only interested in http POSTs, so I could use this filter http.request.method == “POST”

image

This way you can let the trace run until you see records start to come through that match both filters.

The other thing I wanted to do was to look at log files to see how the traffic to the site changed over time.  To do this I installed MS Log Parser and the Log Parser Lizard.  With these two tools it allows for a nice UI and SQL queries against the data.  As you can see below, the requests/attacks started at 5:52.

image

Connecting to FTP behind Windows Firewall and Passive Connections

Even though I opened up the correct port in the Firewall, my Filezilla connection would always fail shortly after connecting.

It would attempt to enter passive mode, and also get a list of the FTP contents, and then the connection would die.

Turns out that by default, the FTP client (filezilla and maybe many others) enter a “Passive” mode when not actively transfering files.  However, to do this the client needs to connect to a random port assigned by the server, which for windows FTP server is between 1024 and 5000.

Now, if you don’t want to open up all those ports in your FW, then you can use the instructions here to change the PassivePortRange in the Metabase.xml file.

http://www.winservermart.com/HowTo/IIS_Passive_FTP.aspx

Worked prefect for me.

How to setup port forwarding on the CISCO ASDM 5.2

Go to configuration – > security policy

Add Access Rule

Interface: outside

Action: permit

Source: any

Destination: type in the public IP address, aka the outside interface IP address

Service: “tcp/PORT_NUMBER_HERE”

Click OK (maybe 2 times)

 

Click Apply

 

 

Then click on NAT on the left

Click on Add Static Nat rule

Under “Original”

Interface: Inside

Source: Internal ip address that you want traffic routed to

Under Translated

Interface: outside

Click the radio button that says “Use Interface IP Address”

Check the “Enable PAT” check box

TCP and set both ports to be what you want (i.e. 3389 for RDP)

This NAT part always seems backwards to me, but it works.

multiple connections to a server or shared resource

From time to time I get this stupid error when connecting to a machine:

multiple connections to a server or shared resource by the same user are not allowed

I finally found the solution.  Just open up a command prompt and run:

net use * /delete

It will ask you if you want to delete all your open connections, say yes, and then try to reconnect using the credentials you want. 

Success!

Computer Browser service starts and then stops

I was having problems locating a machine by name on my local network. 

After some poking around I noticed that the computer browser service on the machine was not running, and when I tried to start it it would immediately stop.  Searching the event log showed that it wasn’t even throwing an error… just stopping.

After a lot of poking around I found that if I enabled File and Print Sharing in my firewall rules that the service would keep running, and now I can look up the machine by name on my local network without problem.

Windows 2008 R2 Upgrade Hanging at 62

I was in server hell this weekend, as I was trying to upgrade a machine from 2008 to 2008 R2.

I had more problems than I could even write on this page, but most were unrelated to the actual upgrade itself.

The one thing I wanted to put here was regarding the fact that the update seemed to hang at 62% in the final step.

At one point I walked away and came back like an hour later to find it still at 62%.  I swore a bunch of times and left the computer running while I went back to my laptop to try researching the issue.

I found that there is a known issue in Windows 7 upgrade that causes it to lockup at 62%.  I figured I had something like that happening to me, but thankfully I didn’t pull the plug too early because sometime during the next 30 min or so, it moved to 63%, and soon it was done.

So, if you are upgrading to R2 and you are stuck at 62%, or 63% (63% took a long time too), don’t pull the plug.  Let it sit for another hour. 

PIX ArrayIndexOutofBoundsException

So today I went to make some firewall updates for a client and the Cisco PDM wouldn’t launch from the browser.

After some troubleshooting, I found that the Java VM was indicating an ArrayIndexOutofBoundsException had occurred.

After some checking around I confirmed my suspicion: Java sucks.  Just kidding, well not really, but what I really confirmed was that the PDM wouldn’t work with any new version of Sun Java.  I guess I’m spoiled with .Net being backward compatible. 

Some suggested installing an old version of Java
http://java.sun.com/products/archive/j2se/1.4.2_03/index.html

But lucky for me I was able to just install Java 6 Update 15 and Java 6 Update 7 from Add/Remove programs and everything started working again.

It’s totally true when people accuse MS of copying Java with the .NET framework, but they sure didn’t make it suck like Java.

UPDATE: The version of Java that is working for me is Java 6 Update 6.  You can download it here:
http://java.sun.com/products/archive/j2se/6u6/index.html