Thread: analyze os monitoring tools informations

  1. #1
    Registered User smahdi1991's Avatar
    Join Date
    Nov 2009
    Posts
    32

    analyze os monitoring tools informations

I want to know how I can select 3 or 4 subjects from the many outputs of these OS monitoring tools (like Event Viewer), and then I want to correlate their information.

  2. #2
    (?<!re)tired Mario F.'s Avatar
    Join Date
    May 2006
    Location
    Ireland
    Posts
    8,446
    Your question is too vague. Maybe if you give some kind of example...
    Right now I'm feeling tempted to answer you do it by reading the output with your eyes.
    Originally Posted by brewbuck:
    Reimplementing a large system in another language to get a 25% performance boost is nonsense. It would be cheaper to just get a computer which is 25% faster.

  3. #3
    Registered User smahdi1991's Avatar
    Join Date
    Nov 2009
    Posts
    32
Really, I want to know how I can detect some kinds of attacks from an event log.
For example, I want to know whether we can detect or issue a warning about a buffer overflow by inspecting event logs (Event Viewer logs)?
    Last edited by smahdi1991; 12-07-2014 at 02:11 PM.

  4. #4
    (?<!re)tired Mario F.'s Avatar
    Join Date
    May 2006
    Location
    Ireland
    Posts
    8,446
    The Application Log will not help you much. Exploits involving buffer overflows take advantage of applications which haven't been compiled with some sort of bounds checking protection flag. Other exploits attach themselves to the executable and will handle any possible exception stopping the application from crashing (someone else can confirm this is correct?). Both situations will not register in the Application Log because there was no crash.

The Security Log, on the other hand, may help in detecting strange connections, but you must be using the Windows Firewall or a firewall that writes to the Windows event manager. But you will also need a good understanding of the Windows Firewall rules currently in place -- and if you ever opened Windows Firewall With Advanced Security, you'll know how near impossible that is. Knowing your rules allows you to look at the audits and spot dubious connections. But this is just a dirty and time-consuming approach that is more likely to yield poor results. And it will definitely not detect application-based exploits.

All in all, protection is a far better approach than auditing. The first avoids the problem, the latter informs you there was a problem. So a good firewall (I personally use Windows Firewall with TinyWall for sane management), safe surfing habits, a good anti-virus, a malware-aware web browser, and a sandbox for those moments when you really aren't sure (I use Sandboxie, but you can also use a virtual machine with snapshot capabilities) will not only stop any kind of security issue on a traditional non-server computer, but also give you enough information on the level of your security.

On machines running servers, you'll need good server administration skills (know your servers and their configuration files' best practices), check their logs instead of the Event Viewer since servers are usually rich in logging data, and you need to further tighten your security by avoiding exposing that machine to the internet, or, if you must, not also using it as your client machine (the one you use to browse the web, play games and download pron).

  5. #5
    Registered User
    Join Date
    May 2009
    Posts
    4,183
    FYI: I just installed TinyWall for Windows Firewall and one of the things that took time was getting Git to work, again.
    I had to add this exe to Application Exception list.
    git-remote-https.exe in the folder "C:\Program Files\Git\libexec\git-core".

    And, before that I added the three suggested on the internet of
    git.exe
    sh.exe
    ssh.exe
    All in the folder "C:\Program Files\Git\bin"

    Tim S.
"...a computer is a stupid machine with the ability to do incredibly smart things, while computer programmers are smart people with the ability to do incredibly stupid things. They are, in short, a perfect match.." Bill Bryson

  6. #6
    (?<!re)tired Mario F.'s Avatar
    Join Date
    May 2006
    Location
    Ireland
    Posts
    8,446
You can use the Learn Mode as described in the TinyWall help file. That will do it. But for added security I prefer to add my rules manually. What I do is open the TinyWall Connections window and check at the bottom only the blocked applications. I then fire up the application, or use the application feature I want (on those multi-executable applications, as is the case with git), after which I refresh the Connections window. I get a list of the blocked apps, right-click on them and unblock them. If I then want to fine-tune the rule, I just go to the TinyWall Manage screen.

As for the Learn Mode, keep in mind that in client-server combinations TinyWall won't whitelist servers or applications listening for incoming requests, no matter what. This is behavior by design. Incoming rules always need to be added manually on the TinyWall Manage screen.

  7. #7
    Registered User
    Join Date
    May 2009
    Posts
    4,183
Yeah, I am using learn mode to find the exe that needs a port opened.

    Update on what seems to work for me.

    Found the ports on a Google search.
    ssh:// - default port 22
    git:// - default port 9418
    http:// - default port 80
    https:// - default port 443

    Firewall settings on Git apps in folder libexec\git-core\
    git-remote-http.exe TCP out ports 80,443
    git-remote-https.exe TCP out ports 80,443
    git.exe TCP out port 9418

    I do NOT use "ssh://" for any of my Git work; so, I have no idea what exe is needed to set that port.
    No idea why git-remote-http.exe needed both 80 & 443; decided to also do both on git-remote-https.exe.

    Tim S.
    Last edited by stahta01; 12-09-2014 at 07:37 PM.
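Post #4 says the Security Log audits are only useful once you know which rules are in place, and post #7 lists the rules one member ended up with for Git. The script below is an added example, not code from anyone in this thread: it reads the Windows Filtering Platform audit events that Windows Firewall (and TinyWall, which manages Windows Firewall) writes to the Security log, and checks the Git executables from post #7 against the ports those rules allow, so a permitted connection outside the expected ports, or a pile of blocked attempts from one exe, stands out instead of being buried in the Event Viewer. The event IDs 5156/5157 and the auditpol subcategory are real Windows values; the rule table, the event count and the assumption that Git lives under the paths given in the thread are choices made for this example.

```powershell
# Added example (not from the thread): correlate Windows Filtering Platform (WFP)
# audit events in the Security log against the firewall rules you expect to exist.
# Requires "Filtering Platform Connection" auditing to be on, e.g. from an admin prompt:
#   auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable
# Reading the Security log itself also needs an elevated PowerShell session.

# Expected outbound TCP rules, taken from post #7 (exe name -> allowed remote ports).
$ExpectedRules = @{
    'git-remote-http.exe'  = @(80, 443)
    'git-remote-https.exe' = @(80, 443)
    'git.exe'              = @(9418)
}

function Get-WfpConnectionEvents {
    param([int]$MaxEvents = 5000)   # 5000 is an arbitrary cap chosen for this example
    # 5156 = WFP permitted a connection, 5157 = WFP blocked a connection
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5156, 5157 } `
                 -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            # EventData is a list of <Data Name="...">value</Data> nodes; turn it into a map
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            # Direction is logged as a resource id: %%14592 = Inbound, %%14593 = Outbound
            $direction = if ($data['Direction'] -eq '%%14593') { 'Outbound' } else { 'Inbound' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Id          = $_.Id
                Application = $data['Application']      # \device\harddiskvolumeN\...\git.exe
                Direction   = $direction
                DestAddress = $data['DestAddress']
                DestPort    = [int]$data['DestPort']
                Protocol    = $data['Protocol']         # IP protocol number, 6 = TCP
            }
        }
}

function Find-UnexpectedConnections {
    # Permitted outbound TCP connections from a watched exe to a port its rule does not cover.
    param([object[]]$Events, [hashtable]$Rules = $ExpectedRules)
    foreach ($e in $Events) {
        $exe = (Split-Path -Leaf $e.Application).ToLowerInvariant()
        if (-not $Rules.ContainsKey($exe)) { continue }   # only audit apps we have rules for
        if ($e.Id -eq 5156 -and $e.Direction -eq 'Outbound' -and $e.Protocol -eq '6' -and
            $Rules[$exe] -notcontains $e.DestPort) {
            [pscustomobject]@{
                Time        = $e.Time
                Application = $exe
                DestAddress = $e.DestAddress
                DestPort    = $e.DestPort
                Note        = 'permitted outside the expected ports'
            }
        }
    }
}

function Get-BlockedSummary {
    # Which executables are being blocked most often: the same list Mario F. reads off
    # the TinyWall Connections window, but taken from the audit log instead.
    param([object[]]$Events)
    $Events | Where-Object Id -eq 5157 |
        Group-Object { Split-Path -Leaf $_.Application } |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

$events = Get-WfpConnectionEvents
Find-UnexpectedConnections -Events $events | Format-Table -AutoSize
Get-BlockedSummary -Events $events | Format-Table -AutoSize
```

Two caveats match what the thread already says: an exe that is not in the rule table is skipped entirely, because without knowing which rules exist the audit is just noise, and none of this sees an application-level exploit; it only shows which program opened which connection and whether the firewall let it through.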
