Port Reporter Parser v1.0

If you use the PortReporter (download, KB article), there is a nice log parser for it. Go ahead and snatch a copy of Port Reporter Parser while it's hot.

Here's straight from the horse's mouth a short list of what the tool is capable of:

The Port Reporter Parser (PR-Parser) is a tool that parses the logs that the Port Reporter service generates.  I have built some features into this parser to help identify Trojans/malware running on Windows systems and to provide some useful statistics on a system’s usage. 

PR-Parser helps to identify data that is “interesting” and/or “suspicious”:

  • Identifies ports of interest that are used on the system.
  • Identifies “suspicious” processes running on the system.
  • Identifies “suspicious” modules (.dlls, .drvs, etc) loaded on the system.
  • Identifies “interesting” user accounts that are active on the system.
  • Helps to determine when IP addresses, fully qualified domain names (FQDNs), or computer names of interest are found communicating with the system.
  • Attempts to identify when a process using the name of a legitimate process is run from the wrong directory on a system.

PR-Parser provides some log analysis data as well.  This data can help profile the system and/or how users use the system.  This data includes:

  • Local TCP port usage - % of time a TCP port is used
  • Local process usage – what % of time each process is used
  • Remote IP address usage – how often the local system communicates with each remote host
  • User context usage – how often each user account is used to start local processes
  • Port usage by hour of the day – helps identify peek usage times for a Windows system
  • Svchost.exe enumeration – see all the services hosted by every instance of svchost.exe running on a system
  • Internet Explorer usage by user – see all the sites or firewalls that every user visits via Internet Explorer

There's lot more than the list above to make it even more useful. The download includes Readme file with more information about the tool capabilities.

Update: Added link to Tim Rains blog. Tim is the guy that came up with Port Reporter and Port Reporter Parser. He is also a Technical Lead on the Microsoft Product Support Services Incident Response team.

Add a Comment