How to automatically ban addresses from eventlog?

L

lokaha2021-03-09 15:17:48

PowerShell

lokaha, 2021-03-09 15:17:48

Good day everyone. Can you please tell me how to correctly extract arguments from the event log of the Windows log in PS? I noticed that they are breaking into the sql server to me. looks like this:

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
  <Provider Name="MSSQLSERVER" /> 
  <EventID Qualifiers="49152">18456</EventID> 
  <Level>0</Level> 
  <Task>4</Task> 
  <Keywords>0x90000000000000</Keywords> 
  <TimeCreated SystemTime="2021-03-09T12:07:20.000000000Z" /> 
  <EventRecordID>5858623</EventRecordID> 
  <Channel>Application</Channel> 
  <Computer>user_or</Computer> 
  <Security /> 
  </System>
- <EventData>
  <Data>sa</Data> 
  <Data>Reason: Password did not match that for the login provided.</Data> 
  <Data>[CLIENT: 210.212.172.117]</Data> 
  <Binary>184800000E0000000800000055005300450052005F004F0052000000070000006D00610073007400650072000000</Binary> 
  </EventData>
  </Event>

According to those tasks, you cannot disable the user's sa. I want to auto ban addresses from the client field, but something seems to be wrong with my script. Tell me where to dig? Script below:

$Last_n_Hours = [DateTime]::Now.AddHours(-2)
$badRDPlogons = Get-EventLog -LogName 'Application' -after $Last_n_Hours -InstanceId 18456 | ?{$_.Message -match 'sa'} | Select-Object @{n='CLIENT';e={$_.ReplacementStrings[-2]} }
$getip = $badRDPlogons | group-object -property CLIENT | where {$_.Count -gt 5} | Select -property Name
$log = "C:\ps\blocked_ip.txt"
$current_ips = (Get-NetFirewallRule -DisplayName "BlockSQLBruteForce" | Get-NetFirewallAddressFilter ).RemoteAddress
foreach ($ip in $getip)
{
$current_ips += $ip.name
(Get-Date).ToString() + ' ' + $ip.name + ' IP заблокирован за ' + ($badRDPlogons | where {$_.CLIENT -eq $ip.name}).count + ' попыток за 2 часа'>> $log # запись события блокировки IP адреса в лог файл
}
Set-NetFirewallRule -DisplayName "BlockSQLBruteForce" -RemoteAddress $current_ips

I will be grateful for any help

Reply

Answer the question

In order to leave comments, you need to log in

3 answer(s)

M

Maxim Grishin, 2021-03-09
@vesper-bot

Where exactly is the joint? IP addresses are not recognized, or something else? What generally arrives in "message"? What's in the file, are the addresses correct? Did you check the state of $current_ips before and after handling the following events? Do new events fall into the log file? Digging into debugging, generally speaking, logging (write-host or write-output) everything and everything, collecting a log if you run the script through the task scheduler, think, edit the syntax, run it manually, that's all.

E

Eugene, 2021-03-09
@BeatHazard

Regarding your question, I recommend using the newer version of Get-WinEvent instead of the outdated Get-EventLog cmdlet, which displays information in a more convenient form.
The resulting logs can be passed through the XML conversion method and get convenient access to the parsed log. Here is an example:
$Compname = "PC01" #if you need to connect to a remote PC
$logs = Get-WinEvent -Computer $Compname #Next, either -FilterXML $XMLQuery (I prefer it) or
# -FilterHashTable with log selection conditions) + additionally you can filter Where-Object
$Foreach ($Log in $Logs) {
$event = [xml]$Log.ToXml() #Convert the log to XML and get a convenient parsed log #Get
access to the necessary data, in your case something like Togo:
$event.event.eventdata.data[2] #here see for yourself according to your log which field and line number to access and then work with the received data
}
PS When using the -FilterXml filter, data for filtering can be inserted from the filter of the Event Viewer snap-in after setting up the filter and switching it to XML mode
$XMLQuery = @'
Insert the data from the filter here
'@

D

Dmitry, 2021-03-12
@mexxy

I have been using cyberarms ids for a long time, for free.