Well, it’s been almost a month since the PoshSec Framework was announced, and I’ve been working on integrating some ideas into it. I’ve finally got something up which I’m pretty happy with.
It’s an IIS log monitor in Powershell.
The monitor function itself runs within the PoshSec Framework, leveraging the built-in alerts. When you execute Start-SecIISMonitor you can specify an IP address and a filter to isolate which http events you want alerts on. Here’s a simple example where I am isolating a hit on any .PNG files (I’d do something more interesting if my test IIS server had anything beyond the Microsoft default page on it)
The tab at the bottom showing “Active Scripts(1)” shows that the monitor is still running. It has a configurable polling frequency so that it periodically checks the latest records of the log file for anything new that matches the given parameters.
At this point it just generates alerts, but future iterations on this can add functions that automatically adjust firewall settings due to certain traffic patterns. For example, one idea I had was to create a fake page, like a honeypot. The IIS monitor function can detect any hits to that page, then blacklist the visiting IP address.
Behind the monitoring function, there is another function which can also be utilized in new ways. The Get-SecIISLog function parses an IIS log file, and outputs an object. Each piece of the http record is separately addressable through PowerShell, so a forensics investigation could isolate certain IP addresses, URLS, user agent strings, or any combination of attributes. And, since it outputs into the pipeline, those investigations could have the output formatted and sorted for a final report.
I’m glad to be a part of this project, and look forward to what we can achieve with it.