We want to ship a firewall program together with our product.
I can configure the Windows Firewall to block outgoing connections (by default it does not do this):
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
But I need to know when something gets blocked, so that the program can ask whether it should be unblocked.
I tried turning on logging, but it does not log the path of the exe. Is there a way to log it?
I have already posted a question on StackOverflow to try the event-detection approach, but if there is a way to turn on logging of the exe path, I would like to know. I would prefer to keep using Java, which has limitations when it comes to event detection.
I don't mind calling any command-line program, nor using VBScript. But what I need is to know, as soon as possible, that an outgoing connection from an exe has been blocked, and which exe it was.
Answer 1
p0rkjello's answer is correct, but it leaves out the key part; after a few hours of effort I found the solution.
- Open CMD with administrator rights and paste the command
auditpol /set /subcategory:"{0CCE9226-69AE-11D9-BED3-505054503030}" /success:disable /failure:enable
- Open Event Viewer and go to Windows Logs > Security
- From the right-hand panel choose Filter Current Log > Keywords > select "Audit Failure"
The information you can find here includes the application name, destination IP, connection direction, and so on.
Edit: 9 April 2020
I found a simpler way: check the event log with the PowerShell command below
Get-EventLog security -newest 10 -InstanceId 5157 -Message *Destination* | Select @{Name="message";Expression={ $_.ReplacementStrings[1] }}
- Replace -newest 10 with the number of entries you want to search.
- Select @{Name="message";Expression={ $_.ReplacementStrings[1] }} extracts the application name.
Answer 2
I believe this is what you are looking for: application logging
Once it is configured, the block will be recorded in the system log, and the application name will be listed.
Answer 3
As the link points out, the correct source is the Windows Filtering Platform audit events. We can use the following cmd script to output the required data:
@echo off
for /f "tokens=2 delims==" %%s in ('wmic os get LocalDateTime /value') do set datetime=%%s
auditpol /set /subcategory:{0CCE9225-69AE-11D9-BED3-505054503030} /failure:enable > nul
pause
wmic ntevent where "LogFile='security' AND EventCode = 5152 AND TimeGenerated > '%datetime%'" get InsertionStrings
auditpol /set /subcategory:{0CCE9225-69AE-11D9-BED3-505054503030} /failure:disable > nul
"{0CCE9225-69AE-11D9-BED3-505054503030}" is the GUID of the audit subcategory "Filtering Platform Packet Drop", whose event code is 5152. While the script is stopped at pause, run the program or perform the actions of interest, then resume the script when the test is complete. Sample output:
InsertionStrings
{"504", "\device\harddiskvolume2\windows\system32\svchost.exe", "%%14592", "10.0
.0.254", "67", "255.255.255.255", "68", "17", "89509", "%%14610", "44"}
{"3348", "\device\harddiskvolume2\another\program.exe", "%%14593", "10.0.0.1", "
52006", "123.123.123.123", "80", "6", "89523", "%%14611", "48"}
Using get Message /value instead of get InsertionStrings in the wmic command gives richer output, but it is also longer:
Message=The Windows Filtering Platform has blocked a packet.
Application Information:
Process ID: 3128
Application Name: \device\harddiskvolume2\path\to\program.exe
Network Information:
Direction: Outbound
Source Address: 10.0.0.1
Source Port: 50099
Destination Address: 1.2.3.4
Destination Port: 80
Protocol: 6
Filter Information:
Filter Run-Time ID: 69203
Layer Name: Connect
Layer Run-Time ID: 48
These are just excerpts from the Security log, which can also be viewed in the GUI.
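An added example, not part of any of the answers above: a PowerShell function that reads the structured EventData of WFP event 5157 through Get-WinEvent (instead of splitting the message text), keeps only outbound blocks, and then polls so a blocked exe is reported within seconds. It assumes the "Filtering Platform Connection" audit subcategory was already enabled with the auditpol command from Answer 1 and that the session is elevated; the EventData field names (Application, Direction, DestAddress, ...) are those used by event 5157.

```powershell
# Added example (not from the answers above). Requires an elevated session and
# auditpol /set /subcategory:"{0CCE9226-69AE-11D9-BED3-505054503030}" /failure:enable

function Get-BlockedOutboundConnections {
    param(
        [datetime]$Since = (Get-Date).AddMinutes(-5),
        [int]$MaxEvents = 200
    )
    # FilterHashtable is evaluated by the event log service, so it is far
    # cheaper than filtering 5157 events client-side with Where-Object.
    $filter = @{ LogName = 'Security'; Id = 5157; StartTime = $Since }
    # Get-WinEvent raises a non-terminating error when nothing matches; ignore it.
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Parse the event XML and turn <Data Name="...">value</Data> into a hashtable.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            # Direction resource strings: %%14593 = Outbound, %%14592 = Inbound
            # (the same values appear in the InsertionStrings sample output above).
            if ($data['Direction'] -eq '%%14593') {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    ProcessId   = $data['ProcessID']
                    # NT device path, e.g. \device\harddiskvolume2\path\to\program.exe
                    Application = $data['Application']
                    Destination = "$($data['DestAddress']):$($data['DestPort'])"
                    Protocol    = $data['Protocol']   # 6 = TCP, 17 = UDP
                }
            }
        }
}

# Poll the log every two seconds and report only events newer than the last poll.
$last = Get-Date
while ($true) {
    Get-BlockedOutboundConnections -Since $last | Format-Table -AutoSize
    $last = Get-Date
    Start-Sleep -Seconds 2
}
```

The Application value is an NT device path rather than a drive-letter path, so compare it against your own exe after normalising both forms.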
Answer 4
This VBScript will enumerate the Windows Firewall rule settings:
' This VBScript file includes sample code that enumerates
' Windows Firewall rules using the Microsoft Windows Firewall APIs.
Option Explicit
Dim CurrentProfiles
Dim InterfaceArray
Dim LowerBound
Dim UpperBound
Dim iterate
Dim rule
' Profile Type
Const NET_FW_PROFILE2_DOMAIN = 1
Const NET_FW_PROFILE2_PRIVATE = 2
Const NET_FW_PROFILE2_PUBLIC = 4
' Protocol
Const NET_FW_IP_PROTOCOL_TCP = 6
Const NET_FW_IP_PROTOCOL_UDP = 17
Const NET_FW_IP_PROTOCOL_ICMPv4 = 1
Const NET_FW_IP_PROTOCOL_ICMPv6 = 58
' Direction
Const NET_FW_RULE_DIR_IN = 1
Const NET_FW_RULE_DIR_OUT = 2
' Action
Const NET_FW_ACTION_BLOCK = 0
Const NET_FW_ACTION_ALLOW = 1
' Create the FwPolicy2 object.
Dim fwPolicy2
Set fwPolicy2 = CreateObject("HNetCfg.FwPolicy2")
CurrentProfiles = fwPolicy2.CurrentProfileTypes
' The returned 'CurrentProfiles' bitmask can have more than 1 bit set if multiple profiles
' are active or current at the same time
If (CurrentProfiles And NET_FW_PROFILE2_DOMAIN) Then
    WScript.Echo("Domain Firewall Profile is active")
End If
If (CurrentProfiles And NET_FW_PROFILE2_PRIVATE) Then
    WScript.Echo("Private Firewall Profile is active")
End If
If (CurrentProfiles And NET_FW_PROFILE2_PUBLIC) Then
    WScript.Echo("Public Firewall Profile is active")
End If
' Get the Rules object
Dim RulesObject
Set RulesObject = fwPolicy2.Rules
' Print all the rules in currently active firewall profiles.
WScript.Echo("Rules:")
For Each rule In RulesObject
    ' Only show rules that apply to at least one of the currently active profiles
    If rule.Profiles And CurrentProfiles Then
        WScript.Echo(" Rule Name: " & rule.Name)
        WScript.Echo(" ----------------------------------------------")
        WScript.Echo(" Description: " & rule.Description)
        WScript.Echo(" Application Name: " & rule.ApplicationName)
        WScript.Echo(" Service Name: " & rule.ServiceName)
        Select Case rule.Protocol
            Case NET_FW_IP_PROTOCOL_TCP
                WScript.Echo(" IP Protocol: TCP.")
            Case NET_FW_IP_PROTOCOL_UDP
                WScript.Echo(" IP Protocol: UDP.")
            Case NET_FW_IP_PROTOCOL_ICMPv4
                WScript.Echo(" IP Protocol: ICMPv4.")
            Case NET_FW_IP_PROTOCOL_ICMPv6
                WScript.Echo(" IP Protocol: ICMPv6.")
            Case Else
                WScript.Echo(" IP Protocol: " & rule.Protocol)
        End Select
        ' Ports and addresses only make sense for TCP and UDP rules
        If rule.Protocol = NET_FW_IP_PROTOCOL_TCP Or rule.Protocol = NET_FW_IP_PROTOCOL_UDP Then
            WScript.Echo(" Local Ports: " & rule.LocalPorts)
            WScript.Echo(" Remote Ports: " & rule.RemotePorts)
            WScript.Echo(" LocalAddresses: " & rule.LocalAddresses)
            WScript.Echo(" RemoteAddresses: " & rule.RemoteAddresses)
        End If
        If rule.Protocol = NET_FW_IP_PROTOCOL_ICMPv4 Or rule.Protocol = NET_FW_IP_PROTOCOL_ICMPv6 Then
            WScript.Echo(" ICMP Type and Code: " & rule.IcmpTypesAndCodes)
        End If
        Select Case rule.Direction
            Case NET_FW_RULE_DIR_IN
                WScript.Echo(" Direction: In")
            Case NET_FW_RULE_DIR_OUT
                WScript.Echo(" Direction: Out")
        End Select
        WScript.Echo(" Enabled: " & rule.Enabled)
        WScript.Echo(" Edge: " & rule.EdgeTraversal)
        Select Case rule.Action
            Case NET_FW_ACTION_ALLOW
                WScript.Echo(" Action: Allow")
            Case NET_FW_ACTION_BLOCK
                WScript.Echo(" Action: Block")
        End Select
        WScript.Echo(" Grouping: " & rule.Grouping)
        WScript.Echo(" Interface Types: " & rule.InterfaceTypes)
        ' Interfaces is Empty when the rule applies to all interfaces
        InterfaceArray = rule.Interfaces
        If IsEmpty(InterfaceArray) Then
            WScript.Echo(" Interfaces: All")
        Else
            LowerBound = LBound(InterfaceArray)
            UpperBound = UBound(InterfaceArray)
            WScript.Echo(" Interfaces: ")
            For iterate = LowerBound To UpperBound
                WScript.Echo(" " & InterfaceArray(iterate))
            Next
        End If
        WScript.Echo("")
    End If
Next
It comes from here, which should point you in the right direction.