Windows netstat
Has anyone ever set up a script to monitor ESTABLISHED sessions for Windows using a netstat command?
I was looking to copy/modify the win_listening_ports.bat script that is part of the Splunk for Windows app but am not having much luck. I want to gather local address:local port and foreign address:foreign port, can anyone help?
BTW - I am aware of the WinNetMon inbound;outbound monitors that are part of the same Windows app. I don't want to capture all connections, rather see a snapshot at specified intervals, like once hourly.
Thanks in advance!
I have the same needs as you, has your problem been resolved? if so can you give me the script
thank you
Hi @raysonjoberts,
did you explore the possibility of using the perfmon://Network input in Splunk TA Windows?
Maybe it can solve your need.
Otherwise you can create a script, containing the netstat command and, without saving output in a txt file, you can launch it by inputs.conf, so the script output will be automatically sent to Splunk.
Ciao.
Giuseppe
Thank you @gcusello
The perfmon for network monitor does not get the data I am looking for, I am really just looking for the outputs of a netstat -nao command for established connections.
As to the second part of your answer, I agree, a script would be what I am looking for here but I do not know how to script this and was wondering if anyone had already done it and could provide some direction. The script (win_listening_ports.bat) that is in the Windows app is 'close' to what I need but I don't know how to modify it to get what I want. I want to filter by ESTABLISHED, instead of LISTENING, but also, I want to see the local address and port as well as the foreign address and port. The listening ports script only looks for the local address and port and calls them dest_ip and dest_port, I don't know how to modify that script to also capture the foreign address/ports.
Hi @raysonjoberts,
using a script is very easy in Splunk, you have to:
- create a script (e.g. netstat.bat) containing the command you want to execute with all the options, without redirecting to a file (e.g. netstat -nao);
- then you have to put this file in the bin folder of the TA to deploy;
- then you have to define the following information to insert in the inputs.conf file:
- index: the index to store events,
- sourcetype: the sourcetype to parse the events,
- interval: the interval of script execution,
- then you have to add to the inputs.conf of that TA the following stanza:
- [script://.\bin\netstat.bat]
- disabled = 0
- interval = 300
- sourcetype = win_netstat
- index = your_index
- and deploy the TA to the servers.
In this way you'll have the output of the netstat command in Splunk.
Ciao.
Giuseppe
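The two posts above describe the goal (ESTABLISHED connections with local and foreign address:port, emitted by a scripted input) and the deployment (a script in the TA's bin folder, launched from inputs.conf). The following PowerShell script is an added example, not code from the thread or from the Splunk for Windows app. It parses `netstat -nao` output with a regex that also handles bracketed IPv6 addresses, keeps only ESTABLISHED rows, and prints one key=value event per connection so Splunk's default field extraction picks up the fields. The field names (local_ip, local_port, foreign_ip, foreign_port, state, pid), the script file name and the NETSTAT_USE_SAMPLE switch are my assumptions; the sample netstat lines are constructed.

```powershell
# win_netstat_established.ps1  (added example; assumed file name)
# Emits one key=value line per ESTABLISHED connection found in `netstat -nao` output.

function ConvertFrom-NetstatLine {
    param([string]$Line)
    # Row layout: Proto  LocalAddr:Port  ForeignAddr:Port  State  PID
    # The greedy \S+ before the last ':' keeps bracketed IPv6 addresses such as
    # [fe80::1%12]:49712 intact; UDP rows (no state, '*:*') simply do not match.
    $pattern = '^\s*(\S+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$'
    $m = [regex]::Match($Line, $pattern)
    if (-not $m.Success) { return $null }
    [pscustomobject]@{
        proto        = $m.Groups[1].Value
        local_ip     = $m.Groups[2].Value.Trim('[', ']')
        local_port   = [int]$m.Groups[3].Value
        foreign_ip   = $m.Groups[4].Value.Trim('[', ']')
        foreign_port = [int]$m.Groups[5].Value
        state        = $m.Groups[6].Value
        pid          = [int]$m.Groups[7].Value
    }
}

function Get-EstablishedConnections {
    param([string[]]$NetstatOutput)
    foreach ($line in $NetstatOutput) {
        $conn = ConvertFrom-NetstatLine -Line $line
        if ($conn -and $conn.state -eq 'ESTABLISHED') { $conn }
    }
}

function Format-SplunkEvent {
    param($Conn, [string]$Timestamp, [string]$ComputerName)
    # One event per line; key=value pairs are extracted by Splunk automatically.
    "$Timestamp host=$ComputerName proto=$($Conn.proto) " +
    "local_ip=$($Conn.local_ip) local_port=$($Conn.local_port) " +
    "foreign_ip=$($Conn.foreign_ip) foreign_port=$($Conn.foreign_port) " +
    "state=$($Conn.state) pid=$($Conn.pid)"
}

# Constructed sample of `netstat -nao` output, so the parser can be checked offline.
$sampleOutput = @(
    'Active Connections',
    '',
    '  Proto  Local Address          Foreign Address        State           PID',
    '  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       980',
    '  TCP    192.168.1.10:49700     13.107.42.14:443       ESTABLISHED     4812',
    '  TCP    [fe80::1c2b:3d4e:5f60:7a8b%12]:49712  [fe80::9:1]:445  ESTABLISHED  4',
    '  UDP    0.0.0.0:5353           *:*                                    2244'
)

# Set NETSTAT_USE_SAMPLE=1 to run against the constructed sample instead of the live host.
$output = if ($env:NETSTAT_USE_SAMPLE) { $sampleOutput } else { netstat -nao }
$timestamp = Get-Date -Format 'yyyy-MM-ddTHH:mm:ss.fffzzz'

foreach ($conn in Get-EstablishedConnections -NetstatOutput $output) {
    Format-SplunkEvent -Conn $conn -Timestamp $timestamp -ComputerName $env:COMPUTERNAME
}
```

Against the constructed sample this prints two events (the IPv4 session to port 443 and the IPv6 session to port 445); the LISTENING and UDP rows are dropped. To fit the .bat-based deployment described in the previous post, the assumption is a one-line netstat.bat in the TA's bin folder that calls `powershell.exe -NoProfile -File` on this script, so the stanza `[script://.\bin\netstat.bat]` stays as written. Because the script writes to stdout and never to a file, each scheduled run is ingested as a fresh snapshot with its own timestamp, which is the hourly point-in-time view the original question asked for.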
Thank you @gcusello, I appreciate the response.
My question was whether or not anyone has made a script like this and if so, if they could share the script. I understand how to deploy it, I was just having a hard time getting the correct syntax in the script itself. Through some trial and error, I was able to figure out the syntax of the script so I am gathering the data I was looking for.
Thanks again!
Hi @raysonjoberts,
I'm not an expert in scripting, but, to my knowledge, it should be sufficient to put the command with all the needed options in a text file and launch it from inputs.conf as I described.
Ciao.
Giuseppe
The easiest way to handle this is to create a scheduled task to run this once an hour. Then set a filemonitor on your forwarder that will read the file and ingest it into Splunk at some point after the scheduled task.
netstat -nao | FIND "ESTABLISHED" > myestablishedconn.txt
So for example, set the scheduled task with the above command to run every hour at the top of the hour. Then, to allow time for latency and such, set the Splunk configuration to monitor that file for ingestion. I'll let you decide how to handle the file: either delete it if it exists at the beginning of each run (by adding a del filename at the beginning of the scheduled task), or otherwise ensure when you create the input that you salt the file.
Here is the page from documentation discussing file monitoring in greater detail.
https://docs.splunk.com/Documentation/Splunk/latest/Data/Monitorfilesanddirectories
I hope this helps! Happy Splunking!!
Dustin
Thanks for this, and I assume it would work. However, I am looking to gather this information on thousands of servers and may, at times, want to modify the intervals at which I gather this data on a server-by-server basis. In my mind, the best way to do this is through a script, similar to the listening ports script in the Splunk for Windows App, I just don't know how to modify that script to get what I want.
