34 replies to this topic

[ptrex]

Windows XP Firewall Log Analyser

This is my first project.

Thanks for all the support.
Suggestion are welcome.

- In order to use this application you need to have XP/SP2.
- You need to activate the firewall logging via :
Control Panel->Security Center->Windows Firewall->
Advanced->Select Security Logging->Settings->Log Dropped Packets

New Version 1.0 updated 11/08/2005, including new functions:
V1.0
- Added an IE object for the Whois function
(To use this function you will have to do a refresh first of the data ?!)
Then select an item by selectin an item in the 1st colomn of the listView
V0.9
- Show Open Ports & Applications Exceptions
- Hyperlink to Info on Internet
- Whois function (only works after a refresh ?!)


 Firewall_Log_Analyzer.au3   12.59KB   1353 downloads

 Firewall_Log_Analyzer_New.au3   13.36KB   1226 downloads Update working with the new syntax as of 3.2.9.10

Edited by ptrex, 15 March 2012 - 02:59 PM.

[MSLx Fanboy]

I was having a problem running it, but I didnt' enable Firewall Logging until just a few minutes ago (which I do know is not a very safe thing ) I'll try your script again later this afternoon, hopefully there should be quite a few "successful connections" (atleast I hope so!)

[ptrex]

@MSLx Fanboy

Thanks for the feedback.

When the logging was not turned on, did you get a message saying that there was no file found ?

I did not check the Error checking routines in the script, on my machine.

[MSLx Fanboy]

Yea, i think it suggested turning on the logging too.

[MSLx Fanboy]

Just ran it. Looks great! nothing is showing up in the Config tab however...

It just error'ed out on line 123

$avArray[1] = $string[2]
$avArray[1] = ^ ERROR

Error: Array variable has incorrect number of subscripts or subscript dimension range exceeded.

[ptrex]

@MSLx Fanboy

Thanks for the feedback

- There' s nothing in the Config yet. Because that's meant for future development.

-What the error is concering, looks strange to me. I have it running for days now and no errors.

How many lines dit you select ?
Did you use the Auto Refresh or the manual button ?

If I don't find it, I will have to wait until more user come up with the same error.

[ptrex]

New version 0.5 update

Added features:
- Check Firewall status
- Show Application exeptions
- Show Open ports
- Gui improvements
- Listview header Sort
- Whois (not yet finished)

More functions to add over time.

See the compiled version attached

Silly question,
How do you guys add a thumbnail picture to the post ?

[FuryCell]

Just looked at the PIC. That GUI looks really cool.
Can't Use app yet becuase my XP computer does not go online and does not have service pack 2. I think i know a lot of people who might find this useful though and I will tell them about it.
Nice Job!

[CyberSlug]

Logfile might be located somewhere other than C:\Windows\pfirewall.log

If file not found in default location (@WindowsDir & "\pfirewall.log"), you might want to prompt for file using FileOpenDialog.


(I wonder if there is a registry key that stores the firewall log file path?)

[ptrex]

@CyberSlug, SolidSnake

Thanks for the feedback.

What the locaton of the logfile is concerned, you must find it on that location because that where XP puts it on default (this is by design).

I checked it on XP home and professional edition.
The default settings in XP, is that the logging is not turned on.

So that needs to be set first, in order to start the logging !!

The last version I uploaded is not 100 % solid.
It does not show the status of the firewall correctly.
I noticed that this does not work if you work offline (not connected to the domain.

I corrected it, but I am out of the air for 2 weeks.

So I will upload a new version with in a week or 2.

For all of you enjoy the holidays !!!!

[busysignal]

New version 0.5 update

Added features:
- Check Firewall status
- Show Application exeptions
- Show Open ports
- Gui improvements
- Listview header Sort
- Whois (not yet finished)

More functions to add over time.

See the compiled version attached

Silly question,
How do you guys add a thumbnail picture to the post ?

<{POST_SNAPBACK}>

Was wanting to check out your new added code.. but it was not there just the {.EXE} only. Please add your updated code into the {.ZIP} or add it in the post..

Cheers..

[ptrex]

New Version 0.9 updated 05/08/2005,
including new functions:

- Show Open Ports improved by using WMI functions
- Applications Exceptions improved by using WMI functions
- Hyperlink to Info on Internet
- Whois function (only works after a refrech ?!)
- GUI improvements - add icons to ListView

New version 0.5 update 30/06/2005
Added features:
- Check Firewall status
- Show Application exeptions
- Show Open ports
- Gui improvements
- Listview header Sort
- Whois (not yet finished)

[hgeras]

I dont use the Windows Firewall so I cant use your program but it looks nice and well taken care of....But I studied your code a little and there are some unneded sections or better ways to do something... If you let me point you....

$avArray[0] = $string[1]
$avArray[1] = $string[2]
$avArray[2] = $string[3]
$avArray[3] = $string[4]
$avArray[4] = $string[5]
$avArray[5] = $string[6]
$avArray[6] = $string[7]
$avArray[7] = $string[8]
$avArray[8] = $string[9]
$avArray[9] = $string[10]
$avArray[10] = $string[11]
$avArray[11] = $string[12]
$avArray[12] = $string[13]

You use this code.... This could be done like this and save you some lines of code...

For $j=0 To 12
      $avArray [$j]=$string[$j+1]
next

Then, You use this inside the ReadLine() func:

For $ii = 1 To $line[0]
Next

The only thing this loop could give you is some ms of delay in your script....

But you should track down where the problem is regarding $refrech...Is it inside the ReadLine() or inside RipeWhoIs()? I cant use your program cos i have another firewall installed....The only way to do this is to put MsgBox's inside the functions and check your variables while the program executes....

I hope i dont get misunderstood about the code suggestions...I just want to be helpful cos sometimes when you have to deal with a bunch of code ,you might overlook some simple things....

[ptrex]

@hgeras

Thanks for the feedback.

1. I will take your suggestions in the code when releasing a new version.

2. Regarding debugging the problem, I already have a Msgbox in the function.
But this does not give me an answer to the problem, yet


So more feedback of user who test on there system is welcome.

[ptrex]

Version 1.0 released. See first post for snapshots, download and howto.

Plain Text        expandcollapse  popup

;--------------------------------------------
;FireWall Log Analyzer
;
;My first AutoIT project and first programming, with a little help of my friends (AutoIT Forum)
;PTRex started 29/06/05
;
;Completed: 
;# Lines Selection
;Auto Refresh
;Check status FW On or Off using WMI techniques
;Show Exception Apps & Open Ports
;Included hyperlink
;Drag&Drop columns + Sort columns header
;Check on Domain or Local Profile registry settings
;Include IE Object browser
;Include Whois function
;
;To Do :
;Correct bugs
;---------------------------------------------

;Includes
#include <GuiConstants.au3>
#include <Array.au3>
#include <GuiListView.au3>
#include <GuiTab.au3>
#NoTrayIcon


;Declare Vars
Dim $Font ="Arial Bold"
Dim $OS = @OSVersion
Dim $SP = @OSServicePack
Dim $aArray
Dim $avArray[14]
Dim $datacol
Dim $combo2Item
Dim $button_ON, $Label_ON, $Status
Dim $IP, $Line
Dim $DataListApps, $DataListPorts, $Browser, $HTTP
Dim $objFirewall, $objPolicy

;Main GUI
;---------
$Gui = GuiCreate("Firewall Log Analyser for XP v1.0", 968, 571,(@DesktopWidth-797)/2, (@DesktopHeight-571)/2 , _ 
$WS_OVERLAPPEDWINDOW + $WS_VISIBLE + $WS_CLIPSIBLINGS)

$Tab=GUICtrlCreateTab (8,30, 958,520)
GUICtrlSetResizing ($Tab,$GUI_DOCKAUTO)


;Tab1
$Tab1=GUICtrlCreateTabitem ("LogData")
$ListView = GUICtrlCreateListView("date|time|action| protocol| src-ip| dst-ip| _
src-port| dst-port| size| tcpflags|tcpsyn| tcpack| tcpwin| icmptype", 10, 60, 952, 474,-1,$LVS_EX_HEADERDRAGDROP);Drag&Drop Columns
GUICtrlSetResizing ($Listview,$GUI_DOCKAUTO)
GUICtrlSetState($ListView,$GUI_FOCUS)
GUICtrlSetImage ($ListView, "xpsp2res.dll",73)                  ;Set Icons for records
_GUICtrlListViewSetColumnWidth ($listview, 0,90)                ;Set Column with

$Tab1combo=GUICtrlCreateCombo ("# Lines", 10,8,60,40)
GUICtrlSetData(-1,"100|150|300|500|1000|2000|3000|4000", "100") ;Set default 100
GUICtrlCreateLabel("Select # of lines",80,12)

$Tab2combo=GUICtrlCreateCombo ("Auto Refresh  ", 200,8,100)
GUICtrlSetData(-1,"1|5|10|20|30")                               ;Set default none

$Refrech = GuiCtrlCreateButton("Refresh", 852, 10, 90, 30)

$Button_ON = GUICtrlCreateButton ("FW Status ", 380,5,40,40, $BS_ICON)
Status()                                                        ;Check status of FW & set Icon and Label

Label()                                                         ;Create Label with variable data

$Whois = GuiCtrlCreateButton("Whois", 650, 10, 90, 30)

;Tab2
$Tab2=GUICtrlCreateTabitem ( "Whois ")
$oIE = ObjCreate("Shell.Explorer.2")                            ;Include Embedded IE Object
$GUIActiveX = GUICtrlCreateObj  ($oIE,  10, 60 , 952 , 486)
GUICtrlSetStyle ( $GUIActiveX,  $WS_VISIBLE )                   ;Show IE Object on tab3
GUICtrlSetResizing ($GUIActiveX,$GUI_DOCKAUTO)
$oIE.navigate("<a href='http://www.ripe.net' class='bbc_url' title='External link' rel='nofollow external'>http://www.ripe.net"</a>)

;Tab3
$Tab3=GUICtrlCreateTabitem ( "Firewall Config ")

$Listbox1 = GUICtrlCreateList("", 10, 70, 930, 225)
GUICtrlSetResizing ($Listview,$GUI_DOCKAUTO)
GUICtrlCreateLabel("Applications allowed : ",15,55)
GUICtrlSetColor(-1,0xff0000)                                    ;Set Red color
GUICtrlSetFont (-1,7.5, 100, 4, $font)                          ;Set Font
Open_apps()

$Listbox2 = GUICtrlCreateList("", 10, 300, 930, 225)
GUICtrlSetResizing ($Listview,$GUI_DOCKAUTO)
GUICtrlCreateLabel("Open Ports : ",15,285)
GUICtrlSetColor(-1,0xff0000)
GUICtrlSetFont (-1,7.5, 100, 4, $font)
Open_ports()

$Link = GuiCtrlCreateLabel("Click here for more info : Port Database", 120, 285, 290, 12)
GUICtrlSetColor ( -1, 0x0000ff)                                 ;Set Blue color
GUICtrlSetFont (-1, 7.5 , 100 , 4 )                             ;Set Font
GUICtrlSetCursor ( -1, 0 )                                      ;Activate Hyperlink function
GetBrowser()

;Error checking : Test OS = XP/SP2 
;----------------------------------
If $OS <> "Win_XP"  Then
    MsgBox (0, "Your OS is not XP : ", $OS, 3)
    ElseIf  $SP <> "Service Pack 2"  Then
    MsgBox (0, "Your OS is not on SP2 : ", $SP, 3)
Else                                
$filename = "C:\WINDOWS\pfirewall.log"                          ;Open the file and read data
EndIf

Getdata()

;GUI handling
;------------
GuiSetState()

Dim $B_DESCENDING[_GUICtrlListViewGetSubItemsCount ($listview)] ;Used by Sort CLick Header

While 1
    $msg = GuiGetMsg()
    Select
    Case $msg = $GUI_EVENT_CLOSE
        ExitLoop
    Case $msg = $Tab1Combo                                      ;Read Combodata
        GUICtrlRead($Tab1Combo)
    Case $msg = $Tab2Combo 
        Do
         AutoRefresh()                                          ;Run AutoRefresh per second
         sleep ($Combo2Item * 1000)
         DeleteList()
         Getdata()
         Until $Combo2Item = 0 Or $msg = $GUI_EVENT_CLOSE
     Case $msg = $Button_ON                                     ;Read Firewall On/Off
         Status()
     Case $msg = $Whois
         ReadLine()
    Case $msg = $Listview                                       ;Sort the list by the column header clicked on
        _GUICtrlListViewSort($listview, $B_DESCENDING, GUICtrlGetState($Listview))
    Case $msg= $Link                                            ;Active Hyperlink
        run($HTTP,"",@SW_MAXIMIZE)      
    Case else
        If $msg = $Refrech Then
        DeleteList()
        Getdata()
        Status()
    EndIf
    EndSelect
WEnd
Exit

;Functions
;----------
Func Label()
    GUICtrlSetResizing ($Button_ON,$GUI_DOCKHEIGHT+$GUI_DOCKWIDTH)
    Opt("GUICoordMode",1)                                       ;Opt. Coordinate mode relative to $Button_ON
    GUICtrlDelete($status)
    $Status= GUICtrlCreateLabel("Your firewall is " & $Label_ON ,440,12,$SS_SUNKEN) 
EndFunc

Func Getdata()
$file = FileOpen($filename,0)
    If $file = -1 Then                                          ;Check if file is opened for reading, OK
    MsgBox(0, "Error", "Unable to open file. Make sure that your Firewall Logging is turned on !!")
        Exit
    EndIf
$combo1Item=Number(GUICtrlRead($Tab1combo))                     ;Get # of lines selected
$aArray = StringSplit(FileRead($file,FileGetSize($filename)),@LF);Read lines of text until the EOF is reached       
 for $i = (UBound($aArray) - 2) to $i+1-$combo1Item Step -1     ;Ubound read lines bottom up, to # of lines
    $string = StringSplit($aArray[$i], " ", 0)                  ;Split lines in 17 dimensions
    For $a=0 To 12                                              ;Assign each 13 dimensions to a new Array
      $avArray[$a]=$string[$a]
    next                                                        ;Create string for displaying in ListView
    $data=$avArray[1]&"|"&$avArray[2]&"|"&$avArray[3]&"|"&$avArray[4]&"|"&$avArray[5]&"|"_  
    &$avArray[6]&"|"&$avArray[7]&"|"&$avArray[8]&"|"&$avArray[9]&$avArray[10]&"|"&$avArray[11]&"|"&$avArray[12]&"|"&$avArray[13]
    $dataCol=GUICtrlCreateListViewItem($data,$listview)
Next
FileClose($file)
EndFunc
    
Func DeleteList()
    _GUICtrlListViewDeleteAllItems ($listview)  
EndFunc

Func AutoRefresh()
    $combo2Item=Number(GUICtrlRead($Tab2combo))                 ;Read # of seconds
EndFunc

Func Status()                                                   ;Check Firewell status using WMI 
        $objFirewall = ObjCreate("HNetCfg.FwMgr")
        $objPolicy = $objFirewall.LocalPolicy.CurrentProfile
        $on_off = $objPolicy.FirewallEnabled    
    If $on_off = -1 Then
        GUICtrlSetImage ($button_ON, "xpsp2res.dll",71)
        $label_ON = "enabled"
    Else 
        GUICtrlSetImage ($button_ON, "xpsp2res.dll",72)
        $label_ON = "disabled"      
    Endif
    Label()
EndFunc

Func GetBrowser()                                               ;Get Default Browser Registry setting
    $Browser = StringSplit(RegRead("HKLM\SOFTWARE\Classes\HTTP\shell\open\command",""),"%")
    $HTTP = $Browser[1] & " " & "www.portsdb.org/bin/portsdb.cgi"
EndFunc

Func ReadLine()                                                 ;Read Selected IP Address from ListView
    If $line = $LV_ERR Then
        MsgBox(0, "Retry Again", "Nothing Selected",5) 
    Elseif  (Not IsArray($line)) Then
            MsgBox(0, "Retry Again", "Nothing Selected, Click an item in the first column",5)
    EndIf
    $line = _GUICtrlListViewGetItemTextArray ($listview)
            For $ii = 1 To $line[0]
            Next
    $IP = $Line[5]  
        MsgBox(0, "Source IP Selected", $IP,5)
        RipeWhois()
EndFunc
    
Func Open_Apps()
    $i = 1
    Do
    $Apps = RegEnumVal("HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List", $i)
    $i = $i + 1
    $DataListApps = $DatalistApps & $Apps & "|"
    Until $Apps =""
    GUICtrlSetData($listbox1,$DataListApps)
EndFunc 

Func Open_Ports()
    $i = 1
    Do
    $Ports = RegEnumVal("HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List", $i)
    $i = $i + 1
    $DataListPorts =  $datalistPorts & $Ports & "|"
    Until $Ports =""
    GUICtrlSetData($Listbox2,$DataListPorts)
EndFunc 

Func RipeWhois() 
$URL = "<a href='http://www.ripe.net/whois?form_type=simple&full_query_string=&searchtext=%22&$IP&%22&do_search=Search' class='bbc_url' title='External link' rel='nofollow external'>http://www.ripe.net/whois?form_type=simple&full_query_string=&searchtext="&$IP&"&do_search=Search"</a>
$oIE.navigate($URL)
GUICtrlSetState($tab2,$GUI_SHOW)                                    ;Jump and Show Tab3
Endfunc

Suggestion are welcome !!

[Falling]

What version of autoit?

[ptrex]

@Falling

You can you the script in the BETA version of AutoIT.

or use the SciTe editor : open the script in this editor and press ALT + F5
For more info see :

http://www.autoitscript.com/forum/index.php?showtopic=13283

[dinodod]

Your app looks awesome. However, I ran into some issues and I don't know why. I have autoit v.3.1 and you are including the following au3 functions but I do not have these functions.

Advise?

#include <GuiListView.au3>
#include <GuiTab.au3>

Thanks!

[ptrex]

@dinodod

These includes are standard included which are available when you install the AutoIT application.

#include <GuiListView.au3>
#include <GuiTab.au3>

Make sure that you run the Firewall log Analyser script using the BETA version of AutoIT.

Or use the SciTe editor : open the script in this editor and press ALT + F5
For more info see :

http://www.autoitscript.com/forum/index.php?showtopic=13283

[gooober]

Thanks for the cool script...though I do not currently have any of the *.au3 files that are #includ'd.

Mark