What we just saw is the source code as I used it to perform an experiment to verify whether LogAgent could deliver on its promises. I decided to monitor the log files of 4 different, unrelated applications and forward anything written to these files to a central log directory located on the UNC share \\DARKSIDE\Log$ (Note: because I don't have the technical means at the moment, I don't have much of a networked environment to work on. This means that DARKSIDE is also localhost. I assume that this would also have worked if DARKSIDE were remote. Please notify me if I am mistaken).
The applications monitored were Grisoft AVG AntiVirus, ZoneLabs ZoneAlarm, Headlight Software GetRight, and COTSE Winetd. I don't see how monitoring GetRight log files could be useful in a security context, but I needed a good test bed, and GetRight produces more log output than the other applications, so this is why we see it here. The Log$ share was empty prior to the beginning of the test. I copied a shortcut pointing to LogAgent.pl into the startup folder and rebooted in order to get a fresh user session. Then I proceeded to generate activity that would be logged by the applications mentioned. After I disconnected from the Internet, I proceeded to collect the results. Here's what was in the central Log$ directory:
D:\Log>dir
Volume in drive D is D
Volume Serial Number is 0840-C01D
Directory of D:\Log
09/25/00 08:31p .
09/25/00 08:31p ..
09/25/00 08:31p 373 bind.log
09/25/00 07:44p 2,483 getright.log
09/25/00 07:38p 8,768 IAMDB.RDB
09/25/00 08:31p 41 restart.log
09/25/00 08:31p 36 shutdown.log
09/25/00 08:31p 104 startup.log
09/25/00 07:38p 366 ZALog.txt
9 File(s) 12,171 bytes
902,415,872 bytes free
bind.log, restart.log, shutdown.log and startup.log all belong to Winetd, getright.log of course belongs to GetRight, and ZALog.txt belongs to ZoneAlarm. IAMDB.RDB also belongs to ZoneAlarm, but I don't know exactly what its purpose is. Since it is not relevant to our analysis (it contains no useful data), I simply disregarded it. Here's the content of the other files:
bind.log
bind() listening to port 3 - 18:53:18 - 09/25/2000
bind() listening to port 13 - 18:53:18 - 09/25/2000
bind() listening to port 23 - 18:53:18 - 09/25/2000
bind() listening to port 25 - 18:53:18 - 09/25/2000
bind() listening to port 137 - 18:53:18 - 09/25/2000
bind() listening to port 139 - 18:53:18 - 09/25/2000
bind() listening to port 139 - 18:53:18 - 09/25/2000
getright.log
2000/09/25-19:04:36: File: D:\downloads\Hack\telnet server\fd-update.zip.GetRight = http://rapidus.tucows.com/files/fd-update.zip
2000/09/25-19:04:39: (Re)Started download: http://rapidus.tucows.com/files/fd-update.zip
2000/09/25-19:04:40: Could not resume (restarting from 0): http://rapidus.tucows.com/files/fd-update.zip
2000/09/25-19:04:58: (Re)Started download: http://rapidus.tucows.com/files/fd-update.zip
2000/09/25-19:04:58: Could not resume (restarting from 0): http://rapidus.tucows.com/files/fd-update.zip
2000/09/25-19:05:16: File: D:\downloads\Hack\telnet server\fd-update.zip.GetRight = http://rapidus.tucows.com/files/fd-update.zip
2000/09/25-19:05:16: (Re)Started download: http://rapidus.tucows.com/files/fd-update.zip
2000/09/25-19:05:17: Could not resume (restarting from 0): http://rapidus.tucows.com/files/fd-update.zip
2000/09/25-19:09:20: File: D:\downloads\Hack\proxy\CProxy.zip.GetRight = http://rapidus.tucows.com/files2/CProxy.zip
2000/09/25-19:09:21: (Re)Started download: http://rapidus.tucows.com/files2/CProxy.zip
2000/09/25-19:09:22: Resumed: http://rapidus.tucows.com/files2/CProxy.zip at: 0
2000/09/25-19:10:28: File: D:\downloads\Hack\proxy\as-setup.exe.GetRight = http://rapidus.tucows.com/files2/as-setup.exe
2000/09/25-19:10:28: (Re)Started download: http://rapidus.tucows.com/files2/as-setup.exe
2000/09/25-19:10:33: Resumed: http://rapidus.tucows.com/files2/as-setup.exe at: 0
2000/09/25-19:13:23: File: D:\downloads\Hack\telnet server\fd-update.zip.GetRight = http://cny.tucows.com/files/fd-update.zip
2000/09/25-19:13:27: (Re)Started download: http://cny.tucows.com/files/fd-update.zip
2000/09/25-19:13:27: Could not resume (restarting from 0): http://cny.tucows.com/files/fd-update.zip
2000/09/25-19:13:33: (Re)Started download: http://rapidus.tucows.com/files2/CProxy.zip
2000/09/25-19:13:35: Resumed: http://rapidus.tucows.com/files2/CProxy.zip at: 519767
2000/09/25-19:13:35: (Re)Started download: http://rapidus.tucows.com/files2/as-setup.exe
2000/09/25-19:13:40: Resumed: http://rapidus.tucows.com/files2/as-setup.exe at: 49638
2000/09/25-19:30:36: Finished downloading: http://rapidus.tucows.com/files2/CProxy.zip
2000/09/25-19:31:50: (Re)Started download: http://rapidus.tucows.com/files2/as-setup.exe
2000/09/25-19:31:51: Resumed: http://rapidus.tucows.com/files2/as-setup.exe at: 49638
2000/09/25-19:44:25: Finished downloading: http://rapidus.tucows.com/files2/as-setup.exe
restart.log
server restart- - 10:34:15 - 09/25/2000
shutdown.log
shutdown - - 10:29:40 - 09/25/2000
startup.log
Starting Server: darkside - 18:53:17 - 09/25/2000
Starting Server: darkside - 18:53:17 - 09/25/2000
ZALog.txt
PE,2000/09/25,18:53:00 -5:00 GMT,ZoneAlarm Internet Security Utility,203.110.251.2:53,N/A
FWIN,2000/09/25,18:57:00 -5:00 GMT,65.229.239.88:1901,65.227.240.78:139,TCP
FWIN,2000/09/25,19:19:22 -5:00 GMT,65.228.69.89:2936,65.227.240.78:139,TCP
PE,2000/09/25,19:37:49 -5:00 GMT,Xnews,203.110.251.2:53,N/A
PE,2000/09/25,19:38:06 -5:00 GMT,Xnews,203.110.251.2:53,N/A
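Once the files sit in a central directory like Log$, the next step is to parse them. As an added example (not part of the original article or of LogAgent itself), the following Python parses the ZALog.txt layout shown above (event type, date, time with UTC offset, source, destination, protocol), converts each timestamp to UTC so it can be compared with logs from other hosts, and picks out the inbound firewall (FWIN) entries aimed at TCP port 139, the two NetBIOS probes visible in the listing. The field meanings are inferred from the records above; the sample is constructed from them.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the ZALog.txt layout shown above:
# type,date,time with UTC offset,source,destination,protocol
SAMPLE_ZALOG = """\
PE,2000/09/25,18:53:00 -5:00 GMT,ZoneAlarm Internet Security Utility,203.110.251.2:53,N/A
FWIN,2000/09/25,18:57:00 -5:00 GMT,65.229.239.88:1901,65.227.240.78:139,TCP
FWIN,2000/09/25,19:19:22 -5:00 GMT,65.228.69.89:2936,65.227.240.78:139,TCP
PE,2000/09/25,19:37:49 -5:00 GMT,Xnews,203.110.251.2:53,N/A
"""

# "18:57:00 -5:00 GMT" -> clock, sign, offset hours, offset minutes
_TIME_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{1,2}):(\d{2}) GMT$")


def parse_zalog_line(line):
    """Turn one ZALog.txt record into a dict with a timezone-aware UTC timestamp."""
    fields = line.rstrip("\n").split(",")
    if len(fields) != 6:
        raise ValueError("unexpected ZALog field count: %r" % line)
    kind, date, clock, src, dst, proto = fields
    m = _TIME_RE.match(clock)
    if not m:
        raise ValueError("unexpected time field: %r" % clock)
    hh, mm, ss, sign, oh, om = m.groups()
    offset = timedelta(hours=int(oh), minutes=int(om))
    tz = timezone(offset if sign == "+" else -offset)
    local = datetime.strptime(date, "%Y/%m/%d").replace(
        hour=int(hh), minute=int(mm), second=int(ss), tzinfo=tz)
    # For PE (program) events the "source" field holds the program name.
    return {"kind": kind, "ts": local.astimezone(timezone.utc),
            "src": src, "dst": dst, "proto": proto}


def parse_zalog(text):
    """Parse a whole ZALog.txt file, skipping blank lines."""
    return [parse_zalog_line(l) for l in text.splitlines() if l.strip()]


def inbound_events_to_port(events, port):
    """FWIN (inbound firewall) records whose destination port matches."""
    suffix = ":%d" % port
    return [e for e in events if e["kind"] == "FWIN" and e["dst"].endswith(suffix)]


if __name__ == "__main__":
    for e in inbound_events_to_port(parse_zalog(SAMPLE_ZALOG), 139):
        print(e["ts"].isoformat(), e["src"], "->", e["dst"], e["proto"])
```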