Tuesday, May 30, 2006

Perl and Network Security Auditing

Network Auditing on a Shoestring tells the story of two auditors who wrote a custom, web-enabled, database-backed front end in Perl to handle the task of auditing share permissions on a 2000-user Windows network.

I have also found Perl tremendously useful for network auditing, although I tend to use it for data-munging. One of the modules I wrote is NetAddr::IP::Obfuscate, which I use to generate obfuscated Nessus reports, but which will work on any text file with IP addresses in it. I've also posted a Perl script I use to do bulk reverse-DNS lookups.

One quick story - I had a client who suspected one of his network admins was reading other employees' email, using Outlook to open and view MS Exchange mailboxes. They wanted to know who had been accessing certain mailboxes and when. I had them send me daily event logs, exported as text, then used Perl to parse the logs, looking for the mailbox events and specific user accounts, finally generating a CSV report (of course, Exchange can't distinguish between accesses of a mailbox, calendar, journal, etc., but the data was still useful).
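
The log-filtering step from the story above, sketched as an added example (not the author's script). It assumes a comma-separated event-log export with the description as the ninth field and Exchange's event 1016 wording for a non-owner mailbox logon; the accounts, mailboxes, host name and log lines are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Accounts and mailboxes under review (constructed values).
my %watched_user    = map { lc($_) => 1 } ('CORP\\admin1');
my %watched_mailbox = map { lc($_) => 1 } ('ceo@example.com', 'hr@example.com');

# Assumed wording of the non-owner mailbox logon description.
my $logon_re = qr/User\s+(.+?)\s+logged on to\s+(\S+)\s+mailbox/i;

# Quote a CSV field, doubling any embedded double quotes.
sub csv_field { my ($v) = @_; $v =~ s/"/""/g; return qq("$v") }

# Return [date, time, account, mailbox] for a watched logon, else nothing.
sub match_line {
    my ($line) = @_;
    $line =~ s/\r?\n\z//;
    # Limit of 9 keeps commas inside the description (last field) intact.
    my ($date, $time, $src, $type, $cat, $event, $user, $host, $desc)
        = split /,/, $line, 9;
    return unless defined $desc && $event =~ /^\d+$/ && $event == 1016;
    return unless $desc =~ $logon_re;
    my ($who, $mailbox) = ($1, $2);
    return unless $watched_user{lc $who} && $watched_mailbox{lc $mailbox};
    return [$date, $time, $who, $mailbox];
}

# Read the log files named on the command line, or the sample data below.
my @lines = @ARGV ? <> : <DATA>;
print join(',', map { csv_field($_) } qw(date time account mailbox)), "\n";
for my $line (@lines) {
    my $hit = match_line($line) or next;
    print join(',', map { csv_field($_) } @$hit), "\n";
}

__DATA__
5/22/2006,9:14:03 AM,MSExchangeIS Mailbox Store,Information,Logons,1016,N/A,MAIL01,Windows 2000 User CORP\admin1 logged on to ceo@example.com mailbox, and is not the primary Windows 2000 account on this mailbox.
5/22/2006,9:20:41 AM,MSExchangeIS Mailbox Store,Information,Logons,1016,N/A,MAIL01,Windows 2000 User CORP\backupsvc logged on to hr@example.com mailbox, and is not the primary Windows 2000 account on this mailbox.
5/22/2006,10:02:17 AM,MSExchangeIS Mailbox Store,Information,General,1221,N/A,MAIL01,The database has 12 megabytes of free space after online defragmentation.
5/23/2006,6:47:55 PM,MSExchangeIS Mailbox Store,Information,Logons,1016,N/A,MAIL01,Windows 2000 User corp\Admin1 logged on to hr@example.com mailbox, and is not the primary Windows 2000 account on this mailbox.
```

Account and mailbox names are compared case-insensitively, so the first and last sample lines are reported while the service-account logon and the unrelated event are dropped.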
