deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 05:47:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Update event-5155.md

Browse Source
This commit is contained in:
MaratMussabekov 2019-08-26 17:22:11 +05:00 committed by GitHub
parent 3b8b5a4915
commit c68106b37c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 105 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

128
windows/security/threat-protection/auditing/event-5155.md
View File

@ -24,35 +24,47 @@ By default Windows firewall won't prevent a port from being listened by an appli
You can add your own filters using the WFP APIs to block listen to reproduce this event: <https://msdn.microsoft.com/library/aa364046(v=vs.85).aspx>. You can add your own filters using the WFP APIs to block listen to reproduce this event: <https://msdn.microsoft.com/library/aa364046(v=vs.85).aspx>.
There is no event example in this document.
***Subcategory:***&nbsp;[Audit Filtering Platform Connection](audit-filtering-platform-connection.md) ***Subcategory:***&nbsp;[Audit Filtering Platform Connection](audit-filtering-platform-connection.md)
***Event Schema:*** ***Event Description:***
*The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.* This event generates every time [Windows Filtering Platform](https://docs.microsoft.com/windows/win32/fwp/windows-filtering-platform-start-page) blocks an application or service from listening on a port for incoming connections.
*Application Information:* <br clear="all">
> *Process ID:%1* ***Event XML:***
> ```
> *Application Name:%2* <Event
xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5155</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12810</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2019-04-18T03:49:08.507780900Z" />
<EventRecordID>42196</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="2788" />
<Channel>Security</Channel>
<Computer>NATHAN-AGENT2</Computer>
<Security />
</System>
<EventData>
<Data Name="ProcessId">2628</Data>
<Data Name="Application">\device\harddiskvolume2\users\test\desktop\netcat\nc.exe</Data>
<Data Name="SourceAddress">0.0.0.0</Data>
<Data Name="SourcePort">5555</Data>
<Data Name="Protocol">6</Data>
<Data Name="FilterRTID">84576</Data>
<Data Name="LayerName">%%14609</Data>
<Data Name="LayerRTID">40</Data>
</EventData>
</Event>
*Network Information:* ```
> *Source Address:%3*
>
> *Source Port:%4*
>
> *Protocol:%5*
*Filter Information:*
> *Filter Run-Time ID:%6*
>
> *Layer Name:%7*
>
> *Layer Run-Time ID:%8*
***Required Server Roles:*** None. ***Required Server Roles:*** None.
@ -60,6 +72,76 @@ There is no event example in this document.
***Event Versions:*** 0. ***Event Versions:*** 0.
***Field Descriptions:***
**Application Information**:
- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process which was permitted to bind to the local port. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
<img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
<!-- -->
- **Application Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
Logical disk is displayed in format \\device\\harddiskvolume\#. You can get all local volume numbers by using **diskpart** utility. The command to get volume numbers using diskpart is “**list volume”**:
<img src="images/diskpart.png" alt="DiskPart illustration" width="786" height="246" />
**Network Information:**
- **Source Address** \[Type = UnicodeString\]**:** the local IP address of the computer running the application.
- IPv4 Address
- IPv6 Address
- :: - all IP addresses in IPv6 format
- 0.0.0.0 - all IP addresses in IPv4 format
- 127.0.0.1 , ::1 - localhost
- **Source Port** \[Type = UnicodeString\]**:** the port number used by the application.
- **Protocol** \[Type = UInt32\]: the protocol number being used.
| Service | Protocol Number |
|----------------------------------------------------|-----------------|
| Internet Control Message Protocol (ICMP) | 1 |
| Transmission Control Protocol (TCP) | 6 |
| User Datagram Protocol (UDP) | 17 |
| General Routing Encapsulation (PPTP data over GRE) | 47 |
| Authentication Header (AH) IPSec | 51 |
| Encapsulation Security Payload (ESP) IPSec | 50 |
| Exterior Gateway Protocol (EGP) | 8 |
| Gateway-Gateway Protocol (GGP) | 3 |
| Host Monitoring Protocol (HMP) | 20 |
| Internet Group Management Protocol (IGMP) | 88 |
| MIT Remote Virtual Disk (RVD) | 66 |
| OSPF Open Shortest Path First | 89 |
| PARC Universal Packet Protocol (PUP) | 12 |
| Reliable Datagram Protocol (RDP) | 27 |
| Reservation Protocol (RSVP) QoS | 46 |
**Filter Information:**
- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID which blocks the application from binding to the port. By default, Windows firewall won't prevent a port from binding by an application, and if this application doesnt match any filters, you will get value 0 in this field.
To find specific Windows Filtering Platform filter by ID you need to execute the following command: **netsh wfp show filters**. As a result of this command, **filters.xml** file will be generated. You need to open this file and find the specific substring with the required filter ID (**&lt;filterId&gt;**)**,** for example:
<img src="images/filters-xml-file.png" alt="Filters.xml file illustration" width="840" height="176" />
- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name.
- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**&lt;layerId&gt;**)**,** for example:
<img src="images/wfpstate-xml.png" alt="Wfpstate xml illustration" width="1563" height="780" />
## Security Monitoring Recommendations ## Security Monitoring Recommendations
- If you use Windows Filtering Platform APIs to block application or services from listening on a port, then you can use this event for troubleshooting and monitoring. - If you use Windows Filtering Platform APIs to block application or services from listening on a port, then you can use this event for troubleshooting and monitoring.