I am trying to trim extra characters over 48 with the following addition, but it doesn't work. What could be wrong?
rsyslog.conf (without change)
$ActionQueueType LinkedList
$ActionQueueFileName srvrfwd
$ActionResumeRetryCount -1
$ActionQueueSaveOnShutdown on
$ModLoad imudp #loads the udp module
$UDPServerAddress XX.XX.YY.ZZ
$UDPServerRun 514
*.* #127.0.0.1:6514;RSYSLOG_SyslogProtocol23Format
rsyslog.conf (with addition)
$ActionQueueType LinkedList
$ActionQueueFileName srvrfwd
$ActionResumeRetryCount -1
$ActionQueueSaveOnShutdown on
$ModLoad imudp #loads the udp module
$UDPServerAddress XX.XX.YY.ZZ
$UDPServerRun 514
set $.APPNAME47 = substring($app-name, 0, 47);
template(name="trimmer" type="string"
string="<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %$.APPNAME47% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n")
*.* #127.0.0.1:6514;trimmer
this worked fine.
template(name="trimmer" type="string" string="<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME:1:46% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n")
*.* #127.0.0.1:6514;trimmer
Related
i am trying to run phpseclib with Wordpress but its not logging in. the same code runs on PHP Designer 8 which has PHP v 5.* but on word press with PHP 7.3* and PHP 7.4 its not running. I got 2 error in Eventviewer
sshd: Bad packet length 980908999. [preauth]
sshd: ssh_dispatch_run_fatal: Connection from 127.0.0.1 port 15412: message authentication code incorrect [preauth]
SFTP server is Openssh
it gives 2 warnings on the webpage as follows. Can someone guide please. thanks.
Warning: unpack(): Type C: not enough input, need 1, have 0 in C:\Program Files (x86)\xampp\htdocs\testing\wp-content\plugins\sftp\phpseclib\Net\SSH2.php on line 1345
Warning: extract() expects parameter 1 to be array, bool given in C:\Program Files (x86)\xampp\htdocs\testing\wp-content\plugins\sftp\phpseclib\Net\SSH2.php on line 1345
$sftp = new Net_SFTP('127.0.0.1',22); $sftp->getLog(); if
(!$sftp->login('myuser', 'pass')) { //if you can't log on...
$sftp->getLog(); echo $sftp->getErrors();
print_r($sftp->getSFTPErrors()); echo $sftp->getSFTPLog();
exit('sftp Login Failed'); } echo $sftp->pwd();
I am working with my Security Onion and at the moment all the longer PCRE is not working, because the rules and the regex is not applied to the TCP stream but only to single packets.
My Snort.conf should have everything enabled:
# Target-based IP defragmentation. For more inforation, see README.frag3
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy windows detect_anomalies overlap_limit 10 min_fragment_length 100 timeout 180
# Target-Based stateful inspection/stream reassembly. For more inforation, see README.stream5
preprocessor stream5_global: track_tcp yes, \
track_udp yes, \
track_icmp no, \
max_tcp 262144, \
max_udp 131072, \
max_active_responses 2, \
min_response_seconds 5
preprocessor stream5_tcp: log_asymmetric_traffic no, policy windows, \
detect_anomalies, require_3whs 180, \
overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
ports client 21 22 23 25 42 53 79 109 110 111 113 119 135 136 137 139 143 \
161 445 513 514 587 593 691 1433 1521 1741 2100 3306 6070 6665 6666 6667 6668 6669 \
7000 8181 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \
ports both 80 81 311 383 443 465 563 591 593 636 901 989 992 993 994 995 1220 1414 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7907 7000 7001 7144 7145 7510 7802 7777 7779 \
7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 7910 7911 7912 7913 7914 7915 7916 \
7917 7918 7919 7920 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080 50002 55555
preprocessor stream5_udp: timeout 180
Now I got a node.js server up with a simple XML file (I made it a little bit shorter):
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response Destination="http://localhost:8080/sp/saml/index.html"
ID="_28940080d39ea1191d9910414147f372"
InResponseTo="_15b217492a05e534df8539c7a84014cd"
IssueInstant="2018-07-24T16:04:13.830Z" Version="2.0"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">eLearning SAML SSO IdP</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</saml2p:Status>
<saml2:Assertion ID="_evil_assertion_ID"
IssueInstant="2018-07-24T16:04:13.831Z" Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer>eLearning SAML SSO IdP</saml2:Issuer>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">xmluser</saml2:NameID>
[..........................]
</saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>
</saml2p:Response>
A rule matching only the content:"saml2p:response" or a small regex like pcre:"/saml2p:Response/smi" is working without problem, but a rule with a longer regex is not matching the pattern.
I made my rule as generic as possible:
alert tcp any any -> any any (msg:"ET WEB_SERVER SAML XSW3 Attack, Possible Signature Wrapping Attack v15"; pcre:"/saml2p:Response.*?/saml2p:Response/smi"; reference:url,https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final91.pdf; classtype:web-application-attack; sid:200000120; rev:1;)
edit: I have also tried this rule with all versions of flow:from_server,established; (to_server, from_client, to_client). None of them is working for me. But when I cut down the xml to a size which fits in one packet, all rules are firing!
The Regex pcre:"/saml2p:Response.*?/saml2p:Response/smi" should match everything from the first response tag to the closing response tag, but whenever it is splitted into different TCP Packets the regex is not matching.
Do i miss anything?
Thanks for your help!
I want to log incoming syslog from my router to a file. I recieve the syslog with
nc -l -u -p 514 > syslog.log
The incoming lines are made of several fields that are separated by a whitespace.
Here are two complete sample lines from syslog:
<4>Nov 29 16:15:29 kernel: [ 3571.330000] DROP IN=vlan2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=1.235.114.117 DST=1.52.79.209 LEN=337 TOS=0x00 PREC=0x00 TTL=115 ID=30831 PROTO=UDP SPT=161 DPT=220 LEN=317
<4>Nov 29 16:15:30 kernel: [ 3572.200000] DROP IN=vlan2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=7.27.203.227 DST=122.2.79.209 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=44018 DF PROTO=TCP SPT=5108 DPT=220 SEQ=3468909622 ACK=0 WIND
I want only the Time,SRC,PROTO,SPT,DPT fields in my logifile so I thought I could use something like this as a test for DST and SRC only:
nc -l -u -p 514 | egrep -o 'SRC=[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}|DST=[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}' > syslog.log
Unfortatly this prints every field in a new line like this:
SRC=1.235.114.117
DST=1.52.79.209
SRC=7.27.203.227
DST=122.2.79.209
I then want a output looking simmilar to this corresponding to the first line:
Time,SRC,PROTO,SPT,DPT
Nov 29 16:15:29,7.27.203.227,TCP,5108,220
There is another problem. Sometimes I receive lines that does not contain a "DS" field like in the second line of the samples. So counting fields with awk separators seems not to work since they are not consistent.
Anyone an idea how I can do this?
As #twalberg suggested I now use syslog-ng.
this is my syslog-ng.conf:
#version: 3.7
#include "scl.conf"
options {
threaded(yes);
chain_hostnames(no);
stats_freq(43200);
mark_freq(3600);
};
source s_udp { udp(port(514)); };
parser p_kv {kv-parser(prefix(".kv.")); };
destination d_router_file { file("/var/log/firewall_drops.csv" template("${DATE},${.kv.SRC}${.kv.PROTO},${.kv.SPT},${.kv.DPT}\n")); };
log { source(s_udp);parser(p_kv);destination(d_router_file); };
What would the easiest way to parse the Data section from this STAF command be?
Cannot find a STAF parameter which I can pass to the command to automatically do this,
so looks like parsing/regular expression might be best option?
Note: I do not want to use any external libraries.
[root#source ~]# STAF target PROCESS START SHELL COMMAND "ls" WAIT RETURNSTDOUT
Response
--------
{
Return Code: 0
Key : <None>
Files : [
{
Return Code: 0
Data : myFile.txt
myFile2.txt
myFile3.txt
}
]
}
Instead I would like the output/result to be formated like ..
[root#source ~]# STAF target PROCESS START SHELL COMMAND "ls" WAIT RETURNSTDOUT
myFile.txt
myFile2.txt
myFile3.txt
Best way to this is Create a XML file and use python script to access the data part of STAFResult since STAF Return data in Marshalled form as "CONTENT" and python can be use to grab that.
I will try to explain it with simple example, Its an HTTP request to server.
<stafcmd>
<location>'%s'%machineName</location>
<service>'http'</service>
<request>'DOGET URL %s?phno=%s&shortCode=%s&query=%s' % (url, phno, shortCode, escapeQuery)</request>
</stafcmd>
<if expr="RC == 0">
<sequence>
<call function="'func_Script'"></call>
<if expr="rc == 0"> <!-- Pass At First Query -->
<sequence>
<message>'PASS#Fisrt HTTPRequest: Keyword = %s,\nRequired Response = %s,\ncontent=%s' %(query, response, content)</message>
<tcstatus result="'pass'">'Pass:' </tcstatus>
</sequence>
<else> <!-- Check For MORE -->
<call function="'Validate_QueryMore'"> </call>
</else>
</if>
</sequence>
<else>
<message>'ERROR: HTTPRequest QUERY : RC = %s Result= %s' %(rc,STAFResult)</message>
</else>
</if>
<function name="func_Script">
<script>
import re
content = STAFResult['content'].lower()
response = response.lower()
test = content.find(response)
if test != -1:
rc = 0
else:
rc = 1
</script>
</function>
Hope It will give you some Help.
You can pipe the output of your command through an sed script that will filter out only the filenames for you. Here's a first cut:
sed -ne '/^[a-z]/p;/Data/s/[^:]*: \(.*\)/\1/p'
The idea is: If a line starts with a lower-case letter, that's a file name (expression up to the first semicolon). If the string "Data" is on the line, take everything that comes after the first colon in that line (expression after the semicolon). Everything else is ignored.
You might want to be more specific than just expecting a lower-case letter at the beginning (this would filter out the "Response" line at the beginning, but if your filename might start with an upper-case letter, that won't work). Also, just looking for the string "Data" might be a bit too general -- that string might occur in the filename as well. But hopefully you get the idea. To use this, run your command like this:
STAF ... | sed -ne ...
we have running tomcat server and in server.xml file we have password=secret I want to search and replace my password with xxxxxxx string. how do i craft regex for it? following is line where password i located in server.xml file
<Resource auth="Container" description="Database connection for Production" driverClassName="oracle.jdbc.OracleDriver" factory="org.apache.commons.dbcp.BasicDataSourceFactory" maxActive="25" maxIdle="5" maxWait="5000" name="jdbc/osdb" password="secret" type="javax.sql.DataSource" url="jdbc:oracle:thin:#DB0001" username="admin"/>
Would something like:
sed -i 's/password="[a-zA-Z0-9]\+"/password="foo"/g' server.xml
do the job for you or are you expecting there to be other lines like password="xyz" ?