SecondEdit: We have command line auditing enabled and the logs going to elasticsearch. Basically, I'll be doing this subst in logstash, or trying to. It's actually been almost nil but I'm trying to cover all the bases.
We are monitoring cmd line activity on hosts and while it's policy that you aren't supposed to enter your password in clear text on the cmd line, people will.
So I'm looking for a way to detect when someone enters their password and then subst out the password for hashes. The 1.1.1.8 is an example, it could be any ip address.
From this I want to detect if there is a password there
net use I: \1.1.1.8\E$ /user:domain\username password /persistent:yes
Look behind, almost seems to have it but I can't get it to stop after the space after username...
(?<=/user:)(.*)(?<=\s)
net use I: \1.1.1.8\E$ /user:domain\username password /persistent:yes
when I need it to get -
net use I: \1.1.1.8\E$ /user:domain\username password /persistent:yes
https://regexr.com/3i6va
... it would be something like this to gsub the password out and replace with ###
filter {
if [event_id] == 4688 {
mutate {
gsub => ["[event_data][CommandLine]", "(?<=\/user:)(.*)(?<=\s)",
"########" ]
}
}
}
Related
I am trying to create a Form with apps script and for some reason it will not allow the simplest phone number validation in a TextItem input field. I only need the user to enter their 10 digit number with no spaces, dashes, dots, with area code included. I know this isn't the technical "best" way to validate phone numbers but for our purposes it works. This is section of code I have to generate the field. (edited to make a more reproducible example)
function CreateForm() {
var form = FormApp.create('Test');
var tenantNum = form.addTextItem()
.setTitle("Tenant Phone #");
var phoneValid = FormApp.createTextValidation()
.setHelpText("Please enter valid phone number, 10-digits, no symbols or spaces.")
.requireTextMatchesPattern(/\d{10}/g)
.build();
tenantNum.setValidation(phoneValid);
console.log(form.getPublishedUrl())
}
I have also tried other things like:
(No capture group or global tag, both individually)
.requireTextMatchesPattern(/\d{10}/)
Entering the regex as a string literal.
.requireTextMatchesPattern("\d{10}")
Even dumdum stuff like.
.requireTextMatchesPattern(/[0-9]{10}/)
or
.requireTextMatchesPattern(/\d\d\d\d\d\d\d\d\d\d/)
Just to see if it works. I have also tried .requireTextContainsPattern() as well.
Whenever you enter in the form however i get this response:
Please enter valid phone number, 10-digits, no symbols or spaces.
My only thought is that there might be some confusion with whether or not the user is entering a string vs. number and this method only works on strings. But this validation
and regex work fine when you enter it into the form creation manually so I'm completely lost. Any help is appreciated!
Just a guess... Try this:
.requireTextMatchesPattern("\\d{10}")
Update
It works fine for me:
function CreateForm() {
var form = FormApp.create('Test');
var tenantNum = form.addTextItem()
.setTitle("Tenant Phone #");
var phoneValid = FormApp.createTextValidation()
.setHelpText("Please enter valid phone number, 10-digits, no symbols or spaces.")
.requireTextMatchesPattern("\\d{10}")
.build();
tenantNum.setValidation(phoneValid);
console.log(form.getPublishedUrl())
}
And the "not existed" method setHelpText() works fine as well, as you can tell from the screenshots.
I run a command in CMD through my C++ app which saves the output from that command. In that output, there is a port number and a remote API token, that changes upon each restart of the application im targeting.
This is the output I'm getting through my CMD command, which I store in a string:
"C:/Riot Games/League of Legends/LeagueClientUx.exe" "--riotclient-auth-token=5NFOIOqKB9EfSVsxBMrFUw" "--riotclient-app-port=63498" "--no-rads" "--disable-self-update" "--region=EUW" "--locale=en_GB" "--remoting-auth-token=***vx5yZOk_TkAt9YKq-PEucw***" "--respawn-command=LeagueClient.exe" "--respawn-display-name=League of Legends" "--app-port=63530" "--install-directory=C:\Riot Games\League of Legends" "--app-name=LeagueClient" "--ux-name=LeagueClientUx" "--ux-helper-name=LeagueClientUxHelper" "--log-dir=LeagueClient Logs" "--crash-reporting=crashpad" "--crash-environment=EUW1" "--crash-pipe=\\.\pipe\crashpad_19692_AJMBMQYOZVYYJMRF" "--app-log-file-path=C:/Riot Games/League of Legends/Logs/LeagueClient Logs/2020-07-09T12-55-09_19692_LeagueClient.log" "--app-pid=19692" "--output-base-dir=C:\Riot Games\League of Legends" "--no-proxy-server"
I've tried some stuff with the regex library, and managed to split my results up into words, but I still can't figure out how I save a specific line, that is the port number and the result of remoting-auth-token="characters I want to save".
My code to find out how many words are in the output string:
std::string output = exec("wmic PROCESS WHERE name='LeagueClientUx.exe' GET commandline");
std::regex wregex("(\\w+)");
auto words_begin = std::sregex_iterator(output.begin(), output.end(), wregex);
auto words_end = std::sregex_iterator();
std::cout << "Found: " << std::distance(words_begin, words_end) << std::endl;
PrintMatch(words_begin, words_end);
Output:
´´
Found: 110 CommandLine, C, Riot, Games, League, of, Legends, LeagueClientUx, exe, riotclient, auth, token, 5NFOIOqKB9EfSVsxBMrFUw, riotclient, app, port, 63498, no, rads, disable, self, update, region, EUW, locale, en_GB, remoting, auth, token, vx5yZOk_TkAt9YKq, PEucw, respawn, command, LeagueClient, exe, respawn, display, name, League, of, Legends, app, port, 63530, ´´ And a bit more but character restriction limits me, however the output which I need to store is there. I've set commas to mark new lines in the output.
‘’
It depends on what you mean by "save". Save to file or just assign to a variable? My guess is that you are confused about how iterators work and are wondering how you can fetch the remote-auth-token and the port number to from the words_begin variable. If the number of "words" in the cmd output is always the same you can use:
std::advance(words_begin,16);
std::string port = words_begin->str();
std::advance(words_begin,13);
std::string authToken = words_begin->str();
now, normally you would write the regex so as to only match the part you are interested in. Currently, since you are matching every "word", you are dependent on what position the remote auth token and port number are in the cmd output which might cause your application to break if that output ever changes order or add another word in front.
https://github.com/dialogflow/fulfillment-regex-nodejs
shows an easy way to perform a regex validation, however I haven't succeeded in creating one for email addresses.
from the original regex i changed the pattern to [^\s]*#[a-z0-9.-]
changed the dialogflow parameter to email with $email and kept the rest the same.
function validateEmployeeID (agent) {
// get the employee ID parameter from the request header received from Dialogflow
let email = agent.parameters.email;
let pattern = /[^\s]*#[a-z0-9.-]/;
if (email.match(pattern) !== null)
{ agent.add(`Email is wrong, please provide a valid email address.`); }
else { agent.add(agent.request_.body.queryResult.fulfillmentText); }
}
If you just want to create a regex for email validation then there are lots of links available.
You may try the below one from here.
/[A-Z0-9._%+-]+#[A-Z0-9-]+.+.[A-Z]{2,4}/igm
and test it online here
after some research, I have had success with this regex
^[a-zA-Z0-9.!#$%&'*+\/=?^_`{|}~-]+#[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$
more info here for others interested; https://blog.dialogflow.com/post/validate-entities-using-regular-expressions-in-fulfillment/
I need to send a custom email message to every User of a list ( List < User > ) I have. (I'm using C# .NET)
What I would need to do is to replace all the expressions (that start with "[?&=" have "variableName" in the middle and then ends with "]") with the actual User property value.
So for example if I have a text like this:
"Hello, [?&=Name]. A gift will be sent to [?&=Address], [?&=Zipcode], [?&=Country].
If [?&=Email] is not your email address, please contact us."
I would like to get this for the user:
"Hello, Mary. A gift will be sent to Boulevard Spain 918, 11300, Uruguay.
If marytech#gmail.com is not your email address, please contact us."
Is there a practical and clean way to do this with Regex?
This is a good place to apply regex.
The regular expression you want looks like this /\[\?&=(\w*)\]/ example
You will need to do a replace on the input string using a method that allows you to use a custom function for replacement values. Then inside that function use the first capture value as the Key so to say and pull the correct corresponding value.
Since you did not specify what language you are using I will be nice and give you an example in C# and JS that I made for my own projects just recently.
Pseudo-Code
Loop through matches
Key is in first capture group
Check if replacements dict/obj/db/... has value for the Key
if Yes, return Value
else return ""
C#
email = Regex.Replace(email, #"\[\?&=(\w*)\]",
match => //match contains a Key & Replacements dict has value for that key
match?.Groups[1].Value != null
&& replacements.ContainsKey(match.Groups[1].Value)
? replacements[match.Groups[1].Value]
: "");
JS
var content = text.replace(/\[\?&=(\w*)\]/g,
function (match, p1) {
return replacements[p1] || "";
});
I need to extract a username from the log below via regex for a log collector.
Due to the nature of the logs we're getting its not possible to define exactly how many forward slashes are going to be available and I need to select a specific piece of data, as there are multiple occurances of similar formatted data.
Required data:
name="performedby" label="Performed By" value="blah.com/blah/blah blah/blah/**USERNAME**"|
<46>Jun 23 10:38:49 10.51.200.76 25113 LOGbinder EX|3.1|success|2016-06-23T10:38:49.0000000-05:00|Add-MailboxPermission Exchange cmdlet issued|name="occurred" label="Occurred" value="6/23/2016 10:38:49 AM"|name="cmdlet" label="Cmdlet" value="Add-MailboxPermission"|name="performedby" label="Performed By" value="blah.com/blah/blah blah/blah/USERNAME"|name="succeeded" label="Succeeded" value="Yes"|name="error" label="Error" value="None"|name="originatingserver label="Originating Server" value="black"|name="objectmodified" label="Object Modified" value="blah/blah/USERNAME"|name="parameters" label="Parameters" value="Name: Identity, Value: [blah]Name: User, Value: [blah/blah]Name AccessRights, Value: [FullAccess]Name: InheritanceType, Value: [All]"|name="properties" label="Modified Properties" value="n/a"|name="additionalinfo" label="Additional Information"
I've tried a few different regex commands but I'm not able to extract the necessary information without exactly stating how many / there will be.
blah\.com[.*\/](.*?)"\|name
Try this :
blah\.com.*\/(.*?)"\|
Check here
If your username format is this :
value="abc.xyz/something/something/..../USERNAME"
then use this :
\..*\/(.*?)"
check here
Possible solution:
value="[a-z\.\/]*\/(.*)"
(The first capture group is the username)
Working example:
https://regex101.com/r/qZ0zC8/2
Mayby like this?
blah.(\w+\/)+\K([\w]+)
It's catch Username but since it's between ** so I also match them
tested in notepad++