I run a command in CMD through my C++ app, which saves the output from that command. In that output there is a port number and a remote API token that change upon each restart of the application I'm targeting.
This is the output I'm getting through my CMD command, which I store in a string:
"C:/Riot Games/League of Legends/LeagueClientUx.exe" "--riotclient-auth-token=5NFOIOqKB9EfSVsxBMrFUw" "--riotclient-app-port=63498" "--no-rads" "--disable-self-update" "--region=EUW" "--locale=en_GB" "--remoting-auth-token=vx5yZOk_TkAt9YKq-PEucw" "--respawn-command=LeagueClient.exe" "--respawn-display-name=League of Legends" "--app-port=63530" "--install-directory=C:\Riot Games\League of Legends" "--app-name=LeagueClient" "--ux-name=LeagueClientUx" "--ux-helper-name=LeagueClientUxHelper" "--log-dir=LeagueClient Logs" "--crash-reporting=crashpad" "--crash-environment=EUW1" "--crash-pipe=\\.\pipe\crashpad_19692_AJMBMQYOZVYYJMRF" "--app-log-file-path=C:/Riot Games/League of Legends/Logs/LeagueClient Logs/2020-07-09T12-55-09_19692_LeagueClient.log" "--app-pid=19692" "--output-base-dir=C:\Riot Games\League of Legends" "--no-proxy-server"
I've tried some stuff with the regex library and managed to split my results up into words, but I still can't figure out how to save a specific line, that is the port number and the value of remoting-auth-token="characters I want to save".
My code to find out how many words are in the output string:
// exec() and PrintMatch() are helpers defined elsewhere in the app (not shown here).
#include <iostream>
#include <iterator>
#include <regex>
#include <string>

std::string output = exec("wmic PROCESS WHERE name='LeagueClientUx.exe' GET commandline");
std::regex wregex("(\\w+)");   // one match per "word"; note this splits on '-' and '=' as well
auto words_begin = std::sregex_iterator(output.begin(), output.end(), wregex);
auto words_end = std::sregex_iterator();
std::cout << "Found: " << std::distance(words_begin, words_end) << std::endl;
PrintMatch(words_begin, words_end);
Output:
Found: 110 CommandLine, C, Riot, Games, League, of, Legends, LeagueClientUx, exe, riotclient, auth, token, 5NFOIOqKB9EfSVsxBMrFUw, riotclient, app, port, 63498, no, rads, disable, self, update, region, EUW, locale, en_GB, remoting, auth, token, vx5yZOk_TkAt9YKq, PEucw, respawn, command, LeagueClient, exe, respawn, display, name, League, of, Legends, app, port, 63530,
And a bit more, but the character restriction limits me; however, the output which I need to store is there. I've set commas to mark new lines in the output.
It depends on what you mean by "save". Save to a file or just assign to a variable? My guess is that you are confused about how iterators work and are wondering how you can fetch the remote-auth-token and the port number from the words_begin variable. If the number of "words" in the cmd output is always the same you can use:
std::advance(words_begin,16);
std::string port = words_begin->str();
std::advance(words_begin,13);
std::string authToken = words_begin->str();
Now, normally you would write the regex so as to only match the part you are interested in. Currently, since you are matching every "word", you are dependent on what position the remote auth token and port number are in the cmd output, which might cause your application to break if that output ever changes order or adds another word in front.
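Added example, not code from the question or the answer above: the same extraction done the way the answer recommends, with a regex that targets the "--name=value" arguments by name rather than counting words. It is written in Ruby, the language used for the other examples on this page; the pattern itself uses only syntax that std::regex accepts too. The embedded command line is a trimmed copy of the one in the question. Note from the question's own output that the \w+ split cut the token at its hyphen ("vx5yZOk_TkAt9YKq, PEucw"); capturing everything up to the closing quote avoids that. Which of the two port arguments belongs with remoting-auth-token is an assumption, marked in the code. Keep in mind that this works at all because any process running as the same user can read another process's command line (that is what the wmic query does), so the token you pull out is a live credential: keep it out of log output.

```ruby
# Added example, not code from the question or the answer. Extracts named
# "--name=value" arguments from the LeagueClientUx.exe command line.
# COMMAND_LINE is a trimmed copy of the line quoted in the question, embedded
# here so the script runs offline.
COMMAND_LINE = '"C:/Riot Games/League of Legends/LeagueClientUx.exe" ' \
  '"--riotclient-auth-token=5NFOIOqKB9EfSVsxBMrFUw" "--riotclient-app-port=63498" ' \
  '"--no-rads" "--disable-self-update" "--region=EUW" "--locale=en_GB" ' \
  '"--remoting-auth-token=vx5yZOk_TkAt9YKq-PEucw" "--respawn-command=LeagueClient.exe" ' \
  '"--respawn-display-name=League of Legends" "--app-port=63530" ' \
  '"--install-directory=C:\Riot Games\League of Legends" "--app-name=LeagueClient" ' \
  '"--app-pid=19692" "--no-proxy-server"'

# Every argument on the line is double-quoted: "--name=value" or a bare "--flag".
# Capturing the value as [^"]* keeps the hyphens and spaces that \w+ splits on.
ARG_RE = /"--([\w-]+)(?:=([^"]*))?"/

# Returns { "name" => "value" }; flags without a value map to "".
# The "CommandLine" header line that wmic prints carries no quoted "--" args
# and is simply skipped by scan.
def parse_args(cmdline)
  cmdline.scan(ARG_RE).to_h { |name, value| [name, value.to_s] }
end

# Returns [port, token] or nil when either argument is missing.
# ASSUMPTION: app-port is the listener that pairs with remoting-auth-token;
# the line also carries riotclient-app-port, which is a different one.
def remoting_credentials(cmdline)
  args = parse_args(cmdline)
  return nil unless args["app-port"] && args["remoting-auth-token"]
  [args["app-port"].to_i, args["remoting-auth-token"]]
end

if __FILE__ == $PROGRAM_NAME
  port, token = remoting_credentials(COMMAND_LINE)
  # Print the port only; the token is a credential and does not belong in logs.
  puts "remoting port: #{port} (token length #{token.length})"
end
```

If the argument order ever changes, or an argument is inserted in front, parse_args still returns the right values, which is the property the positional std::advance version lacks.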
I need to parse an Apache log file and output IP, URL, and URL status code into hashes but don't know how to put the elements into a hash.
My code uses regular expressions to get the info I need from each line of the log file:
line_array = File.readlines("access_log")
line_array.each do |line|
  # regexp: capture the client IP, the request path and the status code
  md = (/^([:\d\.]+) .*\[.*\].*\"[A-Z]+ *(.+) HTTP\S*\s(\d+)/).match(line)
  next unless md   # skip lines the pattern does not match (md would be nil)
  ip = md[1]
  url = md[2]
  status = md[3]
end
Is my current code even on the right track to be able to do this?
I need the hashes to display the item and then the frequency of said item. So if we have the hash for IP addresses, it will display the IP addresses in the log file followed by the frequency of that specific IP.
Assuming your md correctly returns an array of strings which is what you appear to be expecting, then try:
line_array = File.readlines("access_log")
hash = Hash.new
line_array.each do |line|
  # regexp
  md = (/^([:\d\.]+) .*\[.*\].*\"[A-Z]+ *(.+) HTTP\S*\s(\d+)/).match(line)
  next unless md   # md is nil when the line does not match
  hash[:ip] = md[1]
  hash[:url] = md[2]
  hash[:status] = md[3]
end
This will create a hash object with the three keys:
hash
=> { ip: 'whatever is in md[1]', url: 'whatever is in md[2]', status: 'whatever is in md[3]' }
Also, just to highlight: by accessing md[1] you're accessing the second element of the array; if you want the first you need md[0].
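The answer builds a hash for a single line; the question also wants each item's frequency. Added example (mine, not the asker's or the answerer's code): the thread's regex applied to a handful of constructed access-log lines, with Hash.new(0) counters so that each IP, URL and status code maps to how often it occurred. A line that does not match is counted separately instead of calling [] on nil, which is what a malformed or truncated log line would otherwise cause.

```ruby
# Added example: tally IP, URL and status-code frequencies from Apache
# access-log lines using the regex from the thread above. SAMPLE_LOG is
# constructed for this example; nothing is read from a real file.
LOG_RE = /^([:\d\.]+) .*\[.*\].*"[A-Z]+ *(.+) HTTP\S*\s(\d+)/

SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [09/Jul/2020:12:55:09 +0000] "GET /login HTTP/1.1" 200 512 "-" "curl/7.68.0"
  203.0.113.7 - - [09/Jul/2020:12:55:10 +0000] "POST /login HTTP/1.1" 401 188 "-" "curl/7.68.0"
  203.0.113.7 - - [09/Jul/2020:12:55:11 +0000] "POST /login HTTP/1.1" 401 188 "-" "curl/7.68.0"
  198.51.100.23 - - [09/Jul/2020:12:56:02 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
  198.51.100.23 - - [09/Jul/2020:12:56:03 +0000] "GET /wp-login.php HTTP/1.1" 404 231 "-" "Mozilla/5.0"
  this line is not an access-log entry
LOG

# Returns { ip: {...}, url: {...}, status: {...}, unparsed: n }; each inner
# hash maps an item to the number of times it appeared. Hash.new(0) makes
# "+= 1" safe on a key that has not been seen before.
def tally_access_log(lines)
  counts = { ip: Hash.new(0), url: Hash.new(0), status: Hash.new(0), unparsed: 0 }
  lines.each do |line|
    md = LOG_RE.match(line)
    if md.nil?
      counts[:unparsed] += 1   # do not index nil; just count the miss
      next
    end
    counts[:ip][md[1]] += 1
    counts[:url][md[2]] += 1
    counts[:status][md[3]] += 1
  end
  counts
end

# Prints each hash as "item<TAB>frequency", most frequent first.
def print_tally(counts)
  %i[ip url status].each do |key|
    puts "== #{key} =="
    counts[key].sort_by { |item, n| [-n, item] }.each { |item, n| puts "#{item}\t#{n}" }
  end
  puts "unparsed lines: #{counts[:unparsed]}"
end

print_tally(tally_access_log(SAMPLE_LOG.lines)) if __FILE__ == $PROGRAM_NAME
```

For a real file, pass File.foreach("access_log") instead of SAMPLE_LOG.lines so the log is streamed rather than read into memory at once. Sorting the status tally is usually the first thing worth looking at: a burst of 401s from one address, as in the sample, stands out immediately.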
Second edit: We have command line auditing enabled and the logs going to Elasticsearch. Basically, I'll be doing this subst in Logstash, or trying to. It's actually been almost nil, but I'm trying to cover all the bases.
We are monitoring cmd line activity on hosts, and while it's policy that you aren't supposed to enter your password in clear text on the cmd line, people will.
So I'm looking for a way to detect when someone enters their password and then subst out the password for hashes. The 1.1.1.8 is an example; it could be any IP address.
From this I want to detect if there is a password there:
net use I: \\1.1.1.8\E$ /user:domain\username password /persistent:yes
Lookbehind almost seems to have it, but I can't get it to stop after the space after username...
(?<=/user:)(.*)(?<=\s)
net use I: \\1.1.1.8\E$ /user:domain\username password /persistent:yes
when I need it to get -
net use I: \\1.1.1.8\E$ /user:domain\username password /persistent:yes
https://regexr.com/3i6va
... it would be something like this to gsub the password out and replace with ###
filter {
  if [event_id] == 4688 {
    mutate {
      gsub => ["[event_data][CommandLine]", "(?<=\/user:)(.*)(?<=\s)", "########"]
    }
  }
}
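There is no answer in this thread, so here is an added example of my own (not the asker's code). It swaps the lookbehind for a capture group plus a backreference: match /user:DOMAIN\name followed by the next token, and write the first group back with the password replaced. Logstash's mutate filter runs on JRuby and applies each gsub triplet with Ruby's String#gsub, so the patterns below are the ones to drop into the filter, for example gsub => ["[event_data][CommandLine]", "(/user:\S+\s+)(?!/)\S+", "\1########"] (how backslashes have to be quoted in the config file depends on config.support_escapes). A second pattern covers the other order net use accepts, the password right after \\server\share. The negative lookahead (?!/) keeps a switch such as /persistent:yes from being treated as the password when none was typed. The net/net1/net.exe guard regex is my own; the sample command lines are constructed.

```ruby
# Added example: redact the password from "net use" command lines captured by
# Windows 4688 command-line auditing, using a capture group and a backreference
# instead of lookbehind. Sample lines are constructed for this example.

# Password given after /user:DOMAIN\name (the form in the question).
AFTER_USER_RE  = /(\/user:\S+\s+)(?!\/)\S+/
# Password given positionally right after the \\server\share path, which is
# the order "net use" documents. Both forms turn up in real audit logs.
AFTER_SHARE_RE = /(\\\\\S+\s+)(?!\/)\S+/
# Only touch net use invocations: net, net1, net.exe, with or without a path.
NET_USE_RE     = /\bnet1?(?:\.exe)?\s+use\b/i

MASK = '########'

# Returns the command line with the password token replaced by MASK.
# (?!\/) stops the match when the next token is a switch, so a command line
# that carries no password comes back unchanged. "\\1" in the replacement is
# Ruby's backreference to the first group, the part we keep.
def redact_net_use(cmdline)
  return cmdline unless cmdline =~ NET_USE_RE
  cmdline.gsub(AFTER_USER_RE, "\\1#{MASK}").gsub(AFTER_SHARE_RE, "\\1#{MASK}")
end

# Detection: a password was present if redaction changed anything.
def contains_password?(cmdline)
  redact_net_use(cmdline) != cmdline
end

# Constructed input => expected output. Single quotes keep the backslashes
# literal ('\\\\' is the two-backslash UNC prefix).
SAMPLES = {
  'net use I: \\\\1.1.1.8\\E$ /user:domain\\username password /persistent:yes' =>
    'net use I: \\\\1.1.1.8\\E$ /user:domain\\username ######## /persistent:yes',
  'net use I: \\\\1.1.1.8\\E$ Sup3rS3cret! /user:domain\\username' =>
    'net use I: \\\\1.1.1.8\\E$ ######## /user:domain\\username',
  # no password typed: nothing to redact
  'net use I: \\\\1.1.1.8\\E$ /user:domain\\username /persistent:yes' =>
    'net use I: \\\\1.1.1.8\\E$ /user:domain\\username /persistent:yes',
  # "*" means "prompt me"; masking it is harmless over-redaction
  'C:\\Windows\\system32\\net.exe use \\\\1.1.1.8\\E$ * /user:domain\\username' =>
    'C:\\Windows\\system32\\net.exe use \\\\1.1.1.8\\E$ ######## /user:domain\\username',
  'dir C:\\' => 'dir C:\\',
}

# True when every sample redacts to its expected form.
def run_samples
  SAMPLES.all? { |input, want| redact_net_use(input) == want }
end

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each_key { |line| puts "#{contains_password?(line) ? 'REDACTED ' : 'unchanged'} #{redact_net_use(line)}" }
end
```

In Logstash each pattern becomes its own [field, pattern, replacement] triplet in the same gsub array. Test new patterns against a copy of the event first: a pattern that over-matches here silently destroys the command line you are trying to audit.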
So I map $http_cookie to check all the cookies the client sends; the only one I want to intercept, to obtain its value, is any cookie with an MD5 hash.
The regex to detect a MD5 hash is this
[0-9a-f]{32}
But when I add it to my map directive, Nginx won't run because the regex is wrong.
This is my cookie map. The issue with this is that it gets all cookies; I only want the ones with an MD5 sum.
map $http_cookie $session_id_value {
    default '';
    ~^.*.+\=(?<session_value>[\w]+).*$ $session_value;
}
I tried this:
map $http_cookie $session_id_value {
    default '';
    ~^.*[0-9a-f]{32}.+\=(?<session_value>[\w]+).*$ $session_value;
}
But Nginx does not like my regex. So it errors and won't run.
I test with the echo module to see the value of the cookie my regex has grabbed, but currently it keeps grabbing the first random cookie, not the one with an MD5 hash for a name.
echo "Session Cookie Value : $session_id_value";
echo "httpcookie : $http_cookie";
That is a syntax error. From the rewrite documentation:
If a regular expression includes the “}” or “;” characters, the whole expression should be enclosed in single or double quotes.
Try:
map $http_cookie $session_id_value {
    default '';
    "~^.*[0-9a-f]{32}.+\=(?<session_value>[\w]+).*$" $session_value;
}
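Added example, not part of the question or the answer: both patterns run against constructed Cookie headers, with Ruby's regex engine standing in for nginx's PCRE (the patterns use only syntax the two share; the answer's \= is written as a plain = here, which is the same thing). The thread's pattern requires at least one character between the 32 hex digits and the "=", so when a cookie is named exactly by the hash it either matches nothing or captures the value of a later cookie, which is the "random cookie" behaviour the question describes. The pattern here anchors on the cookie-name boundary instead; in the map it would be "~(?:^|;\s*)[0-9a-f]{32}=(?<session_value>\w+)" $session_value; (quoted because it contains ";"; use ~* instead of ~ if the hash may be upper-case).

```ruby
# Added example, not from the question or answer: pick out the value of the
# cookie whose *name* is a 32-hex-digit (MD5-shaped) string. Ruby's Onigmo
# engine stands in for nginx's PCRE; the patterns use only syntax both share.

# Anchor on the start of a cookie name: beginning of the header or "; ".
# A hash that merely sits inside another cookie's value is therefore ignored,
# and a cookie whose whole name is the hash matches wherever it appears.
MD5_COOKIE_RE = /(?:^|;\s*)[0-9a-f]{32}=(?<session_value>\w+)/

# The pattern from the answer above (with the syntax error fixed), for comparison.
THREAD_RE = /^.*[0-9a-f]{32}.+=(?<session_value>[\w]+).*$/

# '' on no match mirrors the map's "default ''".
def md5_cookie_value(cookie_header)
  md = MD5_COOKIE_RE.match(cookie_header.to_s)
  md ? md[:session_value] : ''
end

def thread_pattern_value(cookie_header)
  md = THREAD_RE.match(cookie_header.to_s)
  md ? md[:session_value] : ''
end

# Constructed Cookie headers: MD5-named cookie in the middle, last, absent,
# first, and a hash appearing only as another cookie's value.
HEADERS = [
  'theme=dark; 0123456789abcdef0123456789abcdef=deadbeef; lang=en',
  'theme=dark; 0123456789abcdef0123456789abcdef=deadbeef',
  'theme=dark; lang=en',
  '0123456789abcdef0123456789abcdef=first; theme=dark',
  'sig=0123456789abcdef0123456789abcdef; theme=dark',
]

if __FILE__ == $PROGRAM_NAME
  HEADERS.each do |h|
    puts "#{h}\n  anchored: #{md5_cookie_value(h).inspect}   thread: #{thread_pattern_value(h).inspect}"
  end
end
```

The comparison is the useful part: on the first header the thread's pattern returns "en" (the value of lang, the last cookie), and on the second it returns nothing at all, while the anchored pattern returns "deadbeef" in both cases.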
I have just set up my first installation of OTRS, and I was setting up my first filter when I found a 'possible' bug:
When the regex matches a zero (as in '0') and I try to assign it to a DynamicField (type text) using '[***]', I get an empty value (maybe it believes it's NULL??).
The actual regex works:
Node users: (.*?)\,
And this is what I'm parsing in the body. If I have a '1' it works fine:
"...3.250. Node users: 1, Backend use..."
log:
Filter: 'variable name 4' Set param 'X-OTRS-DynamicField-variable4' to '1'
If I have a '0', OTRS doesn't see a value:
"...3.250. Node users: 0, Backend use..."
log:
Filter: 'variable name 4' Set param 'X-OTRS-DynamicField-variable4' to ''
Any ideas? I'm no perl expert, but it looks like it's both successfully matching and unsuccessfully inserting in DB.
Without seeing some code, I'm left with guessing. My guess would be there's some logic like:
if ( $variable ) {
    # do something
}
Which means that when the variable is present but 0, it evaluates as false when it shouldn't. This can be easily fixed by tracking down the offending line and changing it to:
if ( defined $variable ) {
    # do something
}