Python API Memory Error

I am trying to download a large report using the Nexpose Python API. However, I get a memory error when running the script. Any help would be great!

```
Traceback (most recent call last):
  File "C:\Users\jstegman\AppData\Local\Programs\Python\Python36-32\ExtractDataFromNexpose.py", line 61, in <module>
    generate_report()
  File "C:\Users\jstegman\AppData\Local\Programs\Python\Python36-32\ExtractDataFromNexpose.py", line 42, in generate_report
    download_report(report_client, report_id, report_instance_id)
  File "C:\Users\jstegman\AppData\Local\Programs\Python\Python36-32\ExtractDataFromNexpose.py", line 55, in download_report
    client.download_report(report_id, instance_id)
  File "C:\Users\jstegman\AppData\Roaming\Python\Python36\site-packages\rapid7_vm_console-0.0.1_6.5.19-py3.6.egg\rapid7vmconsole\api\report_api.py", line 357, in download_report
    (data) = self.download_report_with_http_info(id, instance, **kwargs)  # noqa: E501
  File "C:\Users\jstegman\AppData\Roaming\Python\Python36\site-packages\rapid7_vm_console-0.0.1_6.5.19-py3.6.egg\rapid7vmconsole\api\report_api.py", line 442, in download_report_with_http_info
    collection_formats=collection_formats)
  File "C:\Users\jstegman\AppData\Roaming\Python\Python36\site-packages\rapid7_vm_console-0.0.1_6.5.19-py3.6.egg\rapid7vmconsole\api_client.py", line 322, in call_api
    _preload_content, _request_timeout)
  File "C:\Users\jstegman\AppData\Roaming\Python\Python36\site-packages\rapid7_vm_console-0.0.1_6.5.19-py3.6.egg\rapid7vmconsole\api_client.py", line 153, in __call_api
    _request_timeout=_request_timeout)
  File "C:\Users\jstegman\AppData\Roaming\Python\Python36\site-packages\rapid7_vm_console-0.0.1_6.5.19-py3.6.egg\rapid7vmconsole\api_client.py", line 343, in request
    headers=headers)
  File "C:\Users\jstegman\AppData\Roaming\Python\Python36\site-packages\rapid7_vm_console-0.0.1_6.5.19-py3.6.egg\rapid7vmconsole\rest.py", line 238, in GET
    query_params=query_params)
  File "C:\Users\jstegman\AppData\Roaming\Python\Python36\site-packages\rapid7_vm_console-0.0.1_6.5.19-py3.6.egg\rapid7vmconsole\rest.py", line 222, in request
    r.data = r.data.decode('utf8')
MemoryError
```

Posted by Jonah Stegman 8 months ago
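The traceback above ends in the generated client's `rest.py`, where the whole report body is read into memory and then decoded a second time as a `str`; on the 32-bit interpreter in the path (`Python36-32`) that doubles the footprint of an already large body inside a process limited to a few gigabytes of address space. The example below is added here and is not Rapid7's code. It assumes the swagger-codegen behaviour of the `rapid7vmconsole` client, where passing `_preload_content=False` (the keyword visible in the `call_api` frame) makes `download_report()` return the raw urllib3 `HTTPResponse` without reading or decoding the body, so it can be streamed to disk chunk by chunk. The `_FakeReportApi` and `_FakeStreamingResponse` classes are constructed stand-ins so the writer can be exercised offline.

```python
"""Stream a large Nexpose/InsightVM report to disk instead of holding it in memory.

Added example, not Rapid7's code. Assumes the swagger-codegen-generated
rapid7vmconsole client: with _preload_content=False the generated method
returns the raw urllib3 HTTPResponse instead of a decoded string.
"""
import hashlib
import os
import tempfile

CHUNK_SIZE = 64 * 1024


def stream_to_file(resp, path, chunk_size=CHUNK_SIZE):
    """Write a streamed HTTP body to `path`, holding one chunk in memory at a time.

    `resp` only needs a urllib3-style .stream(chunk_size) generator.
    Returns (bytes_written, sha256_hex) so the caller can record the size and
    digest of the downloaded report alongside the report id.
    """
    digest = hashlib.sha256()
    total = 0
    partial = path + ".part"          # never leave a half-written report at `path`
    with open(partial, "wb") as fh:
        for chunk in resp.stream(chunk_size):
            if not chunk:
                continue
            fh.write(chunk)
            digest.update(chunk)
            total += len(chunk)
    os.replace(partial, path)
    return total, digest.hexdigest()


def download_report_streaming(client, report_id, instance_id, path):
    """Fetch a report instance through the generated client without preloading.

    `client` is assumed to be a rapid7vmconsole.ReportApi. Non-2xx statuses are
    still raised as ApiException by the client's REST layer before we get here.
    """
    resp = client.download_report(report_id, instance_id, _preload_content=False)
    try:
        return stream_to_file(resp, path)
    finally:
        resp.release_conn()           # hand the socket back to the urllib3 pool


class _FakeStreamingResponse:
    """Constructed offline stand-in for urllib3's HTTPResponse (demo only)."""

    def __init__(self, chunks):
        self._chunks = chunks

    def stream(self, chunk_size):
        return iter(self._chunks)

    def release_conn(self):
        pass


class _FakeReportApi:
    """Constructed stand-in for ReportApi that honours the _preload_content keyword."""

    def __init__(self, chunks):
        self._chunks = chunks

    def download_report(self, report_id, instance_id, **kwargs):
        if kwargs.get("_preload_content") is not False:
            raise AssertionError("caller forgot _preload_content=False; body would be preloaded")
        return _FakeStreamingResponse(self._chunks)


def demo():
    """Stream a constructed three-chunk 'report' and verify size and digest."""
    chunks = [b"<report>", b'<host ip="10.0.0.5"/>' * 1000, b"</report>"]
    expected = hashlib.sha256(b"".join(chunks)).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        out = os.path.join(tmp, "report.xml")
        written, digest = download_report_streaming(_FakeReportApi(chunks), 42, 1, out)
        size_on_disk = os.path.getsize(out)
    return {"written": written, "size_on_disk": size_on_disk,
            "digest": digest, "expected_digest": expected}


if __name__ == "__main__":
    print(demo())
```

Writing to a `.part` name and renaming on completion means a crash or a dropped connection never leaves a truncated file where a downstream parser would pick it up; the returned digest gives you something to log next to the report id.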

Recog signature best practice?

I'm working on signatures for pulling information from open redis services and testing the signatures via recog (https://github.com/rapid7/recog/). An open redis service provides a large volume of information: system architecture, OS versions, CPU utilization, etc. I'm triggering an INFO command via

```
echo -e '*1\r\n$4\r\nINFO\r\n' | nc 127.0.0.1 6379 | ruby ./bin/recog_match ./xml/redis_info.xml -
```

with redis_info.xml being the new signature file. My best practice question starts to come in when I look at signatures like operating_system.xml and architecture.xml. Both of them have all of the necessary regex to pull information out of the redis service but are specified as database_type="util.os", whereas redis classifies as a service.

```
Current values are:
- service: These fingerprints are intended to match banners or other responses from services. Fingerprint matches in 'service' database do not necessarily have to return 'service.' attributes in the match data.
- util.os: These fingerprints are intended to be used to identify or extract OS related information from strings that are not responses to service probes. This may be used in a utility capacity and may provide for data enrichment via an independent call after a service banner match has already been made.
```

Is it generally better practice to duplicate fingerprint entries when they can be re-used, or can generic regex like operating system string queries be shared as an external entity referenced in multiple signatures? If the external reference is even viable, is it safe to assume that the util.os fingerprints would need to be replicated for service parsing? Or should I expect the util.os fingerprint to be applied without any additional modifications?

Posted by BrianWGray 9 months ago
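The quoted description of `util.os` says those fingerprints are meant for "an independent call after a service banner match": the service database matches the banner as a whole, and the util.os database is then run over a substring the service match pulled out, not over the raw response. The example below illustrates that two-stage model in Python. It is added here and is not recog (which is Ruby) nor any of recog's own XML files: the two databases are constructed entries written in recog's element layout (`fingerprints`/`fingerprint`/`param`, `pos="0"` for a fixed value, `pos="n"` for a capture group), and the INFO output is a constructed sample.

```python
"""Two-stage fingerprinting in the layout recog uses: a 'service' database
matches the Redis INFO banner, then a 'util.os' database enriches the
extracted os string. Added example in Python; it is not recog (which is
Ruby) and the two databases below are constructed, not recog's files.
"""
import re
import xml.etree.ElementTree as ET

# Constructed service database: one fingerprint applied to the INFO output as a whole.
SERVICE_XML = r"""
<fingerprints matches="redis.info" database_type="service" protocol="redis">
  <fingerprint pattern="^redis_version:([\d.]+)\r?$">
    <description>Redis INFO banner (constructed entry)</description>
    <param pos="0" name="service.vendor" value="Redis"/>
    <param pos="0" name="service.product" value="Redis"/>
    <param pos="1" name="service.version"/>
  </fingerprint>
</fingerprints>
"""

# Constructed util.os database: patterns for the value of INFO's "os:" line only,
# so they can be reused by any service that reports a uname-style string.
OS_XML = r"""
<fingerprints matches="redis.os" database_type="util.os">
  <fingerprint pattern="^Linux (\S+) (x86_64|i686|aarch64)$">
    <description>Linux uname string as Redis reports it (constructed entry)</description>
    <param pos="0" name="os.family" value="Linux"/>
    <param pos="1" name="os.kernel_version"/>
    <param pos="2" name="os.arch"/>
  </fingerprint>
  <fingerprint pattern="^Darwin (\S+) (x86_64|arm64)$">
    <description>macOS uname string (constructed entry)</description>
    <param pos="0" name="os.family" value="Darwin"/>
    <param pos="1" name="os.kernel_version"/>
    <param pos="2" name="os.arch"/>
  </fingerprint>
</fingerprints>
"""


def load_db(xml_text):
    """Compile every <fingerprint> into (regex, [(pos, name, fixed_value), ...])."""
    root = ET.fromstring(xml_text)
    fingerprints = []
    for fp in root.iter("fingerprint"):
        params = [(int(p.get("pos")), p.get("name"), p.get("value"))
                  for p in fp.findall("param")]
        fingerprints.append((re.compile(fp.get("pattern"), re.MULTILINE), params))
    return {"database_type": root.get("database_type"), "fingerprints": fingerprints}


def match_db(db, text):
    """Return the params of the first fingerprint whose pattern matches, else None."""
    for regex, params in db["fingerprints"]:
        m = regex.search(text)
        if m is None:
            continue
        return {name: (value if pos == 0 else m.group(pos)) for pos, name, value in params}
    return None


SERVICE_DB = load_db(SERVICE_XML)
OS_DB = load_db(OS_XML)
OS_LINE = re.compile(r"^os:(.+?)\r?$", re.MULTILINE)


def fingerprint_redis_info(info_text):
    """Stage 1: service match on the banner. Stage 2: util.os match on the os: value."""
    result = match_db(SERVICE_DB, info_text)
    if result is None:
        return None
    os_line = OS_LINE.search(info_text)
    if os_line:
        enrichment = match_db(OS_DB, os_line.group(1))
        if enrichment:
            result.update(enrichment)
    return result


# Constructed INFO sample in Redis's CRLF "# Section" / "key:value" layout.
SAMPLE_INFO = ("# Server\r\nredis_version:4.0.9\r\nredis_mode:standalone\r\n"
               "os:Linux 4.15.0-20-generic x86_64\r\narch_bits:64\r\n")

if __name__ == "__main__":
    print(fingerprint_redis_info(SAMPLE_INFO))
```

In this model the util.os entries are not copied into the service file: the service fingerprint decides which substring to hand over, and the util.os database is applied to that substring unchanged. Whether recog's own tooling wires the second call up for you is a question for the project; the point here is only that the regexes do not need to exist in both files for the enrichment to work.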

Insight IDR and ESET Anti Virus

ESET is one of the listed AV options supported by InsightIDR; however, no documentation on the configuration required is available in the setup guide. ESET Remote Administrator has very few settings available when it comes to exporting data to syslog, and neither of them seems to generate any valid log data that InsightIDR is able to process. ESET Remote Administrator supports export to syslog in JSON and LEEF formats, but neither of these is processed by InsightIDR. Has anyone been able to get ESET AV to report to InsightIDR?

Example JSON format:

```
ERAServer 4256 - - ...{"event_type":"Threat_Event","ipv4":"192.168.1.10","hostname":"laptop-test.domain.example","source_uuid":"5a5a8e83-47c6-4cc1-a291-350fc5cf3c43","occured":"23-May-2018 05:56:14","severity":"Warning","threat_type":"test file","threat_name":"Eicar","scanner_id":"HTTP filter","scan_id":"virlog.dat","engine_version":"17430 (20180523)","object_type":"file","object_uri":"http://www.eicar.org/download/eicar.com.txt","action_taken":"connection terminated","threat_handled":true,"need_restart":false,"username":"DOMAIN\\testuser","processname":"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe","circumstances":"Threat was detected upon access to web.","hash":"3395856CE81F2B7382DEE72602F798B642F14140"}
```

Example LEEF format:

```
ERAServer 4256 - - ...LEEF:1.0|ESET|RemoteAdministrator|6.5.522.0|Web scanner terminated download of a virus|cat=ESET Threat Event sev=5 devTime=May 23 2018 05:57:30 devTimeFormat=MMM dd yyyy HH:mm:ss src=192.168.1.10 threatType=test file threatName=Eicar scannerID=HTTP filter scanID=virlog.dat engineVersion=17430 (20180523) objectType=file objectUri=http://www.eicar.org/download/eicar.com.txt actionTaken=connection terminated threatHandled=1 needRestart=0 accountName=DOMAIN\\testuser processName=C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe circumstances=Threat was detected upon access to web. hash=3395856CE81F2B7382DEE72602F798B642F14140
```

Posted by Thomas Nilsen 9 months ago
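Both exports carry the same detection, so a practical fallback when a SIEM cannot parse them natively is to normalise them yourself before forwarding. The parser below is an added example, not ESET's or Rapid7's code. Its two input lines are constructed from the ones in the post: the `ERAServer 4256 - - ` syslog prefix is kept as posted, the elided part of the header is not filled in, and the JSON key `occured` is read exactly as the export spells it. The LEEF extension is the part that needs care: the header is `|`-delimited, but ESET separates extension attributes with spaces while values themselves contain spaces (`threatType=test file`, `engineVersion=17430 (20180523)`), so the split is done only in front of the next `key=`.

```python
"""Parse the two ESET Remote Administrator syslog export formats into one event shape.

Added example, not ESET's or Rapid7's code. Sample lines are constructed from
the post; the syslog prefix is kept as posted and the elided header is not
filled in. The JSON key "occured" is spelled as the export spells it.
"""
import json
import re

JSON_LINE = (
    r'ERAServer 4256 - - {"event_type":"Threat_Event","ipv4":"192.168.1.10",'
    r'"hostname":"laptop-test.domain.example","source_uuid":"5a5a8e83-47c6-4cc1-a291-350fc5cf3c43",'
    r'"occured":"23-May-2018 05:56:14","severity":"Warning","threat_type":"test file",'
    r'"threat_name":"Eicar","scanner_id":"HTTP filter","scan_id":"virlog.dat",'
    r'"engine_version":"17430 (20180523)","object_type":"file",'
    r'"object_uri":"http://www.eicar.org/download/eicar.com.txt","action_taken":"connection terminated",'
    r'"threat_handled":true,"need_restart":false,"username":"DOMAIN\\testuser",'
    r'"processname":"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",'
    r'"circumstances":"Threat was detected upon access to web.",'
    r'"hash":"3395856CE81F2B7382DEE72602F798B642F14140"}'
)

LEEF_LINE = (
    r"ERAServer 4256 - - LEEF:1.0|ESET|RemoteAdministrator|6.5.522.0|"
    r"Web scanner terminated download of a virus|"
    r"cat=ESET Threat Event sev=5 devTime=May 23 2018 05:57:30 devTimeFormat=MMM dd yyyy HH:mm:ss "
    r"src=192.168.1.10 threatType=test file threatName=Eicar scannerID=HTTP filter scanID=virlog.dat "
    r"engineVersion=17430 (20180523) objectType=file objectUri=http://www.eicar.org/download/eicar.com.txt "
    r"actionTaken=connection terminated threatHandled=1 needRestart=0 accountName=DOMAIN\\testuser "
    r"processName=C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe "
    r"circumstances=Threat was detected upon access to web. hash=3395856CE81F2B7382DEE72602F798B642F14140"
)

# LEEF 1.0 header: LEEF:Version|Vendor|Product|Version|EventID|extension
LEEF_HEADER_FIELDS = 5
# Values contain spaces, so split the extension only where the next "key=" begins.
LEEF_ATTR_SPLIT = re.compile(r"\s+(?=[A-Za-z][A-Za-z0-9]*=)")


def parse_leef(line):
    parts = line[line.index("LEEF:"):].split("|", LEEF_HEADER_FIELDS)
    if len(parts) != LEEF_HEADER_FIELDS + 1:
        raise ValueError("malformed LEEF header")
    _leef_version, vendor, product, product_version, event_id, extension = parts
    fields = {}
    for attr in LEEF_ATTR_SPLIT.split(extension.strip()):
        key, sep, value = attr.partition("=")
        if sep:
            fields[key] = value
    return {
        "format": "leef",
        "vendor": vendor, "product": product, "product_version": product_version,
        "event_type": fields.get("cat"),
        "event_name": event_id,
        "src_ip": fields.get("src"),
        "hostname": None,                     # the LEEF export carries no hostname field
        "user": fields.get("accountName"),
        "threat_name": fields.get("threatName"),
        "action": fields.get("actionTaken"),
        "handled": fields.get("threatHandled") == "1",
        "object_uri": fields.get("objectUri"),
        "hash": fields.get("hash"),
        "fields": fields,
    }


def parse_json(line):
    payload = json.loads(line[line.index("{"):])   # skip the syslog prefix
    return {
        "format": "json",
        "vendor": "ESET", "product": None, "product_version": None,
        "event_type": payload.get("event_type"),
        "event_name": payload.get("circumstances"),
        "src_ip": payload.get("ipv4"),
        "hostname": payload.get("hostname"),
        "user": payload.get("username"),
        "threat_name": payload.get("threat_name"),
        "action": payload.get("action_taken"),
        "handled": payload.get("threat_handled") is True,
        "object_uri": payload.get("object_uri"),
        "hash": payload.get("hash"),
        "fields": payload,
    }


def normalize(line):
    """Dispatch on the payload marker; both exports share the same syslog prefix."""
    if "LEEF:" in line:
        return parse_leef(line)
    if "{" in line:
        return parse_json(line)
    raise ValueError("not an ESET JSON or LEEF export line")


if __name__ == "__main__":
    for sample in (JSON_LINE, LEEF_LINE):
        ev = normalize(sample)
        print(ev["format"], ev["src_ip"], ev["threat_name"], ev["action"], ev["handled"])
```

Note the two exports do not carry the same data: the JSON event has the endpoint hostname and a `source_uuid`, the LEEF event has neither, so if only one format can be made to work the JSON one is the richer choice for correlation. The backslashes in `accountName` and `processName` are kept exactly as they appear in the posted LEEF line, since the post does not show whether the export or the paste doubled them.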