Friday, July 27, 2018

Splunk - Tips & trix

Search macro

In a query you often tend to refer to indexes like this, "index=main sourcetype=syslog", and then you build this into a dashboard. When your creations grow and you need to change to another index, there will be many places where you have to edit your code.

Instead, go to Settings > Advanced search > Search macro, edit/create your macro and put your index definition there: "index=main".

Now, in your queries, refer to this macro instead of the index, like this:
`my_macro` sourcetype=syslog
Whenever you need to change the index or add more indexes, the macro is the only place you have to edit.

Blue Coat Proxy SG shortcuts


Under 'Statistics - Advanced' you'll find more than you need; here is a short summary.

sysinfo & sysinfo-stat

# Sysinfo

# Core Images

# Access Logs

Check Point Cli Commands

Cli commands

Some good cli commands that are useful, I always forget the syntax so it's good to have them in one place.
 
### Cluster XL Debug
# Expert
clish -c "show routed cluster-state detailed"

# clish
show routed cluster-state detailed

##### VPN
### VPN encryption domain overlap
vpn overlap_encdom > temp.txt

### list tunnels
vpn tu tlist -p peer_ip

##### FW
### proxy arp and active local.arp
fw ctl arp -n

### CCC (good script (dangerous))
curl_cli http://dannyjung.de/ccc | zcat > /usr/bin/ccc && chmod +x /usr/bin/ccc

Wednesday, May 17, 2017

I WannaCry - Don't get ransomware

Backup process to avoid Ransomware.

This process will of course not protect me from getting my disk encrypted, but at least it will prevent my backups from also getting encrypted. I fear many people at home or at work don't have a good process to verify their data status and backups either.

How do I know if I got ransomware on my NAS?
How do I prevent my backup from running if I got ransomware?

For me I found a handy solution: my NAS rarely changes a lot of files, most of them are static, so a script that checks the number of changed files during the last 24h is sufficient.

The script updates Domoticz via JSON and sets a Dummy Switch to 'Off' if there are too many changed files, and also sets a Dummy Alert with a log entry. The Dummy Switch has a notification that sends me an email about the situation. The script then bails out and no rsync between the primary and secondary disk occurs.

The next day when the script starts again from crontab, it first checks the status of the Dummy Switch in Domoticz; if that is still set to 'Off', no backup occurs and a new log entry is written to the utility Dummy Alert.

I then need to manually verify why I got more changed files than expected on my NAS, and then set my Dummy Switch 'NAS_Backup_Script' to 'On' again.

Additional security for this script is to have a honeypot folder with documents of the types that most ransomware will attack, and to monitor any change in there; this method is a very good indication that you have some kind of intrusion in your network.

Another option, if you have version-based incremental backups, is to monitor the growth of the backup and set limits with alerts.
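As an added example (written for this page, not the author's script from the GitHub link below), here is a POSIX shell sketch of the gate described above, including the honeypot folder check: it refuses to run rsync while the Domoticz dummy switch is 'Off', counts files changed in the last 24h against a threshold, verifies that the decoy documents still match a stored checksum manifest, and reports to Domoticz before either bailing out or syncing. All paths, the 50-file threshold, the Domoticz host and the device idx values are placeholders, and the Domoticz JSON endpoints (switchlight, udevice, devices) are assumptions about its API that you should check against your Domoticz version.

```shell
#!/bin/sh
# Ransomware-aware backup gate. Added example, not the author's GitHub script.
# Every path, threshold, host and idx below is an assumption/placeholder.

DATA_DIR="${DATA_DIR:-/mnt/nas/data}"                    # primary disk (assumed)
BACKUP_DIR="${BACKUP_DIR:-/mnt/backup/data}"             # secondary disk (assumed)
HONEYPOT_DIR="${HONEYPOT_DIR:-/mnt/nas/data/_honeypot}"  # decoy documents (assumed)
MAX_CHANGED="${MAX_CHANGED:-50}"                         # tolerated changes per 24h (assumed)
DOMOTICZ="${DOMOTICZ:-http://127.0.0.1:8080}"            # Domoticz base URL (placeholder)
SWITCH_IDX="${SWITCH_IDX:-1}"                            # idx of dummy switch NAS_Backup_Script (placeholder)
ALERT_IDX="${ALERT_IDX:-2}"                              # idx of dummy alert device (placeholder)

# Number of regular files under $1 modified within the last $2 hours.
count_changed() {
    find "$1" -type f -mmin "-$(( $2 * 60 ))" 2>/dev/null | wc -l | tr -d ' '
}

# 0 (ok) if the change count $1 is at most $2, 1 otherwise.
within_threshold() {
    [ "$1" -le "$2" ]
}

# Record a checksum manifest of the decoy files once, when seeding the honeypot.
# cksum is run once per file so it never falls back to reading stdin.
honeypot_seed() {
    find "$1" -type f ! -name .manifest -exec cksum {} \; | sort > "$1/.manifest"
}

# 0 if the decoys still match the manifest; 1 if any file was changed,
# removed, renamed or added (an encrypted manifest also fails the comparison).
honeypot_untouched() {
    [ -f "$1/.manifest" ] || return 0   # not seeded yet: nothing to compare against
    find "$1" -type f ! -name .manifest -exec cksum {} \; | sort | cmp -s - "$1/.manifest"
}

# Domoticz JSON API helpers (endpoint names are assumptions about the API).
domoticz_switch() {   # $1 = idx, $2 = On|Off
    curl -s "$DOMOTICZ/json.htm?type=command&param=switchlight&idx=$1&switchcmd=$2" >/dev/null
}
domoticz_alert() {    # $1 = idx, $2 = level (1 green .. 4 red), $3 = log text
    curl -s -G "$DOMOTICZ/json.htm" --data-urlencode "type=command" \
        --data-urlencode "param=udevice" --data-urlencode "idx=$1" \
        --data-urlencode "nvalue=$2" --data-urlencode "svalue=$3" >/dev/null
}
domoticz_switch_status() {   # $1 = idx; prints On or Off (naive JSON scrape)
    curl -s "$DOMOTICZ/json.htm?type=devices&rid=$1" \
        | sed -n 's/.*"Status" *: *"\([^"]*\)".*/\1/p' | head -n 1
}

# The gate itself: returns 1 and leaves the backup untouched on any alarm.
backup_gate() {
    if [ "$(domoticz_switch_status "$SWITCH_IDX")" = "Off" ]; then
        domoticz_alert "$ALERT_IDX" 4 "Backup still blocked, waiting for manual reset of NAS_Backup_Script"
        return 1
    fi
    changed=$(count_changed "$DATA_DIR" 24)
    if ! within_threshold "$changed" "$MAX_CHANGED"; then
        domoticz_switch "$SWITCH_IDX" Off
        domoticz_alert "$ALERT_IDX" 4 "$changed files changed in 24h (limit $MAX_CHANGED), backup stopped"
        return 1
    fi
    if ! honeypot_untouched "$HONEYPOT_DIR"; then
        domoticz_switch "$SWITCH_IDX" Off
        domoticz_alert "$ALERT_IDX" 4 "Honeypot folder modified, backup stopped"
        return 1
    fi
    domoticz_alert "$ALERT_IDX" 1 "$changed files changed in 24h, backup running"
    rsync -a --delete "$DATA_DIR/" "$BACKUP_DIR/"
}

# Run the gate only when explicitly asked, so the functions can also be sourced.
if [ "${BACKUP_GATE_RUN:-0}" = "1" ]; then
    backup_gate
fi
```

Run it from crontab as `BACKUP_GATE_RUN=1 sh backup_gate.sh` after seeding the decoy folder once with `honeypot_seed`. The manifest comparison catches renames and deletions as well as edits, which a plain mtime check would miss, and the switch check comes first so a blocked state persists until you reset the dummy switch by hand.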


Find my process and scripts on my GitHub.

Sunday, February 26, 2017

Check Point Endpoint protection - SandBlast Agent

Check out the new features from Check Point with their new SandBlast Agent.

https://youtu.be/rXwCqrDcZJ4

https://www.checkpoint.com/products/endpoint-sandblast-agent/

Also note that with the new firmware for the SMB series, SandBlast is available even on all embedded devices from the 700 to 1400 series.

Wednesday, April 6, 2016

IA (Identity Awareness) can be a pain; here are some short notes that help in troubleshooting. Check in SmartLog that there is full access between the AD DC and the FW gateway, as DCE-RPC uses dynamic high ports to communicate.

## Debug PDP on
pdp d s all all

## Debug PDP Off
pdp debug off

# Check logfile
tail -f $FWDIR/log/pdpd.elg

# Check if PDPD is running
ps aux | grep pdpd

# Try to restart it by killing, it will autorestart
killall pdpd

# Verify connectivity to AD (LDAP and WMI) that runs over DCE-RPC. 
Solution Title: How to use test_ad_connectivity to troubleshoot AD Query connectivity.
Solution ID: sk100406
Solution Link: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk100406

# Check pdp
pdp connections pep

# check pep
pep s pdp a

# View and control the AD Query (ADQ) status.
adlog a dc - Displays a table specifying which Domain Controllers this Security Gateway is connected to, their connectivity status and the number of events fetched in the last hour

adlog a query all - (or 'adlog a q a' for short) - Displays all of the identity information currently known by AD Query (ADQ)
If this shows an error, kill pdpd and verify that it restarts (see above).

adlog a query ip 1.1.1.1 - (or 'adlog a q i 1.1.1.1' for short) - Displays the information currently known for 1.1.1.1