JPCERTCC / LogonTracer

Investigate malicious Windows logon by visualizing and analyzing Windows event log

Inaccurate parsing percentage displayed in GUI #115

Closed rj-chap closed 2 years ago

rj-chap commented 2 years ago

Hey team. I uploaded 7 EVTX files that are processing now. The upload dialogue is showing some wonky parsing percentages though (e.g. 7134%):


I didn't see this listed as an issue previously, so I figured I'd bring it up. I'm running your primary docker container under macOS:

docker image

jpcertcc/docker-logontracer   latest    845817a5c504   4 months ago   1.29GB

docker details

Client:
 Cloud integration: 1.0.17
 Version:           20.10.8
 API version:       1.41
 Go version:        go1.16.6
 Git commit:        3967b7d
 Built:             Fri Jul 30 19:55:20 2021
 OS/Arch:           darwin/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.8
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.16.6
  Git commit:       75249d8
  Built:            Fri Jul 30 19:52:31 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.4.9
  GitCommit:        e25210fe30a0a703442421b0f60afac609f950a3
 runc:
  Version:          1.0.1
  GitCommit:        v1.0.1-0-g4144b63
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

Environment
LTHOSTNAME=192.168.50.196
PATH=/usr/local/bin:/var/lib/neo4j/bin:/usr/local/openjdk-11/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
JAVA_HOME=/usr/local/openjdk-11
LANG=C.UTF-8
JAVA_VERSION=11.0.11+9
NEO4J_SHA256=b26217ae08ae93d8ae8d83d3da2db082bdcc67b3005309f562edfeffff8dad8c
NEO4J_TARBALL=neo4j-community-4.2.6-unix.tar.gz
NEO4J_EDITION=community
NEO4J_HOME=/var/lib/neo4j
PYTHON_VERSION=3.7.8
PYTHON_PIP_VERSION=20.1.1
PYTHON_GET_PIP_URL=https://github.com/pypa/get-pip/raw/eff16c878c7fd6b688b9b4c4267695cf1a0bf01b/get-pip.py
PYTHON_GET_PIP_SHA256=b3153ec0cf7b7bbf9556932aa37e4981c35dc2a2c501d70d91d2795aa532be79

Mounts
/LOGS -> /var/lib/docker/volumes/983bec8c9bd84350cdb4d5379451b2fd6c5d2281fea7d6548d2b3f63daec1d72/_data
/DATA -> /var/lib/docker/volumes/7bc3d72dd4053c22b80620285e5fdf8b0c7c4a41ff4847ac389d2146c960ec41/_data

Ports
7473/tcp  Not bound
7474/tcp  0.0.0.0:7474
7687/tcp  0.0.0.0:7687
8080/tcp  0.0.0.0:8080

I can provide a docker inspect or whatever else you'd like, but I cannot provide the actual EVTX files for obvious reasons.

rj-chap commented 2 years ago

I figured I'd include what's at the log endpoint:

[+] Script start. 2021/10/06 16:10:05
[+] Neo4j Kernel version: 4.2.6
[+] Delete all nodes and relationships from this Neo4j database.
[+] make cache folder /usr/local/src/LogonTracer/cache.
[+] Last record number is 2369.
[+] Start parsing the EVTX file.
[+] Parse the EVTX file /usr/local/src/LogonTracer/upload/0.evtx.
[+] Now loading 100 records.
[+] Now loading 200 records.
[+] Now loading 300 records.
[+] Now loading 400 records.
[+] Now loading 500 records.
...
[+] Now loading 185000 records.
[+] Now loading 185100 records.
[+] Now loading 185200 records.
[+] Now loading 185300 records.
[+] Now loading 185400 records.
[+] Now loading 185500 records.
[+] Now loading 185600 records.
[+] Now loading 185700 records.

...Still processing...

shu-tom commented 2 years ago

I found a bug with a parsing status above 100% and will fix it.

rj-chap commented 2 years ago

> I found a bug with a parsing status above 100% and will fix it.

Awesome! Thanks much!

shu-tom commented 2 years ago

I fixed the status bar issue. If the EVTX file doesn't finish loading, it may be a machine performance issue. Note that Docker on macOS has low performance, so if the EVTX file size is too large, it may not finish loading.

rj-chap commented 2 years ago

Awesome! I'll be able to test this later this week. Not sure if you want to go ahead and close now or close after verification with the new version. Either way for me, thanks!