happychander / Test_Issue

This is a testing project

test issue #11

Open happysaini opened 4 years ago

happysaini commented 4 years ago

link to Kibana logs&_a=(columns:!(message),filters:!(('$state':(store:appState),bool:(must:!((term:(log.file.path:%2Fvar%2Flog%2Fmessages)),(match:(message:oom-killer)))),meta:(alias:filter,disabled:!f,index:'filebeat-',key:bool,negate:!f,type:custom,value:'%7B%22must%22:%5B%7B%22term%22:%7B%22log.file.path%22:%22%2Fvar%2Flog%2Fmessages%22%7D%7D,%7B%22match%22:%7B%22message%22:%22oom-killer%22%7D%7D%5D%7D'))),index:'filebeat-',interval:auto,query:(language:kuery,query:''),sort:!(!('@timestamp',desc))))

happysaini commented 4 years ago
Description

Incorrect error message is displayed in the OOB deployment logs for invalid API key

Environment Detail

SMP IP: 10.6.111.9
Version smp-platform: 3.16.0-7202.50a7c109.ga
Version smp-core: 4.24.0-3.a669fac4
ENDGAME-SENSOR : 3.53.9
User Details: admin/smp+3ndg@m3
Browser Details: All

Preconditions
1 - SMP admin user should be logged in.

2 - Sensor profile should be created and the sensorinstaller.exe and the sensorconfig.cfg file should be placed on the endpoint for OOB deployment.

Steps to Reproduce
1 - RDP to the endpoint.

2 - Run command prompt using admin privileges.

3 - Run the command: .exe -c .cfg -k -d false -l ooblogs.log

4 - Open the ooblogs.log file.

5 - Observe that the error message is {"error":{"code":500,"message":"Bad status code"}}

Test data

- N/A

Impacted Test case

- https://testrail.eng.endgames.local/index.php?/cases/view/201037

Actual Result

- Incorrect error message is displayed in the OOB deployment logs for invalid API key

Expected Result

- Correct error message "{"error":{"message":"API key was rejected","code":401}}" should be displayed in the OOB deployment logs for invalid API key

What's working

- This issue is not occurring with 3.52.14 Sensor

What's not working

- N/A

Screencasts & Screenshot

N/A

Logs

- OOB deployment logs are attached for reference.

happysaini commented 4 years ago

Description

Incorrect error message is displayed in the OOB deployment logs for invalid API key

Environment Detail

SMP IP: 10.6.111.9
Version smp-platform: 3.16.0-7202.50a7c109.ga
Version smp-core: 4.24.0-3.a669fac4
ENDGAME-SENSOR : 3.53.9
User Details: admin/smp+3ndg@m3
Browser Details: All

Preconditions

  1. SMP admin user should be logged in.
  2. Sensor profile should be created and the sensorinstaller.exe and the sensorconfig.cfg file should be placed on the endpoint for OOB deployment.

Steps to Reproduce

  1. RDP to the endpoint.
  2. Run command prompt using admin privileges.
  3. Run the command: .exe -c .cfg -k -d false -l ooblogs.log
  4. Open the ooblogs.log file.
    1. testing
      1. tested
  5. Observe that the error message is {"error":{"code":500,"message":"Bad status code"}}

Test data

Impacted Test case

Actual Result

Expected Result

What's working

What's not working

Screencasts & Screenshot

N/A

Logs

happysaini commented 4 years ago
Description

Incorrect error message is displayed in the OOB deployment logs for invalid API key

Environment Detail

SMP IP: 10.6.111.9
Version smp-platform: 3.16.0-7202.50a7c109.ga
Version smp-core: 4.24.0-3.a669fac4
ENDGAME-SENSOR : 3.53.9
User Details: admin/smp+3ndg@m3
Browser Details: All

Preconditions
1 - SMP admin user should be logged in.

2 - Sensor profile should be created and the sensorinstaller.exe and the sensorconfig.cfg file should be placed on the endpoint for OOB deployment.

Steps to Reproduce
1 - RDP to the endpoint.

2 - Run command prompt using admin privileges.

3 - Run the command: .exe -c .cfg -k -d false -l ooblogs.log

4 - Open the ooblogs.log file.
    1 - testing
    2 - tested

5 - Observe that the error message is {"error":{"code":500,"message":"Bad status code"}}

Test data

- N/A

Impacted Test case

- https://testrail.eng.endgames.local/index.php?/cases/view/201037

Actual Result

- Incorrect error message is displayed in the OOB deployment logs for invalid API key

Expected Result

- Correct error message "{"error":{"message":"API key was rejected","code":401}}" should be displayed in the OOB deployment logs for invalid API key

What's working

- This issue is not occurring with 3.52.14 Sensor

What's not working

- N/A

Screencasts & Screenshot

N/A

Logs

- OOB deployment logs are attached for reference.

happysaini commented 4 years ago

This was found when we noticed two auth packets from the sensor. END-4280 The first packet is eaten; the second is sent through and looks like

---------------------------------------------------------------------------------------------------------
15:16:21.735947 [<< DATA] a6c68d52.540848b2 SESS:10.6.56.246:53904 IP:10.6.56.246 SZ: 994 ACK:1
{
    "data": {
        "sensor_version": "3.50.0-dev.20181106.105",
        "domain": "DESKTOP-QBBSCUT",
        "api_key": "5DE0B68B9B38101C2812",
        "is_host_isolated": false,
        "base_image": false,
        "os_version": {
            "os_minor": 0,
            "os_is_server": false,
            "os_major": 10,
            "os_build_number": 17134,
            "os_service_pack": ""
        },
        "service_name": "esensor",
        "hostname": "DESKTOP-QBBSCUT",
        "pid": 2612,
        "process_name": "esensor.exe",
        "ipv4_address": "10.6.56.246",
        "interface_name": "Ethernet0",
        "policy": {
            "task_id": "c228bd21-88ef-4c2d-8366-9a2c123a217b",
            "local_msg": "Success",
            "generation_number": 1541611048713101889,
            "policy_hash": "8f490e40ee217045879823462e7f255cee31f9be4fa552c90d1ce2f816189d09",
            "is_policy_applied": true,
            "local_code": 0
        },
        "mac_address": "00:50:56:b1:43:6e",
        "malware_feature_version": "3.0.0",
        "os_type": "windows",
        "machine_id": "f1d2013c-9979-14e5-0b4e-d5d481492723",
        "is_persistent": true,
        "have_state": true
    },
    "metadata": {
        "task_id": "b17f659a-491a-4460-ad04-53d49bfc1fa7",
        "priority": 0,
        "correlation_id": "49f745d9-cebd-4e8e-a103-8214389a389c",
        "key": "auth",
        "semantic_version": "3.50.0",
        "type": "auth",
        "message_id": "a9935fa4-746b-4cec-9580-5a7480ce9244",
        "origination_task_id": "abe242c6-580d-4bb2-b77a-8ef1aa4fb2c2",
        "collection_time": 1541776578.0132115
    }
}

The end result was that because the 'final' field is falsey, the second auth packet got routed to fraggo. Evidence for this was in redis:

{'msg': {'fragment': None, 'metadata': {'chunk_id': 0, 'message_id': '620eb056-4642-4bc3-b201-3042466ac66b', 'key': 'auth', 'final': False}}, 'slot_key': 'bfgfft4asqf23c34vp4g.1', 'slot_off': 1617439, 'meta': {'sensor_id': '67689548-c886-536f-b4e2-36a2eb889cbd', 'account_id': 'f9e4afd3-0421-4506-b94c-2ac82c17b2a9', 'route': 'sensor.message', 'priority': 0, 'mode': 2, 'machine_id': '377ca05d-c924-527e-942a-08292e15e551'}, 'slot_sz': 1241}
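Added example, not part of the comment above and not the project's code: a sketch of how a routing rule keyed only on a falsey 'final' sends a whole auth message to fragment reassembly, next to a stricter rule and a check for records stranded that way. The function names, the "rejected" route and the assumption that fraggo is a fragment reassembler are hypothetical; the first sample record is the 'msg' part of the redis entry quoted above, the rest are constructed.

```python
# Added illustration, not the project's code. Function names are hypothetical;
# "fraggo" is the name used in the comment, assumed here to be a fragment reassembler.
FRAGMENT_ROUTE = "fraggo"

def route_on_truthiness(msg):
    """Pattern described in the comment: a falsey 'final' alone selects reassembly."""
    meta = msg.get("metadata", {})
    # False, None, 0 and a missing 'final' key all satisfy "not final".
    if msg.get("fragment") is not None or not meta.get("final"):
        return FRAGMENT_ROUTE
    return meta.get("key", "unrouted")

def route_strict(msg):
    """Assumed stricter rule: only a message carrying a fragment payload is a fragment."""
    meta = msg.get("metadata", {})
    if msg.get("fragment") is not None:
        # A real chunk must state its index and whether it is the last one.
        if not isinstance(meta.get("final"), bool) or not isinstance(meta.get("chunk_id"), int):
            return "rejected"
        return FRAGMENT_ROUTE
    return meta.get("key", "unrouted")

def find_stranded(records):
    """Message ids the truthiness rule parks in reassembly with nothing to reassemble."""
    return [
        r["metadata"].get("message_id")
        for r in records
        if route_on_truthiness(r) == FRAGMENT_ROUTE and r.get("fragment") is None
    ]

# First record: the 'msg' part of the redis entry quoted in the comment.
# The remaining records are constructed for this example.
SAMPLES = [
    {"fragment": None, "metadata": {"chunk_id": 0, "message_id": "620eb056-4642-4bc3-b201-3042466ac66b", "key": "auth", "final": False}},
    {"fragment": "AAAA", "metadata": {"chunk_id": 0, "message_id": "constructed-1", "key": "auth", "final": False}},
    {"fragment": "BBBB", "metadata": {"chunk_id": 1, "message_id": "constructed-1", "key": "auth", "final": True}},
    {"fragment": None, "metadata": {"message_id": "constructed-2", "key": "auth"}},
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s["metadata"]["message_id"], route_on_truthiness(s), route_strict(s))
    print("stranded:", find_stranded(SAMPLES))
```
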
