Open happysaini opened 4 years ago
link to Kibana logs&_a=(columns:!(message),filters:!(('$state':(store:appState),bool:(must:!((term:(log.file.path:%2Fvar%2Flog%2Fmessages)),(match:(message:oom-killer)))),meta:(alias:filter,disabled:!f,index:'filebeat-',key:bool,negate:!f,type:custom,value:'%7B%22must%22:%5B%7B%22term%22:%7B%22log.file.path%22:%22%2Fvar%2Flog%2Fmessages%22%7D%7D,%7B%22match%22:%7B%22message%22:%22oom-killer%22%7D%7D%5D%7D'))),index:'filebeat-',interval:auto,query:(language:kuery,query:''),sort:!(!('@timestamp',desc))))
| Description |
|---|
| Incorrect error message is displayed in the OOB deployment logs for invalid API key |

| Environment Detail |
|---|
| SMP IP: 10.6.111.9 |
| Version smp-platform: 3.16.0-7202.50a7c109.ga |
| Version smp-core: 4.24.0-3.a669fac4 |
| ENDGAME-SENSOR: 3.53.9 |
| User Details: admin/smp+3ndg@m3 |
| Browser Details: All |

| Preconditions |
|---|
| 1 - SMP admin user should be logged in. |
| 2 - Sensor profile should be created and the sensorinstaller.exe and the sensorconfig.cfg file should be placed on the endpoint for OOB deployment. |

| Steps to Reproduce |
|---|
| 1 - RDP to the endpoint. |
| 2 - Run command prompt using admin privileges. |
| 3 - Run the command: |
This was found when we noticed two auth packets from the sensor (END-4280). The first packet is eaten; the second is sent through and looks like:

```
---------------------------------------------------------------------------------------------------------
15:16:21.735947 [<< DATA] a6c68d52.540848b2 SESS:10.6.56.246:53904 IP:10.6.56.246 SZ: 994 ACK:1
{
  "data": {
    "sensor_version": "3.50.0-dev.20181106.105",
    "domain": "DESKTOP-QBBSCUT",
    "api_key": "5DE0B68B9B38101C2812",
    "is_host_isolated": false,
    "base_image": false,
    "os_version": {
      "os_minor": 0,
      "os_is_server": false,
      "os_major": 10,
      "os_build_number": 17134,
      "os_service_pack": ""
    },
    "service_name": "esensor",
    "hostname": "DESKTOP-QBBSCUT",
    "pid": 2612,
    "process_name": "esensor.exe",
    "ipv4_address": "10.6.56.246",
    "interface_name": "Ethernet0",
    "policy": {
      "task_id": "c228bd21-88ef-4c2d-8366-9a2c123a217b",
      "local_msg": "Success",
      "generation_number": 1541611048713101889,
      "policy_hash": "8f490e40ee217045879823462e7f255cee31f9be4fa552c90d1ce2f816189d09",
      "is_policy_applied": true,
      "local_code": 0
    },
    "mac_address": "00:50:56:b1:43:6e",
    "malware_feature_version": "3.0.0",
    "os_type": "windows",
    "machine_id": "f1d2013c-9979-14e5-0b4e-d5d481492723",
    "is_persistent": true,
    "have_state": true
  },
  "metadata": {
    "task_id": "b17f659a-491a-4460-ad04-53d49bfc1fa7",
    "priority": 0,
    "correlation_id": "49f745d9-cebd-4e8e-a103-8214389a389c",
    "key": "auth",
    "semantic_version": "3.50.0",
    "type": "auth",
    "message_id": "a9935fa4-746b-4cec-9580-5a7480ce9244",
    "origination_task_id": "abe242c6-580d-4bb2-b77a-8ef1aa4fb2c2",
    "collection_time": 1541776578.0132115
  }
}
```

The end result was that because the 'final' field is falsy, the second auth packet got routed to fraggo. Evidence for this was in redis:

```
{'msg': {'fragment': None,
         'metadata': {'chunk_id': 0, 'message_id': '620eb056-4642-4bc3-b201-3042466ac66b', 'key': 'auth', 'final': False}},
 'slot_key': 'bfgfft4asqf23c34vp4g.1',
 'slot_off': 1617439,
 'meta': {'sensor_id': '67689548-c886-536f-b4e2-36a2eb889cbd',
          'account_id': 'f9e4afd3-0421-4506-b94c-2ac82c17b2a9',
          'route': 'sensor.message', 'priority': 0, 'mode': 2,
          'machine_id': '377ca05d-c924-527e-942a-08292e15e551'},
 'slot_sz': 1241}
```
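An added consistency check over the redis envelope quoted above (example code, not from the issue or the product): it assumes the routing rule implied by the note, that a falsy `final` sends a message to the fragment reassembler, and cross-checks that flag against the envelope so a complete chunk-0 message with no fragment payload is flagged instead of being routed as a fragment. The `classify_envelope` and `variant` names are mine.

```python
import copy
from typing import Any

# Envelope copied from the redis entry quoted in the issue (Jira backslashes removed).
REDIS_ENTRY: dict[str, Any] = {
    "msg": {
        "fragment": None,
        "metadata": {"chunk_id": 0, "message_id": "620eb056-4642-4bc3-b201-3042466ac66b",
                     "key": "auth", "final": False},
    },
    "slot_key": "bfgfft4asqf23c34vp4g.1", "slot_off": 1617439,
    "meta": {"sensor_id": "67689548-c886-536f-b4e2-36a2eb889cbd",
             "account_id": "f9e4afd3-0421-4506-b94c-2ac82c17b2a9",
             "route": "sensor.message", "priority": 0, "mode": 2,
             "machine_id": "377ca05d-c924-527e-942a-08292e15e551"},
    "slot_sz": 1241,
}


def classify_envelope(entry: dict[str, Any]) -> tuple[str, str]:
    """Decide where an envelope should go and say why.

    Assumed rule (not the product's real router): a falsy `final` means "more
    chunks follow", so the message belongs to the fragment reassembler (fraggo in
    the issue). Before trusting the flag, cross-check it: a message with no
    fragment payload and chunk_id 0 cannot be a partial chunk, so a falsy `final`
    there is a malformed envelope, not a fragment.
    """
    msg = entry["msg"]
    md = msg["metadata"]
    final = md.get("final")  # may be missing, None or False: all falsy
    is_partial = msg.get("fragment") is not None or md.get("chunk_id", 0) > 0
    if not final and not is_partial:
        return "inconsistent", (f"message {md['message_id']} has final={final!r} "
                                "but carries no fragment and is chunk 0")
    if not final:
        return "fragment", f"chunk {md['chunk_id']} of {md['message_id']}"
    return md["key"], f"complete {md['key']} message {md['message_id']}"


def variant(entry: dict[str, Any], fragment: Any = None, **metadata: Any) -> dict[str, Any]:
    """Constructed test helper: copy the entry with changed fragment/metadata fields."""
    out = copy.deepcopy(entry)
    out["msg"]["fragment"] = fragment
    out["msg"]["metadata"].update(metadata)
    return out


if __name__ == "__main__":
    for name, env in [("as pasted", REDIS_ENTRY),
                      ("final=True", variant(REDIS_ENTRY, final=True)),
                      ("real chunk", variant(REDIS_ENTRY, fragment=b"...", chunk_id=1))]:
        print(f"{name:11} -> {classify_envelope(env)}")
```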