snovvcrash / usbrip

Tracking history of USB events on GNU/Linux
https://habr.com/ru/post/352254/
GNU General Public License v3.0

Sort by year (feature request) #7

Closed scaery closed 5 years ago

scaery commented 5 years ago

The USB history counts on syslog events and does not care about the years...

Would be a "nice 2 have" feature!

snovvcrash commented 5 years ago

From v2.1.4 usbrip works with a slightly modified syslog structure to support rich timestamps. This feature has been waiting in the TODO list for a long time already xD

scaery commented 5 years ago

Hey cool thingy...

The timestamps from Kali Linux / Debian syslog seem to be a bit different. Would be nice to match...

Error:


         _     {{4}}    {v2.1.4-1}
 _ _ ___| |_ ___[3]___ 
| | |_ -| . |  _[N] . |
|___|___|___|_| [S]  _|
               x[!]_|   https://github.com/snovvcrash/usbrip

[*] Started at 2019-08-11 12:34:47
[12:34:47] [INFO] Searching for log files: "/var/log/syslog*" or "/var/log/messages*"
[12:34:47] [INFO] Reading "/var/log/syslog"
Traceback (most recent call last):
  File "/usr/local/bin/usbrip", line 11, in <module>
    load_entry_point('usbrip==2.1.4.post1', 'console_scripts', 'usbrip')()
  File "/usr/local/src/pentest-forensics/usbrip/usbrip/__main__.py", line 87, in main
    ueh = USBEvents(args.file)
  File "/usr/local/src/pentest-forensics/usbrip/usbrip/lib/core/usbevents.py", line 86, in __new__
    filtered_history = _get_filtered_history()
  File "/usr/local/src/pentest-forensics/usbrip/usbrip/lib/core/usbevents.py", line 273, in _get_filtered_history
    filtered_history.extend(_read_log_file(syslog))
  File "/usr/local/src/pentest-forensics/usbrip/usbrip/lib/core/usbevents.py", line 317, in _read_log_file
    date = datetime.strptime(line[:32], '%Y-%m-%dT%H:%M:%S.%f%z')  # ex. 2019-08-09T06:15:49.655261-04:00
  File "/usr/lib/python3.7/_strptime.py", line 577, in _strptime_datetime
    tt, fraction, gmtoff_fraction = _strptime(data_string, format)
  File "/usr/lib/python3.7/_strptime.py", line 359, in _strptime
    (data_string, format))
ValueError: time data 'Jul 18 12:00:39 box kernel: [ 50' does not match format '%Y-%m-%dT%H:%M:%S.%f%z'
[*] Shutted down at 2019-08-11 12:34:47
[*] Time taken: 0:00:00.030047

This line in particular is the concern:

ValueError: time data 'Jul 18 12:00:39 box kernel: [ 50' does not match format '%Y-%m-%dT%H:%M:%S.%f%z'

and here is my syslog data:

egrep "Jul 18 12:00:39 box kernel" /var/log/syslog*
/var/log/syslog:Jul 18 12:00:39 box kernel: [ 5030.461995] usb 1-2: USB disconnect, device number 2
/var/log/syslog:Jul 18 12:00:39 box kernel: [ 5030.462003] usb 1-2.1: USB disconnect, device number 4
/var/log/syslog:Jul 18 12:00:39 box kernel: [ 5030.512783] usb 1-2.4: USB disconnect, device number 6
/var/log/syslog:Jul 18 12:00:39 box kernel: [ 5030.512794] usb 1-2.4.1: USB disconnect, device number 7

I do not want to update my RSYSLOG_FileFormat, just using what is default.

snovvcrash commented 5 years ago

That's the point here. The standard syslog (rsyslog) structure would no longer be supported. The Jul 18 12:00:39 timestamp doesn't provide the year info as you can see. You should configure the rsyslog daemon first (which is preinstalled on Kali, btw) and run the tool afterwards.
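
To make the mismatch concrete, here is an added example (not usbrip's own code) that accepts both layouts: the RSYSLOG_FileFormat stamp usbrip parses with the format string from the traceback, and the default year-less layout, for which the year has to be inferred from a reference time such as the log file's mtime and flagged as inferred. The sample lines, the host name and the mtime value are constructed for the example.

```python
import re
from datetime import datetime

# Layout usbrip v2.1.4 expects: RSYSLOG_FileFormat (RFC 3339 with microseconds
# and UTC offset). The format string is the one shown in the traceback.
RFC3339_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"
# Legacy BSD-style layout of a default rsyslog: "Jul 18 12:00:39 host ..."
LEGACY_RE = re.compile(r"^([A-Z][a-z]{2}) ([ \d]\d) (\d\d:\d\d:\d\d) \S+ ")

# Constructed sample lines, modelled on the ones quoted in the issue.
RFC3339_LINE = "2019-08-09T06:15:49.655261-04:00 box kernel: [ 5030.461995] usb 1-2: USB disconnect, device number 2"
LEGACY_LINE = "Jul 18 12:00:39 box kernel: [ 5030.461995] usb 1-2: USB disconnect, device number 2"
LEGACY_LINE_WRAPPED = "Dec 24 09:15:02 box kernel: [ 12.345678] usb 1-2: new high-speed USB device number 3 using xhci_hcd"
# Constructed stand-in for the log file's mtime: the latest moment any line
# inside that file can refer to.
FILE_MTIME = datetime(2019, 8, 11, 13, 17, 26)


def parse_syslog_timestamp(line, reference=None):
    """Return (datetime, year_is_recorded) for one syslog line.

    RSYSLOG_FileFormat lines carry year and offset, so the result is exact.
    Legacy lines have no year: it is inferred as reference.year, or
    reference.year - 1 if that would place the event after the reference
    (a line cannot postdate the file it sits in). The False flag lets a
    timeline mark such dates as inferred rather than recorded.
    """
    try:
        return datetime.strptime(line[:32], RFC3339_FMT), True
    except ValueError:
        pass  # not RSYSLOG_FileFormat; try the legacy layout
    m = LEGACY_RE.match(line)
    if m is None:
        raise ValueError(f"unrecognised syslog timestamp: {line[:32]!r}")
    if reference is None:
        raise ValueError("legacy syslog line has no year; pass a reference datetime")
    month, day, clock = m.group(1), m.group(2).strip(), m.group(3)
    stamp = datetime.strptime(f"{reference.year} {month} {day} {clock}", "%Y %b %d %H:%M:%S")
    if stamp > reference:
        stamp = stamp.replace(year=reference.year - 1)
    return stamp, False


def group_by_year(lines, reference=None):
    """Bucket lines by recorded-or-inferred year: the sort the issue asks for."""
    buckets = {}
    for line in lines:
        when, _ = parse_syslog_timestamp(line, reference)
        buckets.setdefault(when.year, []).append(line)
    return buckets
```

Without a reference time a legacy line raises instead of guessing, which is the honest outcome for a forensic timeline; the inferred-year flag should be surfaced in any report built from default-format logs.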

scaery commented 5 years ago

Okay, many thanks. Adapted your changes to 2.1.4-1

echo "\$ActionFileDefaultTemplate RSYSLOG_FileFormat" > /etc/rsyslog.d/custom.conf
systemctl restart rsyslog.service

Let's see some USB plugs later.

usbrip events history

         _     {{4}}    {v2.1.4-1}
 _ _ ___| |_ ___[3]___ 
| | |_ -| . |  _[N] . |
|___|___|___|_| [S]  _|
               x[1]_|   https://github.com/snovvcrash/usbrip

[*] Started at 2019-08-11 13:17:26
[13:17:26] [INFO] Searching for log files: "/var/log/syslog*" or "/var/log/messages*"
[13:17:26] [INFO] Reading "/var/log/syslog"
[13:17:26] [INFO] Filtering events
[?] How would you like your event history list to be generated?

    1. Terminal stdout
    2. JSON-file

[>] Please enter the number of your choice (default is 1): 1
[13:17:28] [INFO] Preparing gathered events
[13:17:28] [INFO] Representation: Table

┌USB-History-Events───┬──────┬──────┬──────┬───────────────┬──────────────┬───────────────┬──────┬─────────────────────┐
│           Connected │ User │  VID │  PID │       Product │ Manufacturer │ Serial Number │ Port │        Disconnected │
├─────────────────────┼──────┼──────┼──────┼───────────────┼──────────────┼───────────────┼──────┼─────────────────────┤
│ 2019-08-11 •••••••• │ −−−− │ −−−− │ −−−− │ −−−−−−−−−−−−− │ −−−−−−−−−−−− │ −−−−−−−−−−−−− │ −−−− │ −−−−−−−−−−−−−−−−−−− │
│ 2019-08-11 13:17:25 │  box │ 0ccd │ 00d3 │ RTL2838UHIDIR │      Realtek │      00000001 │  1-2 │                   ∅ │
└─────────────────────┴──────┴──────┴──────┴───────────────┴──────────────┴───────────────┴──────┴─────────────────────┘
[*] Shutted down at 2019-08-11 13:17:28
[*] Time taken: 0:00:02.016696

Super cool! Works like a charm xD