I'm trying to get Microsoft's Windows Filtering Platform stmedit sample to work and am running into some difficulties.
When I turn on the InspectOutbound flag in the registry, set EditInline to 1, set InspectionPort to 80, set StringToFind to A and StringToReplace to B, and use a proxy, going to www.A.com redirects to www.B.com as expected since the destination is moved to part of the payload.
When I turn off the InspectOutbound flag in the registry (in order to inspect inbound packets), still using EditInline, still InspectionPort=80, accessing a simple http://www.somewebsite.com/somepage.html page I see that no functions from the driver source code have been called. I can see on WireShark that packets are in fact going through port 80 as expected.
I added a DbgPrint() call to every function in the source code to see the basic code flow without having to use the debugger for everything, although I do have it working and haven't been able to find the issue here.
Any help would be really appreciated.
Related
I have a something that is sending an SNMP set command to my server. I can see the packet in wireshark, and I know that I'm getting the packet. Once I get this packet I need to decode it and do an operation (using a script). I can't believe I am the first person that needs to do this, but have googled for hours and found no one else in this use case. I've seen utilities that allow me to use a get snmp, but as the set doesn't actually set anything on my server, there is no way to get it. It doesn't seem traps are helpful as that seems to find the message, as its not labeled a trap. Is there a way to convert the set to a trap once my server gets it, or is there a better method. My server is windows, but if I have to create a linux VM to make this easier I'm all ears. As of now I'm thinking powershell, but if there is an easy way in go, c#, etc I would totally do it.
I am attempting to get a SNMP SET to and use that as a trigger for running a script.
You are 100% correct in that you are not the first person to ask this question. The answer depends on which SNMP agent you have deployed. Many people have had success with Net SNMP and if you want to invoke a shell script from the SNMP agent, see this tutorial. Good luck with your project.
I ended up using pythons pysnmp to build an agent that would recieve the set/get requests. I had to compile my own MIBs for the PDU I was emulating, but got the job done. I also looked into Net SNMP, but I'm more familiar with python and found many helpful examples and good documentation.
I would like to flatten my use case, but at the moment I have two scripts, one that is the agent using pysnmp and one that will do a get request to see what the value is and set off a ssh script. I wish I could hook into the snmp set function, like when the var is written, but for now I have working setup. If anyone wants me to post my code I can.
Copied a lot of code from the second example here:
https://pysnmp.readthedocs.io/en/latest/examples/v3arch/asyncore/agent/cmdrsp/agent-side-mib-implementations.html
Learned about MIB compiling and used the mbidump.py tool. Looks like if you don't provide the proper file the old host server might be compromised and it downloads a file automatically...so be careful.
I have a syslog server, but I need to find out the URL that has been used to reach my server. For example I have syslog1.example.com and syslog2.example.com, both of which hit the same server, then in the conf file I will filter which URL was set and update a database field based on this value.
I have added fields to the database and using the conf file I am able to manipulate the request, but I need the referer URl. Does anyone have any idea how I can get this.
Obviously I have managed everything else, but have tried little towards this part of the task as I need to know if it is possible and my searches are bringing up results based on Curl which is not what I need. If anyone knows how I can get the URL, it would be most appreciated.
Update
I have a device which has busybox and syslogd installed. I am able to set an address on the device for the syslog, for example 1.1.1.1:514. But I am not able to do anymore on the device other than this.
I have for example 100 devices, 50 are type A and 50 are type B. The issue is that when using 1.1.1.1:514 in every device as the syslog server address, when receiving the device information on the remote syslog server I am unable to differentiate whether the device is type A or type B.
I have the following solution in mind, although there may be another way to achieve this. If I create two subdomains and point them to the same address, ie typea.example.com and typeb.example.com, then in theory in devices with a type A I will set the remote syslog address to typea.example.com:514 and for type B, typeb.example.com:514. Both of these subdomains will point to 1.1.1.1, therefore the syslog information is now being received by devices of Type A and devices of Type B.
I need to now figure out how to in the syslog.conf on the remote server, find out whether the information was received by a device using typea.example.com or typeb.example.com.
The server does not have apache installed etc, however, in PHP for example we can use $_SERVER and normally I would be able to retrieve this information from, $_SERVER['HTTP_HOST']. Is there any way to do this in the syslog.conf on the remote syslog server.
As mentioned this is one solution I have in mind and it may not be the only one. Syslog is new to me and I am currently wrapping my head around this. From what I understand rather than variable or parameters, syslog uses macros. None of the macros provided seem to give me the information I need.
I know I can also set the syslog by doing say
syslogd -R 1.1.1.1:514
Is there anyway here I can include further information for example:
syslogd -R 1.1.1.1:514 type=a
Then I could say use $TYPE to get the value or alternatively add a custom header with the syslog.
As you can likely tell I am racking my brains for solutions and hitting brick walls. Any solution or docs that may point me in the right direction would be greatly appreciated.
Final point would be to mention I am also looking at redirecting the syslog info to a PHP script or a C (I'll say script but I know I am wrong) in order to vet the information there and then insert into the DB.
Quite simply I need a way to differentiate by type A or type B. Hopefully this clears matters up and these are not just the ramblings of a mad man.
The team I am working with has bought a CloudPort license (from CrossCheck Networks) and we are currently facing the problem of not being able to implement any sort of logic in the service Mocks (to control response selection). It would be something as simple as:
if (requestCounter++ == 1)
then
response = $fn:Global(MyFirstXmlString)$ // <-- this is CloudP syntax for vrbls
else
response = $fn:Global(MySecondXmlString)$.
We did not find any sample for using the Dll Plugin and neither of the two JScript and VBScript Tasks are working (i.e., our client machine gets back not the desired MySecondXmlString response but instead a Fault with
<faultstring>
ActiveX control '0e59f1d5-1fbe-11d0-8ff2-00a0d10038bc' cannot be instantiated
because the current thread is not in a single-threaded apartment.
</faultstring>.
Believe it or not, the fault above is being obtained even if the J- or VB-Script task is left empty! It's hard for us to believe that all the logic functionality advertised in the CloudPort UI is fake and that nothing is able to help one implement the kind of logic described above.
Any help would be appreciated!
Thanks,
Pompi
PS: A bit more details here on why the kind of logic described above is needed: We use SoapSonar in our testing framework to fire requests to a BizTalk orchestration application. The CP mocks are needed to simulate the environment of that BT orchestration. We cannot control individual mocked responses via SSonar requests: the (for cloudport: incoming) client requests are made by Production code and cannot be altered or controled by our SSonar client). The only Tasks functionality that worked for us is a DB-table working as an offline channel b/w SSonar and CP (SSonar writes in it and CP reads from it). CloudPort's reading of, say, responseXml's, from DB works fine but we cannot find a way to implement further behavior controlling logic on the CP side. Therefore, this stackoverflow posting. And thx for having the patience to read this whole shananigan :).
Don't think you can control this from the script.
The threading model should be controlled by the host, which I suppose uses windows's "vbscript.dll" for the actual execution.
So if you cannot find any settings under the tool's options or in the help :), you should look in the registry keys for the threading options of that ActiveX or "vbscript.dll"
That is the "ThreadingModel" value and try to change the values (you will also have to search the net for those, don't know them by heart).
There are chances that some other application (antivirus?) has changes the path to the dll that the COM interface should actually point to (see http://social.technet.microsoft.com/Forums/en-US/ieitpropriorver/thread/ac10bd5f-6d91-4aac-857c-0ed5758088ec)
Hope it helps.
Okay, I know it sounds generic. But I mean on an AJAX level. I've tried using Firebug to track the NET connections and posts and it's a mystery. Does anyone know how they do the instant autosave constantly without DESTROYING the network / browser?
My guess (and this is only a guess) is that google uses a PUSH service. This seems like the most viable option given their chat client (which is also integrated within the window) also uses this to delivery "real time" messages with minimal latency.
I'm betting they have a whole setup that manages everything connection related and send flags to trigger specific elements. You won't see connection trigers because the initial page visit establishes the connection then just hangs on the entire duration you have the page open. e.g.
You visit the page
The browser established a connection to [example]api.docs.google.com[/example] and remains open
The client-side code then sends various commands and receives an assortment of responses.
These commands are sent back and forth until you either:
Lose the connection (timeout, etc.) in which case it's re-established
The browser window is closed
Example of, how I see, a typical communication:
SERVER: CLIENT:
------- -------
DOC_FETCH mydocument.doc
DOC_CONTENT mydocument.doc 15616 ...
DOC_AUTOSAVE mydocument.doc 24335 ...
IM collaboratorName Hi Joe!
IM_OK collaboratorName OK
AUTOSAVE_OK mydocument.doc OK
Where the DOC_FETCH command is saying I want the data. The server replies with the corresponding DOC_CONTENT <docname> <length> <contents>. Then the client triggers DOC_AUTOSAVE <docname> <length> <content>. Given the number of potential simultaneous requests, I would bet they keep the "context" in the requests/responses so after something is sent it can be matched up. In this example, it knows the IM_OK matches the second request (IM), and the AUTOSAVE_OK matches the first request (AUTOSAVE)--Something like how AOL's IM protocol works.
Again, this is only a guess.
--
To prove this, use something like ethereal and see if you can see the information transferring in the background.
I need to communicate with a Service using IPC from inside of a Browser Helper Object (registered with IE8). Unfortunately, all of this communication is done through an Assembly API that I have no control over. Whenever this API starts up I get the following error:
ExceptionSystem.Runtime.Remoting.RemotingException: Failed to connect to an IPC Port: The system cannot find the file specified.
I realize that it is difficult to discern what the issue is without source. However I am curious if anyone knows of anything sort of permissions or DLL issues that would prevent IPC from working in this case.
It looks like this issue can be caused by a number of things.
UAC, as always, can be an issue and should be disabled to make sure it isn't causing problems.
The other issue is that IE allocates a process for the main frame as well as individual tabs. This means that there is no guarantee that your BHO is in the main frame process. If you set the following registry key, IE will prevent the browser from allocating extra tab processes:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]"TabProcGrowth"=dword:00000000
In general, neither of these solutions are ideal though. I ended up backing away from this entire attempt as it seems very problematic from a number of angles.