I recently updated and replaced older repositories from my GitHub account that were hand-made modular alerts to send search results to other Splunk instances. The first one sends the search results to a Splunk HTTP Event Collector receiver. The second one came from our Splunk 2016 .conf talk on KVStore. It was useful for sending search results (typically an inputlookup of a table) to a remote KVStore lookup table.
You can find the updated Send To HEC TA on Splunkbase: TA-Send_to_HEC or in my GitHub repository: TA-Send_to_HEC.
This is useful for taking search results and sending them to another Splunk instance using HEC. If you choose JSON mode, it sends the results as a JSON payload of all the fields after stripping any hidden fields (hidden fields start with an underscore). RAW mode is a new option which takes the _raw field and sends ONLY that field to the remote HEC receiver.
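As an added illustration of the two modes (this is example code, not the TA's own source), the following Python builds HEC payloads from search result rows: JSON mode keeps every field except the underscore-prefixed hidden ones, RAW mode sends only _raw. The HEC endpoint path, the "Splunk <token>" authorization header and the newline-delimited batch body are the standard HEC conventions; skipping rows with no _raw in RAW mode and the sample rows are assumptions made here.

```python
import json
import urllib.request

def strip_hidden_fields(row):
    """Drop Splunk hidden fields, i.e. names starting with an underscore (_raw, _time, ...)."""
    return {k: v for k, v in row.items() if not k.startswith("_")}

def build_hec_events(rows, mode="json", index=None, sourcetype=None):
    """Turn search result rows into HEC event objects.
    json mode: the event is the row with hidden fields removed.
    raw mode:  the event is the row's _raw string and nothing else;
               rows without a _raw value are skipped (assumption made here)."""
    events = []
    for row in rows:
        if mode == "json":
            event = strip_hidden_fields(row)
        elif mode == "raw":
            if not row.get("_raw"):
                continue
            event = row["_raw"]
        else:
            raise ValueError(f"unknown mode {mode!r}")
        item = {"event": event}
        if index:
            item["index"] = index
        if sourcetype:
            item["sourcetype"] = sourcetype
        events.append(item)
    return events

def hec_request(token, events):
    """Headers and newline-delimited body for one POST to /services/collector/event,
    so a whole result set goes in a single request."""
    headers = {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}
    body = "\n".join(json.dumps(e, separators=(",", ":")) for e in events)
    return headers, body

def send_to_hec(url, token, events, timeout=10):
    """POST the events to a HEC receiver, e.g. https://splunk.example:8088/services/collector/event."""
    headers, body = hec_request(token, events)
    req = urllib.request.Request(url, data=body.encode("utf-8"), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8")

# Constructed sample rows, shaped like the results an alert action receives
SAMPLE_ROWS = [
    {"_time": "1559000000", "_raw": "Jun 1 user=alice action=login", "user": "alice", "action": "login"},
    {"_time": "1559000060", "_raw": "Jun 1 user=bob action=fail", "user": "bob", "action": "fail"},
]
```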
The SyncKVStore TA has been completely redone. I have submitted it to Splunkbase, but for the moment you can get it from my GitHub repository: TA-SyncKVStore.
Originally it only sent search results to a remote KVStore. Now it also has two modular inputs. The first pulls a remote KVStore collection (table) and puts it into a local KVStore collection. The second pulls the remote KVStore collection but indexes it locally in JSON format. It will strip the hidden fields before forming the JSON payload to index. You are responsible for making sure all the appropriate and matching KVStore collections exist.
If you look in the code you will notice an unusual hybrid of the Splunk SDK for Python to handle KVStore actions and my own Python class for batch saving the data to the collection. I could not get the batch_save method from the SDK to work at all. My own class already existed and was threaded for performance in my old version of the modular input, so I just used the SDK to clear the data if you want the replace option, and my own code for saving the new or updated data.
I rebuilt both of these TAs using the awesome Splunk Add-on Builder. This makes it easy, in the SyncKVStore TA, to store the credentials in Splunk's internal encrypted storage. One update to my previous post on credential storage: the Add-on Builder was recently updated and now gives much better multiple-credential management, with a “global account” pull-down selector you can use in your inputs and alert actions.
One of the things I built into my crowbar dictionary attack tools for DMG and keychain files from the start was Growl. Growl is a free add-on notification framework for your Mac. MANY popular Mac programs support Growl, so this is not just some odd plug-in. I recommend configuring the crowbar apps so that the “password found” and “not found” notifications at least pop up on your screen. The “password found” notification is even better when set to sticky. This means the alert stays on the screen until you click on it.
Now if you have an iPhone you can get the alert notifications right on your iPhone. There is a great iPhone application called Prowl. The developer’s site lets you create a login, which you set in the Prowl program. You download and install a Growl plugin for Prowl. The Prowl iPhone app is $2.99; the service and plugin are free. Lastly, all you do is customize the alert settings for the crowbar apps to send to Prowl, using the Growl preference pane.
Now when you leave those really large dictionaries running, you can leave them minimized and even leave the office or home, knowing you will get the status when the job finishes.
You can find out everything at the Prowl developer’s site: http://prowl.weks.net/
I dropped v1.0.2 of both crowbarDMG and crowbarKC into the automatic update feed. Just run the applications and choose Check for Updates, or allow automatic updates to run.
This update fixes a bug where I was not stripping the carriage return characters from Windows CRLF-formatted text files used as dictionaries. It would cause the program to appear to be properly checking passwords but never find the correct password, due to the extra CR character.
I love using the Sleuthkit tools fls and mactime to produce a timeline for file system analysis. But what if you are not compiler-friendly and have a Mac as your forensics workstation? Here is the quick and easy way to get Sleuthkit installed so you can run it against raw disk images.
- Get MacPorts from macports.org. It is a simple install from a dmg.
- Once installed, open a terminal session.
- Execute the command: sudo port -d selfupdate
- Execute the command: sudo port install sleuthkit
It will take a while for sleuthkit and all the dependencies to install. Once done, you should be able to run “man fls” and “man mactime” to see the manual pages for the tools and start using them.
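fls writes a bodyfile (one pipe-separated line per file) and mactime turns it into the timeline. As an added example, not the author's code and not Sleuthkit's, here is a small Python re-implementation of that second step over a constructed bodyfile; it shows how mactime's MACB flags are derived from the four timestamps fls records. The bodyfile column layout is TSK 3.x's; the sample entries are invented.

```python
from datetime import datetime, timezone

# TSK 3.x bodyfile columns, as written by `fls -r -m / image.dd`
FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size", "atime", "mtime", "ctime", "crtime")
# mactime's MACB flag order: Modified, Accessed, Changed (metadata), Born (created)
MACB = (("mtime", "m"), ("atime", "a"), ("ctime", "c"), ("crtime", "b"))

def parse_bodyfile(text):
    """Parse bodyfile lines into dicts; numeric columns become ints."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} columns, got {len(parts)}: {line!r}")
        entry = dict(zip(FIELDS, parts))
        for key in ("size", "atime", "mtime", "ctime", "crtime"):
            entry[key] = int(entry[key])
        entries.append(entry)
    return entries

def build_timeline(entries):
    """One row per (timestamp, file), flagged like mactime does (e.g. 'm.c.' when mtime
    and ctime share the timestamp). Zero timestamps are unknown and are skipped."""
    rows = []
    for e in entries:
        for t in sorted({e[k] for k, _ in MACB if e[k] > 0}):
            flags = "".join(f if e[k] == t else "." for k, f in MACB)
            rows.append((t, e["size"], flags, e["mode"], e["uid"], e["gid"], e["inode"], e["name"]))
    rows.sort(key=lambda r: (r[0], r[7]))
    return rows

def format_row(row):
    """Render a row in mactime's column order: date, size, MACB, mode, uid, gid, meta, name."""
    t, size, flags, mode, uid, gid, inode, name = row
    when = datetime.fromtimestamp(t, tz=timezone.utc).strftime("%a %b %d %Y %H:%M:%S")
    return f"{when} {size:>8} {flags} {mode} {uid} {gid} {inode} {name}"

# Constructed bodyfile: a document, a launch agent plist written in one go, and an app bundle
BODYFILE = """\
0|/Users/alice/Documents/report.docx|12345|r/rrw-r--r--|501|20|20480|1217990000|1217980000|1217980000|1217970000
0|/Users/alice/Library/LaunchAgents/com.example.agent.plist|12346|r/rrw-r--r--|501|20|512|1217990000|1217990000|1217990000|1217990000
0|/Applications/Example.app|777|d/drwxr-xr-x|0|80|272|1217900000|1217800000|1217800000|1217700000
"""
```

A file whose four timestamps are identical shows up as a single "macb" row, the signature of something written in one step, while the document spreads over three rows as it was created, modified and later read.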
A long time back I made a post on running Bonjour iTunes sharing over SSH. It works, but just for the machine you are SSH’ing into. Well, now Yazsoft, who makes Speed Downloader, has put out a tool called ShareTool.
ShareTool is a Bonjour relay tool over an SSH connection. It uses the existing Remote Login service built into OS X. It can take advantage of your existing setup if you already use SSH to access your network remotely. The one odd technical thing I have found is that it seems capable of ignoring the requirement for public key authentication on an existing Remote Login configuration, but only when using ShareTool itself. It does not even provide a means of specifying an authentication key to use. It still honors any user name restrictions you set up under the Remote Login preference panel.
*UPDATE* I found that, even though I thought I had moved my SSH key out of my folder for testing, it had hung onto a key in another location and my passphrase had been cached in my keychain. ShareTool will automatically use your key authentication if the key is present in your .ssh folder, and is unable to log in to your Mac if you require key authentication and the key is missing. Very sweet.
Connecting to remote services advertised by Bonjour (screen sharing, file sharing, etc.) all worked surprisingly well.
Some additional very nice features are UPnP to automatically configure your router, the option to use non-standard random high ports to avoid SSH bot attacks, and updating of Dynamic DNS services like DNS-o-Matic, DynDNS, etc. Lastly, it passes through access to all Bonjour services on the network you are connecting into.
They provide an evaluation version of the tool that allows 15 minutes of functionality at a time, to see if it meets your needs.
One last odd thing about the product: they require you to purchase one license for each machine you load the software on. This is only strange because you can only use it as a minimum of a pair: one on the machine you are connecting to and one on the machine you want to connect from. Software that has to work in a pair usually lets you run it with one license up front and then add singles after that. They want you to purchase a single license for $20 USD. At least they offer a “special” $30 USD for a pair of licenses. So look at the product as costing $30 out of the box, then $20 for each additional single license after that. A pack of 5 licenses is $75 USD.
You can check out my SSH Screencast Series over at Typical Mac User for more on using SSH/Remote Login services.
A long time back I tested the online backup service Mozy. By long time back I mean my version was mozy-0_6_2_6-502.dmg. Today I was troubleshooting an application I am beta testing for someone and needed console logs. Lo and behold, the Mozy removal script from that version was so bad it had left something behind. I have TONS of the following events showing in my Console.
8/6/08 9:15:53 PM com.apple.launchd (com.mozy.backup) posix_spawnp("/Applications/Mozy.app/Contents/Resources/MozyBackup", ...): No such file or directory
8/6/08 9:15:53 PM com.apple.launchd (com.mozy.backup) Exited with exit code: 1
Well, a bit of Googling and I found that this combination works to finally get rid of that sucker.
sudo launchctl unload /Library/LaunchDaemons/com.mozy.backup.plist
Follow that up by going into /Library/LaunchDaemons and tossing the file com.mozy.backup.plist into the trash. Now I have nice clean console logs for troubleshooting a real problem, not something sucking up CPU cycles trying to relaunch every 10 seconds.
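The launchd errors above come from a job whose plist survived but whose executable did not. As an added example (not from the post, and not Mozy's uninstaller), this Python checks a set of launchd plists for that condition and produces the same two-step cleanup the post describes; the sample plist is constructed from the log lines above, and its KeepAlive key and the com.example.ok job are assumptions.

```python
import os
import plistlib

def program_path(job):
    """The executable launchd will spawn: Program if set, else ProgramArguments[0]."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else None

def orphaned_jobs(jobs, exists=os.path.exists):
    """Return (plist_path, label, program) for jobs whose executable is missing.
    launchd keeps trying to spawn these, producing the posix_spawnp errors above."""
    found = []
    for path, job in jobs.items():
        prog = program_path(job)
        if prog is None or not exists(prog):
            found.append((path, job.get("Label", "?"), prog))
    return found

def load_launch_daemons(directory="/Library/LaunchDaemons"):
    """Parse every .plist in a launchd directory (real run on a Mac; not used by the test)."""
    jobs = {}
    for name in sorted(os.listdir(directory)):
        if name.endswith(".plist"):
            full = os.path.join(directory, name)
            with open(full, "rb") as fh:
                jobs[full] = plistlib.load(fh)
    return jobs

def cleanup_commands(plist_path):
    """The two-step removal from the post: unload the job, then remove its plist."""
    return [f"sudo launchctl unload {plist_path}", f"sudo rm {plist_path}"]

# Constructed plist modelled on the log lines above: the job's binary was deleted
# but the launchd plist was left behind (KeepAlive is an assumption)
SAMPLE_PLIST_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.mozy.backup</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Mozy.app/Contents/Resources/MozyBackup</string></array>
  <key>KeepAlive</key><true/>
</dict></plist>"""

SAMPLE_JOBS = {
    "/Library/LaunchDaemons/com.mozy.backup.plist": plistlib.loads(SAMPLE_PLIST_XML),
    "/Library/LaunchDaemons/com.example.ok.plist": {"Label": "com.example.ok", "Program": "/bin/ls"},
}
```

On a Mac, `orphaned_jobs(load_launch_daemons())` lists every system daemon pointing at a binary that no longer exists, which is exactly the leftover the Console was complaining about.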