One-liner: How to check positional numbers of elements in the CheckPoint logs
CheckPoint log entries are semicolon-separated and can have … many … fields. How do you quickly find the positional number of a particular field in a particular log entry? Here’s a quick AWK one-liner: setting the record separator to “;” turns every field into its own record, so NR is the field’s position (in AWK, $0 is the whole record):
$ echo '315918;1Jan2019;0:03:30;fe80::d123:3aaa:fe80:fb73;ff02::1;ipv6-icmp;;accept;;;;10.1.2.26;log;;eth1.123;inbound;VPN-1 & FireWall-1;;f-firewall001;Network;0;;;;;;;;;Implied rule;;;Neighbor Advertisement;136;0;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;' | \
awk -v RS=\; '{print NR,$0}'
1 315918
2 1Jan2019
3 0:03:30
4 fe80::d123:3aaa:fe80:fb73
5 ff02::1
6 ipv6-icmp
7
8 accept
9
10
11
12 10.1.2.26
13 log
14
15 eth1.123
16 inbound
17 VPN-1 & FireWall-1
18
19 f-firewall001
20 Network
21 0
22
23
24
25
26
27
28
29
30 Implied rule
31
32
33 Neighbor Advertisement
34 136
35 0
36
37
...
92
A slightly longer alternative that uses the field separator instead of the record separator:
awk -F\; '{ for (i=1;i<=NF;i++) {print i,$i}}'
To number the field names (provided the logs are converted to TXT and gzipped):
$ zcat 2019-01-01_025249_2308.log.txt.gz | head -1 | awk -v RS=\; '{ print NR,$0}'
1 num
2 date
3 time
4 src
5 dst
6 proto
7 service
8 action
9 xlatesrc
10 xlatedst
11 peer gateway
12 orig
13 type
14 alert
15 i/f_name
16 i/f_dir
17 product
18 log_sys_message
19 origin_id
20 ProductFamily
21 rule
22 rule_uid
23 rule_name
24 service_id
25 NAT_rulenum
26 NAT_addtnl_rulenum
27 s_port
28 xlatedport
29 xlatesport
30 message_info
31 inzone
32 outzone
33 ICMP
34 ICMP Type
35 ICMP Code
36 TCP packet out of state
37 tcp_flags
38 scheme:
39 methods:
40 encryption failure:
41 partner
42 community
43 fw_subproduct
44 vpn_feature_name
45 srckeyid
46 dstkeyid
47 IKE:
48 CookieI
49 CookieR
50 msgid
51 IKE notification:
52 Certificate DN:
53 IKE IDs:
54 user
55 rule_guid
56 hit
57 policy
58 first_hit_time
59 last_hit_time
60 log_id
61 message
62 ip_id
63 ip_len
64 ip_offset
65 fragments_dropped
66 during_sec
67 fw_message
68 reject_category
69 DCE-RPC Interface UUID
70 Log delay
71 description
72 status
73 version
74 comment
75 update_service
76 Protection Name
77 Severity
78 Confidence Level
79 protection_id
80 SmartDefense Profile
81 Performance Impact
82 Industry Reference
83 Protection Type
84 detected port
85 protocol
86 Attack Info
87 attack
88 FollowUp
89 Log ID
90 spi
91 encryption fail reason:
92 rpc_prog
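Putting the two one-liners together: once you have the header line, you can pair every positional number with its field name and the value from a given record in one pass, and look up a field's position by name instead of counting. The script below is an added example, not code from the original post; CP_HEADER and CP_RECORD are a constructed header and record (the first eight fields of the entry shown above), and the function names are my own.

```shell
# Added example, not from the original post. Pairs each field of a
# semicolon-separated CheckPoint log record with its position and header name.
# CP_HEADER / CP_RECORD are constructed fixtures (first 8 fields of the sample
# entry above), not output captured from a real firewall.
CP_HEADER='num;date;time;src;dst;proto;service;action'
CP_RECORD='315918;1Jan2019;0:03:30;fe80::d123:3aaa:fe80:fb73;ff02::1;ipv6-icmp;;accept'

# cp_field_index HEADER RECORD
# prints "position name value" for every field of RECORD; empty fields show as "-",
# positions beyond the header are named "?"
cp_field_index() {
    printf '%s\n%s\n' "$1" "$2" | awk -F';' '
        NR==1 { for (i=1;i<=NF;i++) name[i]=$i; next }
        { for (i=1;i<=NF;i++)
              printf "%d %s %s\n", i, (i in name ? name[i] : "?"), ($i=="" ? "-" : $i) }'
}

# cp_field_pos HEADER NAME
# prints the 1-based position of NAME in HEADER (nothing if absent)
cp_field_pos() {
    printf '%s\n' "$1" | awk -F';' -v want="$2" '{ for (i=1;i<=NF;i++) if ($i==want) print i }'
}

# usage: with a converted log (see the logexport one-liner on this page) you would
# pass "$(zcat file.log.txt.gz | head -1)" as the header and any later line as the record
cp_field_index "$CP_HEADER" "$CP_RECORD"
cp_field_pos "$CP_HEADER" action
```

Because the header is read as the first record and the values as the second, the same awk works unchanged on the full 92-field header of a converted log.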
Quick MyBB MySQL fix
Quick SQL fix to address the following issues for some MyBB users:
- Hotlinked images and videos are not shown
- Quoted images and videos are not shown
- Classic layout is not enforced
- “Friendly redirects” are not disabled
UPDATE `mybb_users` SET classicpostbit=1 WHERE classicpostbit=0;
UPDATE mybb_users SET showimages=1,showvideos=1 WHERE showimages=0;
UPDATE mybb_users SET showredirect=0 WHERE showredirect=1;
The first statement is the most important because of the bug in MyBB UserCP.
One-liner: How to convert CheckPoint firewall logs
To make the log format predictable, create /etc/fw/conf/logexport.ini with the following content.
For R70 (Secuplat):
[Fields_Info]
included_fields=num,date,time,src,dst,proto,service,action,xlatesrc,xlatedst,peer gateway,<REST_OF_FIELDS>
For R77 (GAIA):
[Fields_Info]
included_fields=date,time,src,dst,proto,service,action,xlatesrc,xlatedst,peer gateway,<REST_OF_FIELDS>
Create a directory for the converted logs:
mkdir /var/log/2019.txt
Run the following command to convert all logs, for example, for January 2019:
for i in $FWDIR/log/2019-01-*.log; do echo $i; fwm logexport -n -p -i $i | gzip -c - > /var/log/2019.txt/$(basename $i).txt.gz; done
One-liner: how to convert CheckPoint netconf.C routes to Gaia/Clish commands
Provided all route metrics are zero:
cat /etc/sysconfig/netconf.C | tr '(' ' '| tr ')' ' ' | tr '"' ' '| tr ':' ' ' | tr '\t' ' '| tr -s ' '| sed -e 's/^ //' | sed 's/routes//' | awk '/route/ {printf("set static-route ");} /dest/ {printf("%s ",$2);} /via/ {printf("nexthop gateway address %s ",$2);} /metric/ {print "on"}'
The result:
set static-route 10.13.198.160/27 nexthop gateway address 10.12.12.1 on
set static-route 10.13.198.192/27 nexthop gateway address 10.12.12.1 on
set static-route 192.168.112.0/24 nexthop gateway address 10.12.12.1 on
set static-route 192.168.113.0/24 nexthop gateway address 10.12.12.1 on
set static-route 192.168.114.0/24 nexthop gateway address 10.12.12.1 on
set static-route 192.168.115.0/24 nexthop gateway address 10.12.12.1 on
set static-route default nexthop gateway address 10.0.0.1 on
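The one-liner above silently assumes every metric is zero; a route with a non-zero metric would be emitted as a plain “on” route and lose its ordering. The script below is an added example, not the original post's one-liner: it keeps state per route block, converts only metric-0 routes and reports the others on stderr so they can be handled by hand. NETCONF_SAMPLE is a constructed snippet whose layout (one :dest/:via/:metric triple per route) is an assumption; only those three keys are relied on, which is what the original one-liner also keys on.

```shell
# Added example, not from the original post. Converts netconf.C-style route
# entries to Gaia clish commands and warns about (instead of converting)
# any route whose metric is not 0.
# NETCONF_SAMPLE is a constructed snippet; the exact layout of a real
# netconf.C may differ (only the :dest/:via/:metric lines are relied on).
NETCONF_SAMPLE='
    :routes (
        : (
            :dest (10.13.198.160/27)
            :via (10.12.12.1)
            :metric (0)
        )
        : (
            :dest (192.168.112.0/24)
            :via (10.12.12.1)
            :metric (5)
        )
        : (
            :dest (default)
            :via (10.0.0.1)
            :metric (0)
        )
    )'

# netconf_to_clish: stdin = netconf.C text; stdout = clish commands for metric-0
# routes; stderr = one warning per route whose metric is non-zero
netconf_to_clish() {
    # strip the C-file punctuation so each line becomes "key value"
    tr '()":\t' '     ' | awk '
        $1=="dest"   { dest=$2 }
        $1=="via"    { via=$2 }
        $1=="metric" {
            if ($2 == 0)
                printf "set static-route %s nexthop gateway address %s on\n", dest, via
            else
                printf "WARNING: %s via %s has metric %s, not converted\n", dest, via, $2 > "/dev/stderr"
            dest=""; via=""
        }'
}

# usage on a real file: netconf_to_clish < /etc/sysconfig/netconf.C
printf '%s\n' "$NETCONF_SAMPLE" | netconf_to_clish
```

The metric line closes each block, so emitting on “metric” guarantees dest and via have already been seen for that route; resetting them afterwards prevents a block missing one key from inheriting the previous route's value.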
How to start Cisco ASDM from command-line (Windows, UNIX)
The following command can be used to start Cisco ASDM from the command line on Windows (without installing ASDM) or UNIX. Java must be installed locally:
javaws https://CISCO_ASA_IP/admin/public/asdm.jnlp
Python on Solaris: Wrong ELF class: ELFCLASS64
If “pip” installed 64-bit libraries, while python is a 32-bit binary, “pkg” might stop working with the following error messages:
ImportError: ld.so.1: bootadm: fatal: /usr/lib/python2.7/site-packages/lxml/etree.so: wrong ELF class: ELFCLASS64
ImportError: ld.so.1: python2.7: fatal: /usr/lib/python2.7/site-packages/_cffi_backend.so: wrong ELF class: ELFCLASS64
$ file `which python`
/usr/bin/python: ELF 32-bit LSB executable 80386 Version 1 [SSE], dynamically linked, not stripped
The workaround is to remove the corresponding python packages (in this case cffi and lxml), then download and rebuild them manually as 32-bit with “-m32”:
$ export CFLAGS="-m32"
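Rather than waiting for the next ImportError, you can find every extension module whose ELF class differs from the interpreter that will load it. The script below is an added example, not part of the original post: it reads byte 4 of the ELF header (EI_CLASS, 1 = 32-bit, 2 = 64-bit) with od, so it does not depend on the wording of `file` output and works the same on Solaris and Linux. The function names are mine, and make_fake_elf only writes constructed ELF headers (not loadable binaries) so the check can be exercised without a real 32/64-bit mix on the machine.

```shell
# Added example, not from the original post: report shared objects whose ELF
# class (32- vs 64-bit) differs from the python interpreter's, i.e. the mismatch
# behind "wrong ELF class: ELFCLASS64". Byte 4 of the ELF header (EI_CLASS) is
# 1 for 32-bit and 2 for 64-bit, so only od is needed, not `file`.

# elf_class FILE: prints 32, 64, or "not-elf" (exit 1 when not an ELF file)
elf_class() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || { echo not-elf; return 1; }
    case $(od -An -tu1 -j4 -N1 "$1" | tr -d ' \n') in
        1) echo 32 ;;
        2) echo 64 ;;
        *) echo not-elf; return 1 ;;
    esac
}

# check_py_modules PYTHON_BIN SITE_PACKAGES_DIR
# lists every .so under SITE_PACKAGES_DIR whose class differs from the
# interpreter's; exit status 1 if any mismatch was found, 2 if PYTHON_BIN is not ELF
check_py_modules() {
    python_bin=$1; site_dir=$2
    want=$(elf_class "$python_bin") || return 2
    rc=0
    # paths with spaces are not expected under site-packages; keep the loop simple
    for so in $(find "$site_dir" -name '*.so'); do
        got=$(elf_class "$so") || continue
        if [ "$got" != "$want" ]; then
            echo "MISMATCH: $so is ${got}-bit, interpreter is ${want}-bit"
            rc=1
        fi
    done
    return $rc
}

# make_fake_elf PATH 32|64: constructed fixture, writes only an ELF header so
# the check can be tried anywhere; these are not runnable binaries
make_fake_elf() {
    if [ "$2" = 64 ]; then cls='\002'; else cls='\001'; fi
    printf '\177ELF'"$cls"'\001\001\000' > "$1"
}

# usage on the system from the post (paths taken from its error messages):
#   check_py_modules /usr/bin/python /usr/lib/python2.7/site-packages
```

Any line printed names a package to remove and rebuild with CFLAGS="-m32" as described above; a clean run exits 0.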
One-liner: how to generate group-url for all remote-access tunnel-groups (Cisco ASA)
This one-liner takes Cisco ASA config, checks for “tunnel-group … remote-access” and generates the following two lines:
tunnel-group GROUPNAME webvpn-attributes
 group-url https://CISCO_ASA_FW_FQDN/GROUPNAME enable
for i in `fgrep tunnel-group CISCO_ASA.conf | fgrep remote-access | awk '{print $2}'`; do echo "tunnel-group $i webvpn-attributes"; echo " group-url https://CISCO_ASA_FW_FQDN/$i enable"; done
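The two fgrep filters match any line containing both strings, so a description or a group name that merely contains “remote-access” would be picked up too. The function below is an added example, not the original post's loop: it matches the exact ASA statement “tunnel-group NAME type remote-access” field by field and takes the FQDN as a parameter. ASA_SAMPLE is a constructed configuration excerpt, and vpn.example.com is a placeholder hostname.

```shell
# Added example, not from the original post. Generates webvpn group-url
# statements only for "tunnel-group NAME type remote-access" lines.
# ASA_SAMPLE is a constructed config excerpt, not a real device config.
ASA_SAMPLE='hostname asa1
tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group VPN-USERS type remote-access
tunnel-group VPN-USERS general-attributes
 address-pool VPN-POOL
tunnel-group VPN-ADMINS type remote-access
tunnel-group 203.0.113.10 type ipsec-l2l'

# asa_group_urls FQDN: stdin = ASA config, stdout = the two lines per group
asa_group_urls() {
    awk -v fqdn="$1" '
        $1=="tunnel-group" && $3=="type" && $4=="remote-access" {
            printf "tunnel-group %s webvpn-attributes\n group-url https://%s/%s enable\n", $2, fqdn, $2
        }'
}

# usage on a saved config: asa_group_urls vpn.example.com < CISCO_ASA.conf
printf '%s\n' "$ASA_SAMPLE" | asa_group_urls vpn.example.com
```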
One-liner: how to get image URLs from Google Image search
Let’s search for “red apple”:
For Solaris (use gsed instead of sed):
curl -A "Mozilla/5.0 (X11; SunOS i86pc; rv:52.0) Gecko/20100101 Firefox/52.0" \
 'https://www.google.nl/search?q=red+apple&tbm=isch' 2>/dev/null | \
 tail -1 | gsed -e 's/,"ow":/*/g' -e 's/,"ou":/*Image:/g' | \
 tr '*' '\n' | grep "^Image" | sed -e 's/^Image:"//' -e 's/"$//'
For Linux:
curl -A "Mozilla/5.0 (X11; SunOS i86pc; rv:52.0) Gecko/20100101 Firefox/52.0" \
 'https://www.google.nl/search?q=red+apple&tbm=isch' 2>/dev/null | \
 tail -1 | sed -e 's/,"ow":/*/g' -e 's/,"ou":/*Image:/g' | \
 tr '*' '\n' | grep "^Image" | sed -e 's/^Image:"//' -e 's/"$//'