One-liner: How to check the positional numbers of elements in the CheckPoint logs

CheckPoint log entries are divided by semi-colons and can have … many … fields. How to quickly check the positional number of a particular field in a particular log entry? Here’s a quick AWK one-liner (in AWK the “0” element is the whole line):

$ echo '315918;1Jan2019;0:03:30;fe80::d123:3aaa:fe80:fb73;ff02::1;ipv6-icmp;;accept;;;;10.1.2.26;log;;eth1.123;inbound;VPN-1 & FireWall-1;;f-firewall001;Network;0;;;;;;;;;Implied rule;;;Neighbor Advertisement;136;0;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;' | \ 
awk -v RS=\; '{print NR,$0}'
1 315918
2 1Jan2019
3 0:03:30
4 fe80::d123:3aaa:fe80:fb73
5 ff02::1
6 ipv6-icmp
7 
8 accept
9 
10 
11 
12 10.1.2.26
13 log
14 
15 eth1.123
16 inbound
17 VPN-1 & FireWall-1
18 
19 f-firewall001
20 Network
21 0
22 
23 
24 
25 
26 
27 
28 
29 
30 Implied rule
31 
32 
33 Neighbor Advertisement
34 136
35 0
36 
37 
...
92

A bit longer alternative variant:

awk -F\; '{ for (i=1;i<=NF;i++) {print i,$i}}'

To number the field names (provided the logs are converted to TXT and gzipped):

$ zcat 2019-01-01_025249_2308.log.txt.gz | head -1 |  awk -v RS=\; '{ print NR,$0}'
1 num
2 date
3 time
4 src
5 dst
6 proto
7 service
8 action
9 xlatesrc
10 xlatedst
11 peer gateway
12 orig
13 type
14 alert
15 i/f_name
16 i/f_dir
17 product
18 log_sys_message
19 origin_id
20 ProductFamily
21 rule
22 rule_uid
23 rule_name
24 service_id
25 NAT_rulenum
26 NAT_addtnl_rulenum
27 s_port
28 xlatedport
29 xlatesport
30 message_info
31 inzone
32 outzone
33 ICMP
34 ICMP Type
35 ICMP Code
36 TCP packet out of state
37 tcp_flags
38 scheme:
39 methods:
40 encryption failure:
41 partner
42 community
43 fw_subproduct
44 vpn_feature_name
45 srckeyid
46 dstkeyid
47 IKE:
48 CookieI
49 CookieR
50 msgid
51 IKE notification:
52 Certificate DN:
53 IKE IDs:
54 user
55 rule_guid
56 hit
57 policy
58 first_hit_time
59 last_hit_time
60 log_id
61 message
62 ip_id
63 ip_len
64 ip_offset
65 fragments_dropped
66 during_sec
67 fw_message
68 reject_category
69 DCE-RPC Interface UUID
70 Log delay
71 description
72 status
73 version
74 comment
75 update_service
76 Protection Name
77 Severity
78 Confidence Level
79 protection_id
80 SmartDefense Profile
81 Performance Impact
82 Industry Reference
83 Protection Type
84 detected port
85 protocol
86 Attack Info
87 attack
88 FollowUp
89 Log ID
90 spi
91 encryption fail reason:
92 rpc_prog

 

Quick MyBB MySQL fix

Quick SQL fix to address the following issues for some MyBB users:

  • Hotlinked images and videos are not shown
  • Quoted images and videos are not shown
  • Classic layout is not enforced
  • “Friendly redirects” are not disabled
UPDATE `mybb_users` SET classicpostbit=1 WHERE classicpostbit=0;
UPDATE mybb_users SET showimages=1,showvideos=1 WHERE showimages=0;
UPDATE mybb_users SET showredirect=0 WHERE showredirect=1;

The first line is the most important because of the bug in MyBB UserCP.

One-liner: How to convert CheckPoint firewall logs

To make the log format predictable, create /etc/fw/conf/logexport.ini with the following

For R70 (Secuplat):

[Fields_Info]
included_fields=num,date,time,src,dst,proto,service,action,xlatesrc,xlatedst,peer gateway,<REST_OF_FIELDS>  

For R77 (GAIA):

[Fields_Info]
included_fields=date,time,src,dst,proto,service,action,xlatesrc,xlatedst,peer gateway,<REST_OF_FIELDS>

Create a directory for the converted logs:

mkdir /var/log/2019.txt

Run the following command to convert all logs, for example, for January 2019:

 
for i in $FWDIR/log/2019-01-*.log; do echo $i; fwm logexport -n -p -i $i |  gzip -c - > /var/log/2019.txt/$i.txt.gz; done

One-liner: how to convert CheckPoint netconf.C routes to Gaia/Clish commands

Provided all route metrics are zeroes:

cat /etc/sysconfig/netconf.C | tr '(' ' '| tr ')' ' ' | tr '"' ' '| tr ':' ' ' | tr '\t' ' '| tr -s ' '| sed -e 's/^ //' | sed 's/routes//' | awk '/route/ {printf("set static-route ");} /dest/ {printf("%s ",$2);} /via/ {printf("nexthop gateway address %s ",$2);} /metric/ {print "on"}'

The result:

set static-route 10.13.198.160/27 nexthop gateway address 10.12.12.1 on
set static-route 10.13.198.192/27 nexthop gateway address 10.12.12.1 on
set static-route 192.168.112.0/24 nexthop gateway address 10.12.12.1 on
set static-route 192.168.113.0/24 nexthop gateway address 10.12.12.1 on
set static-route 192.168.114.0/24 nexthop gateway address 10.12.12.1 on
set static-route 192.168.115.0/24 nexthop gateway address 10.12.12.1 on
set static-route default nexthop gateway address 10.0.0.1 on

Python on Solaris: Wrong ELF class: ELFCLASS64

If “pip” installed 64-bit libraries, while python is a 32-bit binary, “pkg” might stop working with the following error messages:

ImportError: ld.so.1: bootadm: fatal: /usr/lib/python2.7/site-packages/lxml/etree.so: wrong ELF class: ELFCLASS64
ImportError: ld.so.1: python2.7: fatal: /usr/lib/python2.7/site-packages/_cffi_backend.so: wrong ELF class: ELFCLASS64
$ file `which python`
/usr/bin/python:	ELF 32-bit LSB executable 80386 Version 1 [SSE], dynamically linked, not stripped

The workaround is to remove the corresponding python packages (in this case cffi and lxml), download and recompile them manually with “-m32”:

$ export CFLAGS="-m32"

One-liner: how to generate group-url for all remote-access tunnel-groups (Cisco ASA)

This one-liner takes Cisco ASA config, checks for “tunnel-group … remote-access” and generates the following two lines:

tunnel-group GROUPNAME webvpn-attributes
 group-url https://CISCO_ASA_FW_FQDN/GROUPNAME enable
for i in `fgrep tunnel-group CISCO_ASA.conf | fgrep remote-access | awk '{print $2}'`
do
echo "tunnel-group $i webvpn-attributes"
echo " group-url https://CISCO_ASA_FW_FQDN/$i enable"
done

One-liner: how to get image URLs from Google Image search

Let’s search for “red apple”:

For Solaris (use gsed instead of sed):

curl -A "Mozilla/5.0 (X11; SunOS i86pc; rv:52.0) Gecko/20100101 Firefox/52.0" \
'https://www.google.nl/search?q=red+apple&tbm=isch' 2>/dev/null | \ 
tail -1 | gsed -e 's/,"ow":/*/g' -e 's/,"ou":/*Image:/g' | \ 
tr '*' '\n' | grep "^Image" | sed -e 's/^Image:"//' -e 's/"$//' 

For Linux:

curl -A "Mozilla/5.0 (X11; SunOS i86pc; rv:52.0) Gecko/20100101 Firefox/52.0" \
'https://www.google.nl/search?q=red+apple&tbm=isch' 2>/dev/null | \ 
tail -1 | sed -e 's/,"ow":/*/g' -e 's/,"ou":/*Image:/g' | \ 
tr '*' '\n' | grep "^Image" | sed -e 's/^Image:"//' -e 's/"$//'