CiscoSecurity/fp-05-firepower-cef-connector-arcsight

⚡ Windows / PowerShell script alternative

nicpenning opened this issue · 23 comments

I see there is encore.sh which will execute the code for the connector.

Since this is being run on Windows, I would rather have a more native way to execute encore.

Outside of re-writing the encore.sh to PowerShell (which I have done), is there any other out of the box functionality to run this on Windows?

I am willing to share my PowerShell script alternative to this project if no other way seems to exist.

Working through this same thing. Would you by chance be able to share your ps1 script for this?

Greatly appreciate it!

I will see if I can grab it as is. Might need to be updated since there have been some changes on this product.

Is there a setup.py missing with the distribution? I can take a crack at writing the ps1 script to call service.py and preflight.py, but the imports break to the other files in sub-directories.

I basically converted the encore.sh into encore.ps1 and called the pieces I needed. Mainly JSON output.

I created the PR here: #19

This is great, much appreciated. I was about to publish a script but yours is much more polished. I'm hitting an error that I have to work through still...

AttributeError: module 'win_inet_pton' has no attribute 'inet_ntop'

I've pip installed the dependency (pip install win_inet_pton) but still getting the error. Will have to dig on this one.

This was a weird thing. I had to edit the original python code as well.

Was it the binary.py file?

Yup, from the binary.py.

Do you recall what you edited? I thought it might have been a typo for the module but figured that would have been patched fairly quickly. I guess there just aren't a lot of users running this from a Windows box.

I got it here: 5e381cf

I committed that file change. Happy I found it. I remember spending a lot of time debugging and fixing that one haha!
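The `inet_ntop` error above is a portability problem rather than a logic bug: Python 2.7 on Windows ships no `socket.inet_pton`/`socket.inet_ntop` at all (which is why the `win_inet_pton` shim exists), while Python 3.4 and later provide both natively on Windows. A parser that renders packed address fields through the standard `ipaddress` module needs neither. The following is an added example, not eNcore's `binary.py` and not the fix committed in 5e381cf; the record layout and the treatment of an IPv4-mapped address in a 16-byte slot are my own assumptions for illustration, not a documented eStreamer rule. It targets Python 3; on 2.7 the `ipaddress` backport from PyPI supplies the same API.

```python
"""Added example: render packed IP address fields without socket.inet_ntop.

Python 2.7 on Windows lacks socket.inet_pton/inet_ntop (hence the
win_inet_pton shim); Python 3.4+ has them on Windows natively.  The
ipaddress module works on both, so a parser built on it needs no shim.
"""
import ipaddress
import socket


def has_native_ntop():
    """True when the running interpreter provides socket.inet_ntop."""
    return hasattr(socket, "inet_ntop")


def packed_to_text(packed):
    """Convert a 4-byte IPv4 or 16-byte IPv6 field to its text form.

    A 16-byte field holding an IPv4-mapped address (::ffff:a.b.c.d) is
    returned as the dotted quad.  That is an assumption about how a record
    might carry IPv4 in a 16-byte slot, not a documented eStreamer rule.
    """
    packed = bytes(packed)
    if len(packed) == 4:
        return str(ipaddress.IPv4Address(packed))
    if len(packed) == 16:
        addr = ipaddress.IPv6Address(packed)
        mapped = addr.ipv4_mapped  # IPv4Address or None
        return str(mapped) if mapped is not None else str(addr)
    raise ValueError("IP field must be 4 or 16 bytes, got %d" % len(packed))


def decode_ip_fields(record, layout):
    """Pull named IP fields out of a binary record.

    layout: list of (name, offset, length) tuples saying where each address
    sits.  The layout used in the demo below is constructed for illustration
    and is not eNcore's block definition.
    """
    out = {}
    for name, offset, length in layout:
        chunk = record[offset:offset + length]
        if len(chunk) != length:
            raise ValueError("record too short for field %r" % name)
        out[name] = packed_to_text(chunk)
    return out


# Constructed sample record: two 16-byte address slots, the source holding an
# IPv4-mapped address and the destination holding a plain IPv6 address.
SAMPLE_LAYOUT = [("src", 0, 16), ("dst", 16, 16)]
SAMPLE_RECORD = (
    b"\x00" * 10 + b"\xff\xff" + bytes(bytearray([192, 168, 8, 50]))
    + b"\x20\x01\x0d\xb8" + b"\x00" * 11 + b"\x01"
)


def demo():
    """Decode the constructed sample record into text addresses."""
    return decode_ip_fields(SAMPLE_RECORD, SAMPLE_LAYOUT)


if __name__ == "__main__":
    print("native inet_ntop available:", has_native_ntop())
    print(demo())
```

Because `ipaddress` normalises IPv6 text to the RFC 5952 compressed form, output is identical on Windows and Linux, which also keeps downstream CEF or JSON consumers from seeing two spellings of the same address depending on where the client ran.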

Awesome. Huge time saver for me. Really appreciate the help!

Please let me know if it works for you. I wrote it last July and haven't really touched it since. It was a POC and I thought it worked okay but not fully vetted, use at your own risk!

A step in the right direction. The ps script works great. After patching the binary.py I seem to be past that error, but still managed to hit another snag =/

```
2021-04-26 17:36:31,573 Writer INFO Starting process.
Process Process-1:
Traceback (most recent call last):
  File "C:\Users\myaccount\AppData\Local\Programs\Python\Python39\lib\site-packages\estreamer\pipeline.py", line 139, in parse
    parser.parse()
  File "C:\Users\myaccount\AppData\Local\Programs\Python\Python39\lib\site-packages\estreamer\adapters\binary.py", line 519, in parse
    self._parse( self.data, self.offset, self.record )
  File "C:\Users\myaccount\AppData\Local\Programs\Python\Python39\lib\site-packages\estreamer\adapters\binary.py", line 413, in _parse
    offset = self._parseAttributes( data, offset, attributes, record )
  File "C:\Users\myaccount\AppData\Local\Programs\Python\Python39\lib\site-packages\estreamer\adapters\binary.py", line 401, in _parseAttributes
    offset = self._parseBlock( data, offset, attribute, block )
  File "C:\Users\myaccount\AppData\Local\Programs\Python\Python39\lib\site-packages\estreamer\adapters\binary.py", line 216, in _parseBlock
    blockDefinition = Binary._blockDefinition( blockKey )
  File "C:\Users\myaccount\AppData\Local\Programs\Python\Python39\lib\site-packages\estreamer\adapters\binary.py", line 183, in _blockDefinition
    raise ParsingException('Unknown block definition: {0}', key )
estreamer.exception.ParsingException: ('Unknown block definition: {0}', 157)
```

I think I ran into that as well, let me check that file and get back to you. Might be tomorrow as I am away from the code.

Thanks again, greatly appreciate the help. Will update if I determine the issue before then.

So I feel pretty silly because I removed the init and main function calls. I added those back in on my latest commit. Try that (even though I don't think that will help).

Also, you shouldn't get any errors on the running of this script because it wasn't calling anything.

Lastly, here is me running it with a bad config:

```
PS C:\Users\myuser\Tools\PowerShell\fp-05-firepower-cef-connector-arcsight-3.8.4-windows> .\encore.sh.ps1 test
Where does your Python 2.7 live? Example - C:\Program Files\Python27\: C:\Program Files\Python27\
Python 2.7 is installed
Usage: encore.ps1 {start | stop | restart | foreground | test | setup}

    start:      starts eNcore as a background task
    stop:       stop the eNcore background task
    restart:    stop the eNcore background task
    foreground: runs eNcore in the foreground
    test:       runs a quick test to check connectivity
    setup:      change the output (splunk | cef | json)

Enter an option.: test
2021-04-26T18:39:25.307000 Diagnostics  INFO    Checking that configFilepath (estreamer.conf) exists
2021-04-26 18:39:25,437 Diagnostics  INFO     Check certificate
2021-04-26 18:39:25,450 Diagnostics  INFO     Creating connection
2021-04-26 18:39:25,453 Connection   INFO     Connecting to 192.168.8.50:8302
2021-04-26 18:39:25,456 Connection   INFO     Using TLS v1.2
2021-04-26T18:39:36.009000 Diagnostics  ERROR   TimeoutException: Could not connect to eStreamer Server at all. Are you sure the host and port are correct? If so then perhaps it is a firewall issue.
```

So I have confirmed that this works with the latest release.

Also, I was using Python 2.7. I haven't tested 3+ yet.

I had run the script from an IDE and called main from the command line. All that worked great. Seems to be just some issues down the line in binary.py.

What IDE did you use? Using ISE there are some odd errors but Visual Studio Code seemed to work well.

Visual code. The integrated IDE isn't supported anymore and has quite a few issues like you mentioned.

The client can connect to and authenticate with the pkcs12; once it begins event ingest it crashes within the binary.py.

```
"C:\Users\myaccount\AppData\Local\Programs\Python\Python39\lib\site-packages\estreamer\adapters\binary.py", line 183, in _blockDefinition
    raise ParsingException('Unknown block definition: {0}', key )
estreamer.exception.ParsingException:
```

Have you tried Python 2.7?

I'm limited on what I can run on this box which brought me here hoping to find a version of the eStreamer client that was made to run on 3. I'm still digging on the error in hopes to trace down the issue.