SYSLOGJSON log being truncated with a "..."
Closed this issue · 2 comments
When running a scan with the following arguments,
thor-lite-linux-64 -a FileScan --alldrives -p "target" -s "SIEM":514:SYSLOGJSON --nohtml --nolog --nocsv.
A test file triggered these reasons.
REASON_1: YARA rule WEBSHELL_PHP_Generic_Eval / Generic PHP webshell which uses any eval/exec function in the same line with user input SUBSCORE_1: 75 REF_1: Internal Research SIGTYPE_1: internal SIGCLASS_1: YARA Rule MATCHED_1: Str1: "system($_GET" in ">\x0a<?php\x0a if(isset($_GET['cmd']))\x0a {\x0a system($_GET['cmd']);\x0a }\x0a?>\x0a</pre>\x0a</body>\x0a</html>\x0a" at 0xed RULEDATE_1: 2021-01-07 TAGS_1: GEN, T1505_003, WEBSHELL RULENAME_1: WEBSHELL_PHP_Generic_Eval AUTHOR_1: Arnim Rupp (https://github.com/ruppde)
REASON_2: YARA rule WEBSHELL_PHP_Generic / php webshell having some kind of input and some kind of payload. restricted to small files or big ones inclusing suspicious strings SUBSCORE_2: 75 REF_2: Internal Research SIGTYPE_2: internal SIGCLASS_2: YARA Rule MATCHED_2: Str1: "<?" in "dy>\x0a<form method=\"GET\" name=\"<?php echo basename($_SERVER['PHP_SELF']); ?>\">\x0a<inp" at 0x1d Str2: "<?php" in "dy>\x0a<form method=\"GET\" name=\"<?php echo basename($_SERVER['PHP_SELF']); ?>\">\x0a<input " at 0x1d Str3: "_GET[" in "alue=\"Execute\">\x0a</form>\x0a<pre>\x0a<?php\x0a if(isset($_GET['cmd']))\x0a {\x0a system($_GET['cmd']);\x0a }" at 0xd1 Str4: "system($" in ">\x0a<?php\x0a if(isset($_GET['cmd']))\x0a {\x0a system($_GET['cmd']);\x0a }\x0a?>\x0a</pre>\x0a</body>\x0a</html>\x0a" at 0xed Str5: "\"cmd\"" in "SERVER['PHP_SELF']); ?>\">\x0a<input type=\"TEXT\" name=\"cmd\" autofocus id=\"cmd\" size=\"80\">\x0a<input type=\"SUBMIT" at 0x65 Str6: "<pre>" in "0\">\x0a<input type=\"SUBMIT\" value=\"Execute\">\x0a</form>\x0a<pre>\x0a<?php\x0a if(isset($_GET['cmd']))\x0a {\x0a s" at 0xb7 Str7: "'cmd'" in "\"Execute\">\x0a</form>\x0a<pre>\x0a<?php\x0a if(isset($_GET['cmd']))\x0a {\x0a system($_GET['cmd']);\x0a }\x0a?>\x0a<" at 0xd6 Str8: "system($" in ">\x0a<?php\x0a if(isset($_GET['cmd']))\x0a {\x0a system($_GET['cmd']);\x0a }\x0a?>\x0a</pre>\x0a</body>\x0a</html>\x0a" at 0xed RULEDATE_2: 2021-01-14 TAGS_2: GEN, T1033, T1087_002, T1505_003, WEBSHELL RULENAME_2: WEBSHELL_PHP_Generic AUTHOR_2: Arnim Rupp (https://github.com/ruppde)
The log for this hit is truncated with a "...", which causes parsing issues when it hits the SIEM.
<188>May 1 16:29:18 REDACTED THOR: {"time":"2024-05-01T16:29:18Z","hostname":REDACTED ,"level":"Warning","module":"Filescan","message":"Malware file found","scanid":"S-XjvkndfCOf2U","score":84,"file":"/test.php","ext":".php","type":"UNKNOWN","size":291,"md5":"cd208f47749fb29b5e5c72f57979b7f6","sha1":"27e05f0ee0ce29fc7a36fde17e28d0424fe5a799","sha256":"15da6a29cfe008494f7247d7858adf7c698e8843e961d9cc2bb3f20db8cf6809","firstbytes":"64793e0a3c666f726d206d6574686f643d224745 / dy\u003e \u003cform method=\"GE","changed":"2024-05-01T08:33:34-07:00","modified":"2024-05-01T08:33:34-07:00","accessed":"2024-05-01T09:02:57-07:00","permissions":"-rw-r--r--","owner":"root","group":"root","reason_1":"YARA rule WEBSHELL_PHP_Generic_Eval / Generic PHP webshell which uses any eval/exec function in the same line with user input","subscore_1":75,"ref_1":"Internal Research","sigtype_1":"internal","sigclass_1":"YARA Rule","matched_1":[{"data":"system($_GET","context":"\u003e\u000a\u003c?php\u000a if(isset($_GET['cmd']))\u000a {\u000a system($_GET['cmd']);\u000a }\u000a?\u003e\u000a\u003c/pre\u003e\u000a\u003c/body\u003e\u000a\u003c/html\u003e\u000a","offset":237}],"ruledate_1":"2021-01-07","tags_1":"GEN, T1505_003, WEBSHELL","rulename_1":"WEBSHELL_PHP_Generic_Eval","author_1":"Arnim Rupp (https://github.com/ruppde)","reason_2":"YARA rule WEBSHELL_PHP_Generic / php webshell having some kind of input and some kind of payload. restricted to small files or big ones inclusing suspicious strings","subscore_2":75,"ref_2":"Internal Research","sigtype_2":"internal","sigclass_2":"YARA Rule","matched_2":[{"data":"\u003c?","context":"dy\u003e\u000a\u003cform method=\"GET\" name=\"\u003c?php echo basename($_SERVER['PHP_SELF']); ?\u003e\"\u003e\u000a\u003cinp","offset":29},{"data":"\u003c?php","context":"dy\u003e\u000a\u003cform method=\"GET\" name=\"\u003c?php echo basename($_SERVER['PHP_SELF']); ?\u003e\"\u003e\u000a\u003cinput ","offset":29},{"data":"_GET[","context":"alue=\"Execute\"\u003e\u000a\u003c/for...
Thoughts?
Hi,
You can use --maxsysloglength to adjust the limit (or set it to 0 to avoid any truncation).
I agree with you that truncating by default with JSON output is bad behaviour since it creates invalid output, I'll ask around internally if we can change that.
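As an added example (not code from this issue, from THOR or from its author), here is a small Python checker for the receiving side of the problem described above: it splits a SYSLOGJSON line into the syslog header and the JSON payload, reports whether the payload parses and, if not, whether it ends in the "..." marker the length limit leaves behind, and for lines that were already cut off it salvages the complete top-level scalar fields (file, score, hashes) so the alert is not dropped outright. The header regex, the list of wanted field names and the two sample lines are constructed from the line quoted in the issue (hostname replaced, the remainder of the event shortened); the hash values are the ones shown in the issue.

```python
import json
import re

# Syslog framing as it appears in the issue's sample line:
#   <PRI>Mon D HH:MM:SS host THOR: {json}
# Constructed regex (not part of THOR); adjust it if a relay rewrites the header.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<app>[^:]+): (?P<msg>.*)$",
    re.DOTALL,
)

# Top-level scalar fields worth keeping even when the event is cut off.
# Key names are taken from the sample event in the issue (assumed stable).
WANTED_FIELDS = ("time", "hostname", "level", "module", "message",
                 "score", "file", "md5", "sha1", "sha256")

# "key":value pairs whose value is a complete string, number, bool or null.
# A string literal cut off by the length limit has no closing quote and so
# never matches, which keeps half a hash or half a path out of the result.
FIELD_RE = re.compile(
    r'"(?P<key>[A-Za-z0-9_]+)":'
    r'(?P<val>"(?:[^"\\]|\\.)*"|-?\d+(?:\.\d+)?|true|false|null)'
)


def check_thor_syslogjson(line: str) -> dict:
    """Split one SYSLOGJSON line into header and payload and report whether the
    payload parsed; if not, say whether it ends in the "..." truncation marker."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return {"ok": False, "host": None, "facility": None, "severity": None,
                "truncated": False, "error": "no syslog header", "event": None}
    pri = int(m.group("pri"))
    base = {"host": m.group("host"),
            "facility": pri >> 3, "severity": pri & 7}  # RFC 3164/5424 PRI split
    msg = m.group("msg")
    try:
        return {**base, "ok": True, "truncated": False, "error": None,
                "event": json.loads(msg)}
    except json.JSONDecodeError as exc:
        return {**base, "ok": False, "truncated": msg.endswith("..."),
                "error": f"invalid JSON at char {exc.pos}", "event": None}


def salvage_fields(line: str, wanted=WANTED_FIELDS) -> dict:
    """Pull complete scalar fields out of a truncated payload so the SIEM still
    gets file, score and hashes. Only keys in `wanted` are taken and the first
    occurrence wins, so nested matched_N entries cannot override a top-level key."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    msg = m.group("msg") if m else line
    out = {}
    for fm in FIELD_RE.finditer(msg):
        key = fm.group("key")
        if key in wanted and key not in out:
            out[key] = json.loads(fm.group("val"))  # decodes \uXXXX escapes and numbers
    return out


# Constructed sample lines modelled on the event in the issue (hostname replaced,
# event shortened); not real THOR output.
SAMPLE_LINES = [
    '<188>May 1 16:29:18 host1 THOR: {"time":"2024-05-01T16:29:18Z",'
    '"hostname":"host1","level":"Warning","module":"Filescan",'
    '"message":"Malware file found","score":84,"file":"/test.php",'
    '"sha256":"15da6a29cfe008494f7247d7858adf7c698e8843e961d9cc2bb3f20db8cf6809",'
    '"matched_1":[{"data":"system($_GET","offset":237}]}',
    # The same event cut by the length limit, ending in the "..." marker.
    '<188>May 1 16:29:18 host1 THOR: {"time":"2024-05-01T16:29:18Z",'
    '"hostname":"host1","level":"Warning","module":"Filescan",'
    '"message":"Malware file found","score":84,"file":"/test.php",'
    '"sha256":"15da6a29cfe008494f7247d7858adf7c698e8843e961d9cc2bb3f20db8cf6809",'
    '"matched_1":[{"data":"sys...',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        r = check_thor_syslogjson(line)
        if r["ok"]:
            print("complete:", r["event"]["file"], "score", r["event"]["score"])
        else:
            print("BROKEN:", r["error"], "(truncated)" if r["truncated"] else "",
                  "salvaged:", salvage_fields(line))
```

Run this against the collector's raw input in front of the JSON parser: a non-zero count of truncated lines is the signal to raise --maxsysloglength (or set it to 0) as suggested above, rather than relying on the salvage step, which by design keeps only fields that survived intact and drops the matched_N context.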
I missed that option, thanks!