Site Move Completed

I have finished moving my posts over from Serendipity on my irobx.net site to a cloud-based WordPress site. Yes, I have moved to the cloud. I can just feel the ROI flooding in. Not to say the process was seamless or easy. I had to export an RSS feed into Outlook and forward emails to the posting address for the WordPress site, then hand edit the formatting differences. If I had many more posts I probably would have come up with a scripted solution; as it was, my site is just small enough that the time spent manually importing was less than creating a scripted solution. It may sound strange for someone who enjoys scripting, but I will rarely use a script to do a task that is quicker done with a manual process. I *will* script small routines that I know I will repeat many times, usually after having repeated them enough times for them to become annoying. Nice to have it finished in any event.

Posted in Uncategorized

Read Grep exit codes

# Print every pattern in /tmp/t1.txt that matches no line of /tmp/t.txt.
# grep -q prints nothing and exits 0 on a match, 1 on no match, 2 on error.
while read -r x
	do grep -q -- "$x" /tmp/t.txt
		if [[ $? -ne 0 ]]
			then echo "$x"
		fi
	done < /tmp/t1.txt
Posted in Linux Shell Scripts

SED one-liner to comment out all lines containing a string

sed -i 's/.*ET P2P.*/#&/g' /etc/suricata/rules/emerging-all.rules

Posted in Linux Shell Scripts

Netstat output showing process names for established connections

Feed: Scriptorlog
Posted on: Friday, March 11, 2011 1:39 PM
Author: iRobx

The -b switch on netstat is a great thing. It shows you which process is using which socket or listening on a port. It used to be that you could get this information using the -o switch, which returns only the process ID numbers (PIDs). Back in those olden days of yore I wrote my portbuster script, which shows the process name for each listening port. Since Vista, using the -b switch requires elevation. Also, the -b switch puts the process name on a different line than the IP information, which makes the output un-grepable. One way to get around this is to adapt my portbuster script to show the process name for all established connections. That is what I have done:

connected-procs
============

@echo off
rem Outer loop tokens: %%i=Proto %%j=Local %%k=Foreign %%l=State %%m=PID. No skip=4 here:
rem the loop reads findstr's output, which has no netstat header, so skipping would drop real connections.
rem Inner loop, tasklist /svc columns: %%u=Image Name %%v=PID %%w=Services
for /f "tokens=1,2,3,4,5" %%i in ('netstat -a -n -o^|findstr ESTABLISHED') do (
if %%i==TCP for /f "tokens=1-3" %%u in ('tasklist /fi "PID eq %%m" /nh /svc') do echo %%u,%%i,%%j,%%k,%%v
)
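The same PID-to-process join done in PowerShell, as an added example that is not part of the original post. It assumes the NetTCPIP and CIM cmdlets (Windows 8 / Server 2012 and later) and an elevated session; unelevated, Path comes back empty for processes owned by other users.

```powershell
# Added example, not from the original post: join established TCP connections to
# their owning process the way the batch script does with netstat -o and tasklist /svc.
function Get-ConnectedProcs {
    # Index running processes by PID once instead of calling tasklist per connection
    $procByPid = @{}
    Get-Process | ForEach-Object { $procByPid[$_.Id] = $_ }

    # tasklist /svc equivalent: service names hosted by each PID (svchost and friends)
    $svcByPid = @{}
    Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object {
        $svcByPid[[int]$_.ProcessId] += @($_.Name)
    }

    Get-NetTCPConnection -State Established | ForEach-Object {
        $ownerPid = [int]$_.OwningProcess
        $p = $procByPid[$ownerPid]
        [pscustomobject]@{
            # '<exited>' means the socket outlived its process or the PID was reused
            Process       = if ($p) { $p.ProcessName } else { '<exited>' }
            PID           = $ownerPid
            Path          = if ($p) { $p.Path } else { $null }
            Services      = ($svcByPid[$ownerPid] -join ';')
            LocalAddress  = $_.LocalAddress
            LocalPort     = $_.LocalPort
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
        }
    }
}

# Grouping by image name makes a process with connections it has no business
# making stand out during triage; Path and Services tell you which svchost it is.
Get-ConnectedProcs | Sort-Object Process, RemoteAddress | Format-Table -AutoSize
```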
Posted in NT Shell Scripts

Dump DHCP Client info for all hosts using netsh

Posted on: Friday, April 29, 2011 2:57 PM
Author: iRobx

for /f %i in ('netsh dhcp server \\MYDHCPSERVERNAME show scope ^|findstr "255.0"') do netsh dhcp server \\MYDHCPSERVERNAME scope %i show clients

for /f %i in ('netsh dhcp server \\MYDHCPSERVERNAME show scope ^|findstr "255.0"') do netsh dhcp server \\MYDHCPSERVERNAME scope %i show reservedip
Posted in NT Shell Scripts

Control Panel RunDLL info

Posted on: Monday, April 18, 2011 8:24 AM
Author: iRobx

Many control panel applets are DLLs that can be launched from rundll32 through the Control_RunDLL entry point of shell32.dll, like so:

rundll32.exe shell32.dll,Control_RunDLL C:\Windows\System32\ncpa.cpl

This will launch the Network Connections Control-Panel Stub. Here is a map of some cpl files on my system:

c:\windows\System32\appwiz.cpl
Description: Shell Application Manager
c:\windows\System32\bthprops.cpl
Description: Bluetooth Control Panel Applet
c:\windows\System32\collab.cpl
Description: People Near Me Control Panel Applet
c:\windows\System32\desk.cpl
Description: Desktop Settings Control Panel
c:\windows\System32\EDMCControlApplet.cpl
Description: n/a
c:\windows\System32\Firewall.cpl
Description: Windows Firewall Control Panel DLL
c:\windows\System32\hdwwiz.cpl
Description: Add Hardware Control Panel Applet
c:\windows\System32\igfxcpl.cpl
Description: igfxcpl Module
c:\windows\System32\inetcpl.cpl
Description: Internet Control Panel
c:\windows\System32\infocardcpl.cpl
Description: Windows CardSpace
c:\windows\System32\intl.cpl
Description: Control Panel DLL
c:\windows\System32\irprops.cpl
Description: Infrared Control Panel Applet
c:\windows\System32\ISUSPM.cpl
Description: Macrovision Software Manager Applet
c:\windows\System32\joy.cpl
Description: Game Controllers Control Panel Applet
c:\windows\System32\main.cpl
Description: Mouse and Keyboard Control Panel Applets
c:\windows\System32\mmsys.cpl
Description: Audio Control Panel
c:\windows\System32\ncpa.cpl
Description: Network Connections Control-Panel Stub
c:\windows\System32\pnupcli.cpl
Description: Provision Networks Print-IT Client Control Panel Applet
c:\windows\System32\powercfg.cpl
Description: Power Management Configuration Control Panel Applet
c:\windows\System32\sysdm.cpl
Description: System Applet for the Control Panel
c:\windows\System32\TabletPC.cpl
Description: Tablet PC Control Panel
c:\windows\System32\telephon.cpl
Description: Telephony Control Panel
c:\windows\System32\timedate.cpl
Description: Time Date Control Panel Applet
c:\windows\System32\wmdConn.cpl
Description: Windows Mobile Device Center
c:\windows\System32\wscui.cpl
Description: Security Center
c:\windows\System32\CCM\SMSCFGRC.cpl
Description: ConfigMgr Control Panel Applet
c:\windows\System32\CCM\SMSPDM.cpl
Description: SMS Program Download Monitor Applet
c:\windows\System32\CCM\SMSRAP.cpl
Description: SMS Run Advertised Program Applet
c:\windows\System32\CCM\clicomp\RemCtrl\smsrc.cpl
Description:
c:\windows\System32\DriverStore\FileRepository\kit22235.inf_56449196\igfxcpl.cpl
Description: igfxcpl Module
c:\windows\System32\DriverStore\FileRepository\winmobil.inf_1c3787bf\wmdConn.cpl
Description: Windows Mobile Device Center
c:\windows\System32\DriverStore\FileRepository\winmobil.inf_a7c8ce31\wmdConn.cpl
Description: Windows Mobile Device Center
c:\windows\System32\Speech\SpeechUX\sapi.cpl
Description: Speech UX Control Panel
c:\windows\system32\fvecpl.dll
Description: BitLocker Drive Encryption control panel

You can also launch control panel apps using control.exe:

control /name Microsoft.BitLockerDriveEncryption

There is a list of CPLs under this registry key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls

You can see the CLSIDs under this registry key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\Namespace

Here is a dump of some CLSIDs (each subkey's default value is the applet's display name):

{00f2886f-cd64-4fc9-8ec5-30ef6cdbe8c3}  Scanner and Camera Control Panel
{025A5937-A6BE-4686-A844-36FE4BEC8B6D}  Power Options
    PreferredPlan REG_SZ 381b4222-f694-41f0-9685-ff5bb260df2e
    subkey: HardwareOverride
{0DF44EAA-FF21-4412-828E-260A8728E7F1}  Taskbar and Start Menu
{15eae92e-f17a-4431-9f28-805e482dafd4}  Install New Programs
{17cd9488-1228-4b2f-88ce-4298e93e0966}  Set User Defaults
{2227A280-3AEA-1069-A2DE-08002B30309D}  Printers
{28803F59-3A75-4058-995F-4EE5503B023C}  Wireless Devices
{335a31dd-f04b-4d76-a925-d6b47cf360df}  Backup and Restore Center
{36eef7db-88ad-4e81-ad49-0e313f0c35f8}  Windows Update
{37efd44d-ef8d-41b1-940d-96973a50e9e0}  Windows Sidebar Properties
{38A98528-6CBF-4CA9-8DC0-B1E1D10F7B1B}  View Available Networks
{3e7efb4c-faf1-453d-89eb-56026875ef90}  Get Programs Online
{4026492F-2F69-46B8-B9BF-5654FC07E423}  Windows Firewall
{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}  Java
{58E3C745-D971-4081-9034-86E34B30836A}  Speech Recognition Options
{5ea4f148-308c-46d7-98a9-49041b1dd468}  Mobility Center
{60632754-c523-4b62-b45c-4172da012619}  User Accounts
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}  Folder Options
{74246bfc-4c96-11d0-abef-0020af6b0b7a}  Device Manager
{78CB147A-98EA-4AA6-B0DF-C8681F69341C}  CardSpace
{78F3955E-3B90-4184-BD14-5397C15F1EFC}  Performance Information and Tools
{7A979262-40CE-46ff-AEEE-7884AC3B6136}  Add New Hardware
{7b81be6a-ce2b-4676-a29e-eb907a5126c5}  Programs and Features
{8A6592C8-E790-4d19-899B-E95B2AD1AA7E}  SAP GUI Configuration
    SapCreateKey REG_DWORD 0x0
{8E908FC9-BECC-40f6-915B-F4CA0E70D03D}  Network and Sharing Center
{9C60DE1E-E5FC-40f4-A487-460851A8D915}  AutoPlay
{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}  Sync Center Folder
{A304259D-52B8-4526-8B1A-A1D6CECC8243}  iSCSI Initiator
{B2C761C6-29BC-4f19-9251-E6195265BAF1}  Color Control Panel Applet
{BB06C0E4-D293-4f75-8A90-CB05B6477EEE}  System
{CB1B7F8C-C50A-4176-B604-9E24DEE8D4D1}  Welcome Center
{D20EA4E1-3957-11d2-A40B-0C5020524152}  Fonts
{D20EA4E1-3957-11d2-A40B-0C5020524153}  Administrative Tools
{D2D91137-A6DF-4943-AB16-DB25776CD4EE}  SmartAudio
{D555645E-D4F8-4c29-A827-D93C859C4F2A}  Ease of Access
{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}  Windows Defender
{D9EF8727-CAC2-4e60-809E-86F80A666C91}  Secure Startup
{E7DE9B1A-7533-4556-9484-B26FB486475E}  Network Map
{E95A4861-D57A-4be1-AD0F-35267E261739}  Windows SideShow
{ED834ED6-4B5A-4bfe-8F11-A626DCB6A921}  Personalization
{FCFEECAE-EE1B-4849-AE50-685DCF7717EC}  Problem Reports and Solutions
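Building the same cpl map from the two registry keys above instead of by hand, as an added example that is not part of the original post. It assumes the standard HKCR\CLSID\{clsid}\InProcServer32 location for a CLSID's implementing DLL; description and Authenticode status are read from the file on disk, which is the part worth checking, since control.exe and rundll32 load a registered .cpl in-process.

```powershell
# Added example, not from the original post: enumerate registered control panel
# applets from Cpls (name -> path values) and Namespace (CLSID subkeys whose default
# value is the display name), then look at the module each one resolves to.
$cplsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls'
$nsKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\Namespace'

function Get-FileFacts([string]$Path) {
    # Description and signature status of a module, or MISSING when the path does not resolve
    if (-not ($Path -and (Test-Path -LiteralPath $Path))) {
        return [pscustomobject]@{ Description = $null; Signature = 'MISSING' }
    }
    [pscustomobject]@{
        Description = (Get-Item -LiteralPath $Path).VersionInfo.FileDescription
        Signature   = (Get-AuthenticodeSignature -FilePath $Path).Status
    }
}

function Get-RegisteredCpls {
    $vals = Get-ItemProperty -Path $cplsKey -ErrorAction SilentlyContinue
    if (-not $vals) { return }
    # Skip the note properties Get-ItemProperty adds alongside the registry values
    $noise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $vals.PSObject.Properties | Where-Object { $_.Name -notin $noise } | ForEach-Object {
        $path  = [Environment]::ExpandEnvironmentVariables([string]$_.Value)
        $facts = Get-FileFacts $path
        [pscustomobject]@{ Name = $_.Name; Path = $path
                           Description = $facts.Description; Signature = $facts.Signature }
    }
}

function Get-ControlPanelClsids {
    Get-ChildItem -Path $nsKey | ForEach-Object {
        $clsid = $_.PSChildName
        # Namespace only lists the CLSID; the DLL is registered under HKCR\CLSID (assumption: InProcServer32)
        $srv   = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32" `
                                  -ErrorAction SilentlyContinue
        $dll   = if ($srv) { [Environment]::ExpandEnvironmentVariables([string]$srv.'(default)') } else { $null }
        $facts = Get-FileFacts $dll
        [pscustomobject]@{ CLSID = $clsid; Name = (Get-ItemProperty -Path $_.PSPath).'(default)'
                           DLL = $dll; Description = $facts.Description; Signature = $facts.Signature }
    }
}

# An entry whose Signature is not Valid, or whose path is outside System32, deserves a look
Get-RegisteredCpls     | Format-Table -AutoSize
Get-ControlPanelClsids | Format-Table -AutoSize
```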
Posted in Uncategorized

Use Logparser to send IIS logs to Syslog

Posted on: Thursday, February 17, 2011 2:26 PM
Author: iRobx

Logparser is a very powerful framework for slicing and dicing the various Windows event logs as well as IIS and other text-based logs. Here are some logparser commands I found useful. This command shows your IIS log entries for the last hour, displayed to the screen in paginated, tabular format:

LogParser "SELECT * FROM WHERE TO_TIMESTAMP(date,time) > sub(SYSTEM_TIMESTAMP(),TIMESTAMP('0000-01-01 00:59:59','yyyy-MM-dd hh:mm:ss'))" -o:NAT

This command will send the same hour's worth of IIS logs to a syslog server:

logparser "SELECT * INTO @syslog-server FROM WHERE TO_TIMESTAMP(date,time) > sub(SYSTEM_TIMESTAMP(),TIMESTAMP('0000-01-01 00:59:59','yyyy-MM-dd hh:mm:ss'))" -o:SYSLOG -facility:logalert -hostName:syslog-server -processName:IIS:

A basic command usage to dump security messages to the screen in paginated, tabular format:

LogParser.exe -i:EVT "SELECT message FROM Security" -o:NAT
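The "last hour of IIS entries to syslog" job done without LogParser, as an added example that is not part of the original post, for a web server where it is not installed. Assumptions not taken from the page: the IIS 7 default log path, the syslog host name and UDP port 514, RFC 3164 framing, facility 14 (log alert, matching -facility:logalert) and severity 6.

```powershell
# Added example, not from the original post: forward the last hour of W3C log
# entries to a syslog server over UDP. Returns the number of entries forwarded.
function Send-IisLogToSyslog {
    param(
        [Parameter(Mandatory)][string]$LogPath,
        [Parameter(Mandatory)][string]$SyslogHost,
        [int]$Port = 514,
        [int]$Hours = 1,
        [int]$Facility = 14,   # assumption: log alert, as in the LogParser command above
        [int]$Severity = 6     # assumption: informational
    )
    $since  = [DateTime]::UtcNow.AddHours(-$Hours)   # W3C date/time fields are UTC
    $pri    = $Facility * 8 + $Severity              # RFC 3164 PRI value
    $udp    = New-Object System.Net.Sockets.UdpClient
    $inv    = [Globalization.CultureInfo]::InvariantCulture
    $fields = $null
    $sent   = 0
    foreach ($line in [System.IO.File]::ReadLines($LogPath)) {
        if ($line.StartsWith('#Fields:')) {
            # The field list can change mid-file after an IIS restart, so always re-read it
            $fields = $line.Substring(8).Trim() -split ' '
            continue
        }
        if ($line.StartsWith('#') -or -not $fields) { continue }   # other directives
        $values = $line -split ' '
        $row = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        if (-not ($row['date'] -and $row['time'])) { continue }
        $ts = [DateTime]::ParseExact("$($row['date']) $($row['time'])", 'yyyy-MM-dd HH:mm:ss',
                                     $inv, 'AssumeUniversal, AdjustToUniversal')
        if ($ts -le $since) { continue }
        # RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG, with a space-padded day
        $stamp = '{0} {1,2} {2}' -f $ts.ToString('MMM', $inv), $ts.Day, $ts.ToString('HH:mm:ss')
        $bytes = [Text.Encoding]::ASCII.GetBytes("<$pri>$stamp $env:COMPUTERNAME IIS: $line")
        [void]$udp.Send($bytes, $bytes.Length, $SyslogHost, $Port)
        $sent++
    }
    $udp.Close()
    return $sent
}

# Placeholder file name; point it at the current W3C log of the site in question
Send-IisLogToSyslog -LogPath 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex_CURRENT.log' -SyslogHost 'syslog-server'
```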
Posted in NT Shell Scripts