REX for HTML

hartfoml — Wed, 14 Dec 2011 16:25:41 GMT

I have HTML like this:

<pluginName>Microsoft Windows SMB Shares Unprivileged Access</pluginName>

I can get the Plugin name using REX like this:

rex "(?i)<PluginName>(?P<Vunerability_Name>[^<]+)"

In the _raw event there are more than one PluginName per event so I can use this command:

| rex max_match=100 "(?i)<PluginName>(?P<Vunerability_Name>[^<]+)" |

My question is How do I write this to the props.conf File. I tried this and it didn't work

EXTRACT-Vunerability_Name = max_match=100 (?i)<PluginName>(?P<Vunerability_Name>[^<]+)

Re: REX for HTML

MHibbin — Wed, 14 Dec 2011 16:36:07 GMT

Instead of using the max_match=100 can you try using "(?im)"...

So you could test your rex command using...

| rex max_match=100 "(?im)<PluginName>(?P<Vunerability_Name>[^<]+)" |

and you props should be...

EXTRACT-Vunerability_Name = (?im)<PluginName>(?P<Vunerability_Name>[^<]+)

I believe this will work.

If it answers your question can you mark the answer as accepted to help the community.

Regards,

MHibbin

Re: REX for HTML

hartfoml — Wed, 14 Dec 2011 17:20:59 GMT

The REX test worked but the EXTRACT did not.

When I took out the max_match=100 from the rex command I did not find all the matches in the events.

I will post a larger sample of the event data.

Re: REX for HTML

hartfoml — Wed, 14 Dec 2011 17:29:30 GMT

I can not correctly post the sample

<ReportItem>
<port>www (443/tcp)</port><severity>2</severity>
<pluginID>51192</pluginID>
<pluginName>SSL Certificate signed with an unknown Certificate Authority</pluginName>
<data>Synopsis :\n\nThe SSL certificate for this service is signed by an unknown\ncertificate authority.\n\nDescription :\n\nThe X.509 certificate of the remote host is not signed by a known\npublic 
certificate authority.  If the remote host is a public host in\nproduction, this nullifies the use of SSL as anyone could establish a\nman in the middle attack against the remote host.\n\nSolution :\n
\nPurchase or generate a proper certificate for this service.\n\nRisk factor :\n\nMedium / CVSS Base Score : 6.4\n(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)\n\n\nPlugin output :\n*** ERROR: Unknown root
CA in the chain:\nCountry: US\nCommon Name: 192.168.125.253\n\n\n\nCertificate chain:\n|-Country: US\n|-Common Name: 192.168.125.253\n|\n\n\n</data></ReportItem>
<ReportItem>
<port>www (443/tcp)</port><severity>2</severity>
<pluginID>26928</pluginID>
<pluginName>SSL Weak Cipher Suites Supported</pluginName>
<data>Synopsis :\n\nThe remote service supports the use of weak SSL ciphers.\n\nDescription :\n\nThe remote host supports the use of SSL ciphers that offer either weak\nencryption or no encryption at 
all.\n\nNote: This is considerably easier to exploit if the attacker is on the\nsame physical network.\n\nSee also :\n\nhttp://www.openssl.org/docs/apps/ciphers.html\n\nSolution :\n\nReconfigure the 
affected application if possible to avoid use of weak\nciphers.\n\nRisk factor :\n\nMedium / CVSS Base Score : 4.3\n(CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)\n\n\nPlugin output :\nHere is the list of weak 
SSL ciphers supported by the remote server :\n\n  Low Strength Ciphers (&lt; 56-bit key)\n    SSLv3\n      EXP-EDH-RSA-DES-CBC-SHA    Kx=DH(512)    Au=RSA     Enc=DES(40)        Mac=SHA1   
export     \n      EXP-DES-CBC-SHA            Kx=RSA(512)   Au=RSA     Enc=DES(40)        Mac=SHA1   export     \n      EXP-RC2-CBC-MD5            Kx=RSA(512)   Au=RSA     Enc=RC2(40)        
Mac=MD5    export     \n      EXP-RC4-MD5                Kx=RSA(512)   Au=RSA     Enc=RC4(40)        Mac=MD5    export     \n    TLSv1\n      EXP-EDH-RSA-DES-CBC-SHA    Kx=DH(512)    Au=RSA 
Enc=DES(40)        Mac=SHA1   export     \n      EXP-DES-CBC-SHA            Kx=RSA(512)   Au=RSA     Enc=DES(40)        Mac=SHA1   export     \n      EXP-RC2-CBC-MD5            Kx=RSA(512)   
Enc=DES(40)        Mac=SHA1   export     \n      EXP-DES-CBC-SHA            Kx=RSA(512)   Au=RSA     Enc=DES(40)        Mac=SHA1   export     \n      EXP-RC2-CBC-MD5            Kx=RSA(512)   
ciphername}\n  Kx={key exchange}\n  Au={authentication}\n  Enc={symmetric encryption method}\n  Mac={message authentication code}\n  {export flag}\n\n\nOther references : 
CWE:327,CWE:326,CWE:753,CWE:803,CWE:720\n</data></ReportItem>
<ReportItem>
<port>www (443/tcp)</port><severity>2</severity>
<pluginID>42873</pluginID>
<pluginName>SSL Medium Strength Cipher Suites Supported</pluginName>
<data>Synopsis :\n\nThe remote service supports the use of medium strength SSL ciphers.\n\nDescription :\n\nThe remote host supports the use of SSL ciphers that offer medium\nstrength encryption, 
which we currently regard as those with key \nlengths at least 56 bits and less than 112 bits.\n\nNote: This is considerably easier to exploit if the attacker is on the\nsame physical network.\n\nSolution :\n
\nReconfigure the affected application if possible to avoid use of\nmedium strength ciphers.\n\nRisk factor :\n\nMedium / CVSS Base Score : 4.3\n(CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)\n\n\nPlugin 
output :\nHere is the list of medium strength SSL ciphers supported by the remote server :\n\n  Medium Strength Ciphers (&gt;= 56-bit and &lt; 112-bit key)\n    SSLv3\n      EDH-RSA-DES-CBC-SHA        
Kx=DH         Au=RSA     Enc=DES(56)        Mac=SHA1   \n      DES-CBC-SHA                Kx=RSA        Au=RSA     Enc=DES(56)        Mac=SHA1   \n    TLSv1\n      EDH-RSA-DES-CBC-SHA        
Kx=DH         Au=RSA     Enc=DES(56)        Mac=SHA1   \n      DES-CBC-SHA                Kx=RSA        Au=RSA     Enc=DES(56)        Mac=SHA1   \n\nThe fields above are :\n\n  {OpenSSL 
ciphername}\n  Kx={key exchange}\n  Au={authentication}\n  Enc={symmetric encryption method}\n  Mac={message authentication code}\n  {export flag}\n\n\n</data></ReportItem>

Re: REX for HTML

MHibbin — Wed, 14 Dec 2011 17:31:16 GMT

This does not show anything, can you not edit your answer and add the text in `` (backticks)

Re: REX for HTML

hartfoml — Wed, 14 Dec 2011 17:43:36 GMT

As you can see by the sample

shows up three times in the same event

Re: REX for HTML

hartfoml — Wed, 14 Dec 2011 17:46:59 GMT

Using the max_match= I get all three but not with the (?im)

topic REX for HTML in Getting Data In

REX for HTML

Re: REX for HTML

Re: REX for HTML

Re: REX for HTML

Re: REX for HTML

Re: REX for HTML

Re: REX for HTML