
Sophos Duplicate IDs

I just wanted to share the Perl script I wrote to find duplicate unique IDs in Sophos. It scans the IIS logs looking for duplicate GUIDs.

#Stephen
#Check for Duplicates: report client IPs that share a machine GUID with another client
use strict;
use warnings;

# UNC path to the IIS W3C log of the Sophos update share
my $file = "\\\\sophos-c108-01\\W3SVC1\\u_ex110822.log";
my %hash = ();   # GUID => first client IP seen using it
my %hDup = ();   # client IPs already reported, so each is printed only once
open my $fh, '<', $file or die "Cannot open $file: $!";
while (my $line = <$fh>)
{
    # capture server IP, client IP and the GUID from the user-agent string
    my @data = ($line =~ /(\b143\.55\.\d{1,3}\.\d{1,3}\b).*?(\b143\.55\.\d{1,3}\.\d{1,3}\b).*?(\{?[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\}?)/);
    next unless @data;   # skip #Fields:/#Software: headers and lines without a match
    #print $data[0] . "\n";
    if ((exists $hash{$data[2]}) && ($hash{$data[2]} ne $data[1]))
    {
        # same GUID already seen from a different client IP
        if (not exists $hDup{$data[1]})
        {
            print $data[1] . "\n";
            $hDup{$data[1]} = $data[1];
        }
    }
    else
    {
        $hash{$data[2]} = $data[1];
    }
}
close($fh);

I have more info on my blog about it.

http://www.stephenjc.com/2011/08/23/sophos-duplicate-ids/



  • Hello PJ,

    As the analysis script is only one - crypted - line

    it's not crypted, it's a RegEx - just extracting the client's IP and ID. The log is not too hard to decode, there's a line starting with #Fields:, their names describing the contents (s - means server, c - client, cs - client to server and sc, well, you probably guess). Here's a short explanation of the log format:

    2012-12-31 23:00:25 W3SVC1
    >>> timestamp and site
    111.222.333.444 
    >>> server IP
    GET /InterChk/SophosUpdate/MUW/CIDs/S000/SAVSCFXP/master.upd -
    >>> request, URI and (optional) query [- means: no query]  
    80 
    >>> server port
    SophosUpdate
    >>> authenticated user (- if there is none) [1]
    111.222.333.400 
    >>> client IP
    SophosAutoUpdate/2.7.8.335.....)
    >>> user agent string from the HTTP request header, details below 
    200 0 0
    >>> returncodes [2]

    [1] AutoUpdate makes each request first without authentication, so if one is required (as is usually the case) you get one line where this field is blank followed by an almost identical one with the username from the updating policy

    [2] the first request fails with 401.2 (Unauthorized), the authenticated one should return 200.

    Now let's look at the User Agent field in detail:

    SophosAutoUpdate/2.7.8.335+
    >>> Component (AutoUpdate or SUM) and version [1]
    SDDS/1.0+
    >>> SDDS version
    (u="SophosUpdate"+
    >>> update user
    c="a731ab2f-d2d5-41fb-8a1a-2fc9ab0fa58f")
    >>> and the computer's ID (machine_ID)

    [1] for client updates the component is SophosAutoUpdate, for a downstream SUM accessing the Warehouse it is SophosUpdateManager

    The last item is the machine_ID. Unfortunately it does not necessarily map to the IdentityTag column in the database (please see machine_ID.txt - guid in the enterprise console). Thus you might see different IPs using the same machine_ID while still having their own entry in the database. Also note that if clients change their IP (e.g. switching from cable to WLAN) during the day you'll also get "fake duplicates". Of course the IP is meaningless if a proxy is involved.

    Dunno if this helps at all therefore - what exactly are you interested in?

    Christian

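A Python reworking of Stephen's duplicate check, added here as an example and not code from the original post or from Sophos: instead of a fixed 143.55.x.x address pattern it reads the #Fields: header Christian describes to locate the c-ip, cs(User-Agent) and sc-status columns, pulls the machine_ID out of the c="..." part of the user agent, and lists every GUID seen from more than one client IP. The log lines, addresses and all GUIDs except the one quoted above are constructed; the unauthenticated 401.2 preflight lines are dropped by default so each fetch is counted once.

```python
import re
from collections import defaultdict

# Constructed sample IIS W3C log (not from the page); IIS writes '+' for spaces in the user agent.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2012-12-31 23:00:25 W3SVC1 10.0.0.5 GET /InterChk/SophosUpdate/MUW/CIDs/S000/SAVSCFXP/master.upd - 80 - 10.0.1.10 SophosAutoUpdate/2.7.8.335+SDDS/1.0+(u="SophosUpdate"+c="a731ab2f-d2d5-41fb-8a1a-2fc9ab0fa58f") 401 2 5
2012-12-31 23:00:25 W3SVC1 10.0.0.5 GET /InterChk/SophosUpdate/MUW/CIDs/S000/SAVSCFXP/master.upd - 80 SophosUpdate 10.0.1.10 SophosAutoUpdate/2.7.8.335+SDDS/1.0+(u="SophosUpdate"+c="a731ab2f-d2d5-41fb-8a1a-2fc9ab0fa58f") 200 0 0
2012-12-31 23:01:02 W3SVC1 10.0.0.5 GET /InterChk/SophosUpdate/MUW/CIDs/S000/SAVSCFXP/master.upd - 80 SophosUpdate 10.0.1.11 SophosAutoUpdate/2.7.8.335+SDDS/1.0+(u="SophosUpdate"+c="A731AB2F-D2D5-41FB-8A1A-2FC9AB0FA58F") 200 0 0
2012-12-31 23:02:40 W3SVC1 10.0.0.5 GET /InterChk/SophosUpdate/MUW/CIDs/S000/SAVSCFXP/master.upd - 80 SophosUpdate 10.0.1.12 SophosAutoUpdate/2.7.8.335+SDDS/1.0+(u="SophosUpdate"+c="0f3c9e1a-1234-4c5d-9e8f-0a1b2c3d4e5f") 200 0 0
2012-12-31 23:03:11 W3SVC1 10.0.0.5 GET /SophosUpdate/CIDs/S000/SAVSCFXP/master.upd - 80 SophosUpdate 10.0.2.20 SophosUpdateManager/1.3.1.1+SDDS/1.0+(u="SophosUpdate"+c="{5d6e7f80-aaaa-4bbb-8ccc-dddddddddddd}") 200 0 0
"""

# machine_ID inside the user agent: c="<guid>", with or without braces, any letter case
MACHINE_ID_RE = re.compile(
    r'c="\{?([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})\}?"')

def parse_iis_log(lines):
    """Yield (client_ip, sc_status, component, machine_id) for each Sophos update request.
    Columns are located via the #Fields: header, not a fixed order or address range."""
    cols = None
    for line in lines:
        if line.startswith("#Fields:"):
            cols = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if cols is None or len(parts) != len(cols):
            continue  # header missing or a truncated line: nothing reliable to read
        f = dict(zip(cols, parts))
        ua = f.get("cs(User-Agent)", "-")
        m = MACHINE_ID_RE.search(ua)
        if not m:
            continue  # not a SophosAutoUpdate / SophosUpdateManager request
        yield f["c-ip"], f["sc-status"], ua.split("/", 1)[0], m.group(1).lower()

def find_duplicate_ids(lines, only_status="200"):
    """Return {machine_id: [client IPs]} for every machine_ID seen from more than one IP."""
    ips_by_id = defaultdict(set)
    for ip, status, _component, machine_id in parse_iis_log(lines):
        if only_status and status != only_status:
            continue  # skip the unauthenticated 401.2 preflight so each fetch counts once
        ips_by_id[machine_id].add(ip)
    return {mid: sorted(ips) for mid, ips in ips_by_id.items() if len(ips) > 1}

if __name__ == "__main__":
    for machine_id, ips in find_duplicate_ids(SAMPLE_LOG.splitlines()).items():
        print(machine_id, " ".join(ips))
```

As Christian points out, a client that changes its IP during the day or sits behind a proxy will show up here too, so the output is a list of IDs to check against the console, not proof of a cloned installation.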