Sophos Duplicate IDs

I just wanted to share the Perl script I wrote to find duplicate unique IDs in Sophos. It scans the IIS logs looking for duplicate GUIDs.

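```perl
#Stephen
#Check for Duplicates
use strict;
use warnings;

my $file = "\\\\sophos-c108-01\\W3SVC1\\u_ex110822.log";
my %hash = ();   # GUID => address first seen with it (second address on the line)
my %hDup = ();   # addresses already reported
open(my $fh, '<', $file) or die $!;
while (<$fh>)
{
    # Capture: first 143.55.x.x address, second 143.55.x.x address, GUID
    my @data = ($_ =~ /(\b143\.55\.\d{1,3}\.\d{1,3}\b).*?(\b143\.55\.\d{1,3}\.\d{1,3}\b).*?(\{{0,1}[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\}{0,1})/);
    next unless @data;   # skip lines that do not contain two addresses and a GUID
    #print $data[0] . "\n";
    if ((exists $hash{$data[2]}) && ($hash{$data[2]} ne $data[1]))
    {
        # Same GUID seen earlier from a different address: report it once
        if (not exists $hDup{$data[1]})
        {
            print $data[1] . "\n";
            $hDup{$data[1]} = $data[1];
        }
    }
    else
    {
        $hash{$data[2]} = $data[1];
    }
}
close($fh);
```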

I have more info on my blog about it.

http://www.stephenjc.com/2011/08/23/sophos-duplicate-ids/

:20691
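A field-aware variant of the same check, added here as an example and not part of the original post: it reads the `#Fields:` header of the W3C log to locate `c-ip` instead of hard-coding a subnet, lists every address that shares a GUID, and counts request lines that carry no GUID at all. It goes beyond the script above; the sample lines, their field order and the `id=` parameter are constructed assumptions, not Sophos's actual request layout.

```perl
use strict;
use warnings;

# Constructed sample in W3C extended format; the field order and the
# "id=" query parameter are assumptions made for this example.
my @sample = (
    '#Fields: date time s-ip c-ip cs-method cs-uri-stem cs-uri-query sc-status',
    '2011-08-22 10:00:01 192.0.2.10 192.0.2.21 GET /msg id={11111111-2222-3333-4444-555555555555} 200',
    '2011-08-22 10:00:05 192.0.2.10 192.0.2.22 GET /msg id={11111111-2222-3333-4444-555555555555} 200',
    '2011-08-22 10:00:09 192.0.2.10 192.0.2.23 GET /msg id={AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} 200',
    '2011-08-22 10:00:12 192.0.2.10 192.0.2.24 GET /favicon.ico - 404',
);

# GUID with optional braces, searched for anywhere on the line.
my $GUID = qr/\{?([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\}?/;

# Returns (\%addresses_by_guid, $request_lines_without_guid).
sub scan_log {
    my @lines = @_;
    my ($ip_col, %seen);
    my $no_guid = 0;
    for my $line (@lines) {
        if ($line =~ /^#Fields:\s*(.*)/) {
            # Column positions come from the header, so any field order works.
            my @names = split ' ', $1;
            ($ip_col) = grep { $names[$_] eq 'c-ip' } 0 .. $#names;
            next;
        }
        next if $line =~ /^#/ or not defined $ip_col;
        my @field = split ' ', $line;
        my $ip = $field[$ip_col];
        next unless defined $ip;
        if ($line =~ $GUID) { $seen{ lc($1) }{$ip} = 1 }
        else                { $no_guid++ }
    }
    return (\%seen, $no_guid);
}

my ($seen, $no_guid) = scan_log(@sample);
for my $guid (sort keys %$seen) {
    my @ips = sort keys %{ $seen->{$guid} };
    print "$guid shared by: @ips\n" if @ips > 1;
}
print "$no_guid request line(s) carried no GUID\n";
```

A high no-GUID count relative to the total means the log being scanned does not record the field that carries the ID.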


  • Thanks VERY MUCH for this precise answer.

    We have a bunch of clones that keep appearing in the console under different names, at the same place, and we'd like to find all of them and apply the ID fix.

    When I said "crypted", I was joking, as in I can't decipher what the line of code is supposed to do (and I asked developer colleagues!).

    As for the log file, it seems what I have does not have enough information. I searched through the whole log folder but there's no file that contains c="...".

    I even converted files to CSV to get data sorted by columns.

    The best piece of information I can get is:

    s-port  cs-username  c-ip           cs(User-Agent)                       sc-status
    80      -            192.168.1.173  Microsoft-WebDAV-MiniRedir/6.1.7601  404

    Do I need to activate full logs somewhere? Am I looking in the wrong place?

    Thanks.

    PJ

    :36963