
Sophos Duplicate IDs

I just wanted to share the Perl script I wrote to find duplicate unique IDs in Sophos. It scans the IIS logs looking for duplicate GUIDs.

#Stephen
#Check for Duplicates
use strict;
use warnings;

# UNC path to one day's IIS log on the Sophos management server
my $file = "\\\\sophos-c108-01\\W3SVC1\\u_ex110822.log";
my %hash = ();   # GUID -> client IP it was first seen from
my %hDup = ();   # client IPs already reported, so each is printed once
open my $fh, '<', $file or die "Cannot open $file: $!";
while (<$fh>)
{
    # capture server IP, client IP (both in 143.55.0.0/16) and the GUID on each line
    my @data = ($_ =~ /(\b143\.55\.\d{1,3}\.\d{1,3}\b).*?(\b143\.55\.\d{1,3}\.\d{1,3}\b).*?(\{{0,1}[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\}{0,1})/);
    next unless @data == 3;   # skip lines without two IPs and a GUID
    #print $data[0] . "\n";
    if ((exists $hash{$data[2]}) && ($hash{$data[2]} ne $data[1]))
    {
        # same GUID already reported from a different client IP: duplicate ID
        if (not exists $hDup{$data[1]})
        {
            print $data[1] . "\n";
            $hDup{$data[1]} = $data[1];
        }
    }
    else
    {
        $hash{$data[2]} = $data[1];
    }
}
close($fh);

I have more info on my blog about it.

http://www.stephenjc.com/2011/08/23/sophos-duplicate-ids/

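As an added example (not part of Stephen's post or his blog), the same duplicate-GUID check in Python, generalised to use the IIS log's own #Fields header to locate the c-ip column instead of a hard-coded subnet. The log sample is constructed; the assumption that the GUID appears in a field after c-ip matches the regex in the Perl script above.

```python
import re
from collections import defaultdict

# Constructed sample of an IIS W3C log (not a real Sophos server log).
# Assumption: the endpoint GUID appears in a field after c-ip.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2011-08-22 08:00:01 143.55.1.10 POST /Reporting/ - 8192 - 143.55.20.11 {11111111-2222-3333-4444-555555555555} 200
2011-08-22 08:00:02 143.55.1.10 POST /Reporting/ - 8192 - 143.55.20.12 {11111111-2222-3333-4444-555555555555} 200
2011-08-22 08:00:03 143.55.1.10 POST /Reporting/ - 8192 - 143.55.20.13 {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee} 200
2011-08-22 08:00:04 143.55.1.10 POST /Reporting/ - 8192 - 143.55.20.11 {11111111-2222-3333-4444-555555555555} 200
2011-08-22 08:00:05 143.55.1.10 GET /favicon.ico - 80 - 143.55.20.14 - 404
"""

GUID_RE = re.compile(r"\{?[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}\}?")


def find_duplicate_guids(lines):
    """Return {guid: sorted client IPs} for every GUID reported by more than one client.

    The c-ip column is taken from the #Fields header, so the check works on any
    IIS W3C log regardless of subnet; lines before the header are ignored.
    """
    c_ip_index = None
    seen = defaultdict(set)
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            c_ip_index = line.split()[1:].index("c-ip")
            continue
        if not line or line.startswith("#") or c_ip_index is None:
            continue
        parts = line.split()
        if len(parts) <= c_ip_index:
            continue
        # search only the fields after c-ip, like the Perl regex does
        match = GUID_RE.search(" ".join(parts[c_ip_index + 1:]))
        if match:
            seen[match.group(0).strip("{}").lower()].add(parts[c_ip_index])
    return {g: sorted(ips) for g, ips in seen.items() if len(ips) > 1}


if __name__ == "__main__":
    for guid, ips in find_duplicate_guids(SAMPLE_LOG.splitlines()).items():
        print(f"{guid}: {', '.join(ips)}")
```

Unlike the Perl script, this reports the GUID together with every client IP that used it, which is the list of machines whose Sophos identity needs to be reset.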


  • Hello PJ,

    now I've checked what I have on documentation available which is mostly my memory :smileywink:. Found that you can do without fiddling with the database if you choose a version with a backlevel RMS component (10.0 and 10.2 seem to be identical so it'd have to be 9.7).

    Just subscribe to the backlevel version, assign it to the "multiples" group and force compliance whenever you see the "Differs" in SEC. Sooner or later "new" computers should appear in the Unassigned group. Simply move them to the group(s) they should be in - they likely won't upgrade for a while due to reboot requirements but eventually they should be fine. Protection is not compromised during this time (if you use SCF they should be rebooted ASAP though).

    So maybe this helps. If not, you could still try fiddling with the database - for now I've decided to keep it for myself. Anyway I'll mention some basic queries related to this problem. Guess you don't have the SQL Management Studio installed. You can work with the database using SQLCMD from the (elevated) command prompt.

    sqlcmd -E -S <server>\<instance> -d <database> -Q "<query>"

    where <server>\<instance> is .\SOPHOS and <database> corresponds to your SEC version. <query> is the command (not necessarily a query) you want the database to perform.

    Thus to get the ID and IdentityTag for a certain computer name the query would be: 

    SELECT ID, Name, IdentityTag FROM dbo.ComputersAndDeletedComputers WHERE Name ='name'

    Note the quotes; name is of course the one you currently see in SEC for one of the "multi" computers. If this returns nothing then meanwhile one of the other "instances" has reported to SEC (or you have mistyped the name) and you'd have to repeat the query with the "new" name. If it returns more than one line you have computers with identical names as well. Make note of the ID and IdentityTag and repeat the command now using WHERE ID=id (note: no quotes!) several times. If more than one of the multi computers is active you will sooner or later get a different name (and also see the change in the console).

    That's it, HTH

    Christian
