A few years ago I wrote some words about IBM SiteProtector. It was the next version of the IDS after RealSecure. I remembered that I used SQL queries, which I had written myself, for security monitoring. But I had one problem with reading the URI parameter from the ISSED database (MSDE 2000): the URI string appeared in the database as percent-encoded Unicode (the UTF-8 bytes written as %XX escapes), so it showed up as %D0%BA%D0%BE%D1 in my morning report. That isn't readable on the fly.
This situation doesn't permit quick analysis, so I decided to add a Unicode decoder to my code. I used JScript.
This is the command line for the OSQL utility:
osql -n -E -d ISSED -i ev40.sql -o ev40.log -w 840
This is the ev40.sql query:
select
    e.EventDate,
    e.OrigEventName,
    e.DisplaySrcIPAddress, e.DisplayDestIPAddress,
    ep.EventID, ep.ParamValue
from Events e, EventParams ep, EventDay d
where
    e.EventID = ep.EventID and              -- join each event to its parameters
    e.OrigEventName like 'HTTP_%' and       -- only HTTP signatures
    d.DayID = e.DayID and                   -- join to the day table for the date filter
    (ep.ParamName = ':URL' or
     ep.ParamName = ':field_value' or
     ep.ParamName = ':arg')                 -- the parameters that carry a URI
    and
    ep.ParamValue like '%http%'
    and
    (d.CurrentDate = '09.13.2015')          -- the day of the report
And this is DecodeEv40.js, which does the decoding.
/*******************************************************************/
/* Name: DecodeEv40.js */
/* Language: JScript */
/* Purpose: decode URI string in RealSecure events DB */
/*******************************************************************/
var FSO, F, F0, TextStream, TS, hname;
var ForReading = 1,
    ForWriting = 2,
    TristateUseDefault = -2;

FSO = WScript.CreateObject("Scripting.FileSystemObject");

// Output file: the decoded report
FSO.CreateTextFile("ev40decode.log");
F = FSO.GetFile("ev40decode.log");
TextStream = F.OpenAsTextStream(ForWriting, TristateUseDefault);

// Input file: the raw osql output
F0 = FSO.GetFile("ev40.log");
TS = F0.OpenAsTextStream(ForReading, TristateUseDefault);

// The first line is the column header; copy it through unchanged
TextStream.WriteLine(TS.ReadLine());

while (!TS.AtEndOfStream)
{
    hname = TS.ReadLine();
    try
    {
        // two decodeURI passes for values that were percent-encoded twice,
        // then unescape for the %XX sequences decodeURI leaves alone and for %uXXXX
        hname = decodeURI(hname);
        hname = decodeURI(hname);
        hname = unescape(hname);
    }
    catch (e)
    {
        // decodeURI throws URIError on a malformed sequence;
        // hname keeps the last successful result and is still written below
        TextStream.WriteLine("Error during decode URI!");
    }
    TextStream.WriteLine(hname);
}

TS.Close();
TextStream.Close();
This is the command line to run DecodeEv40.js:
cscript DecodeEv40.js
You may be surprised that I use two calls of decodeURI and one call of unescape. It was a surprise for me too, but it works correctly.)
See you later.