SNMPTT sometimes leaves a hex string - encoding

Here is a part of the snmptt log file:
Tue May 17 22:20:47 2016 .1.3.6.1.4.1.31023.1.1.1.0.1 Normal "Status Events" ssav02 - ef47e072-c8e1-46ef-8c70-645a69bdd489 Backup Job 1 Success
Tue May 17 23:00:03 2016 .1.3.6.1.4.1.1302.3.1.2.8.0.5 INFORMATIONAL "Status Events" ssav02 - User advised of event: 42 61 63 6B 75 70 20 45 78 65 63 3A 20 44 E9 62 75 74 20 64 75 20 74 72 61 76 61 69 6C Job:53 53 41 56 30 32 20 2D 20 53 61 75 76 65 67 61 72 64 65 20 56 65 65 61 6D 2D 43 6F 6D 70 6C E8 74 65 4C 65 20 74 72 61 76 61 69 6C 20 61 20 64 E9 6D 61 72 72 E9 2E
Wed May 18 01:04:03 2016 .1.3.6.1.4.1.1302.3.1.2.8.0.7 MINOR "Status Events" ssav02 - User advised of event: Backup Exec: Avertissement de travail
Here is what is associated with this:
EVENT onVmBackupCompleted .1.3.6.1.4.1.31023.1.1.1.0.2 "Status Events" Normal
FORMAT $*
EXEC /usr/local/nagios/libexec/eventhandlers/submit_check_result $2 "Backup Veeam" 0 "$2 : $4 ($5)"
SDESC
This trap is sent on vm backup/replica completed.
Variables:
1: backupJobName
2: vmName
3: sourceHostName
4: vmBackupResult
5: vmBackupComment
EDESC
EVENT jobStarted .1.3.6.1.4.1.1302.3.1.2.8.0.5 "Status Events" INFORMATIONAL
FORMAT User advised of event: $1 Job:$3 $4
EXEC /usr/local/nagios/libexec/eventhandlers/submit_check_result $r "Sauvegarde ${3}" 0 "User advised of event: $1 Job:$3 $4"
SDESC
The Job has started.
Variables:
1: messageText
2: serverName
3: jobName
4: additionalText
EDESC
EVENT jobWarning .1.3.6.1.4.1.1302.3.1.2.8.0.7 "Status Events" MINOR
FORMAT User advised of event: $1
EXEC /usr/local/nagios/libexec/eventhandlers/submit_check_result $r TRAP 1 "User advised of event: $1"
SDESC
The job has a warning.
Variables:
1: messageText
EDESC
As you can see, for some traps, the message is not properly encoded, and the message generated is indescribable.
So why is my message sometimes hex-string encoded? How do I fix this?
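The hex runs in the second log line contain the bytes E9 and E8, which are "é" and "è" in ISO-8859-1, while the message that arrived as readable text is pure ASCII. The following added example (not part of the original question, and not SNMPTT code) decodes such runs inside a log line so the text can be read or indexed; the ISO-8859-1 charset, the four-pair minimum and all function names are assumptions.

```python
import re

# Four or more space-separated hex byte pairs, e.g. "42 61 63 6B".
# The four-pair minimum is an assumption that keeps dates and counters intact.
HEX_RUN = re.compile(r"\b[0-9A-Fa-f]{2}(?: [0-9A-Fa-f]{2}){3,}\b")

# Log lines copied from the question above.
HEX_LINE = ('Tue May 17 23:00:03 2016 .1.3.6.1.4.1.1302.3.1.2.8.0.5 INFORMATIONAL '
            '"Status Events" ssav02 - User advised of event: '
            '42 61 63 6B 75 70 20 45 78 65 63 3A 20 44 E9 62 75 74 20 64 75 20 '
            '74 72 61 76 61 69 6C Job:53 53 41 56 30 32 20 2D 20 53 61 75 76 65 '
            '67 61 72 64 65 20 56 65 65 61 6D 2D 43 6F 6D 70 6C E8 74 65 4C 65 '
            '20 74 72 61 76 61 69 6C 20 61 20 64 E9 6D 61 72 72 E9 2E')
TEXT_LINE = ('Wed May 18 01:04:03 2016 .1.3.6.1.4.1.1302.3.1.2.8.0.7 MINOR '
             '"Status Events" ssav02 - User advised of event: '
             'Backup Exec: Avertissement de travail')


def decode_run(hex_run, encoding="latin-1"):
    """Decode one run of hex pairs; escape anything that is not printable."""
    raw = bytes.fromhex(hex_run.replace(" ", ""))
    text = raw.decode(encoding, errors="replace")
    # Escaping control characters keeps a decoded trap from injecting
    # newlines or terminal escapes into whatever consumes the log.
    return "".join(c if c.isprintable() else "\\x%02x" % ord(c) for c in text)


def normalize_line(line, encoding="latin-1"):
    """Replace every hex run in a log line with its decoded text."""
    return HEX_RUN.sub(lambda m: decode_run(m.group(0), encoding), line)


if __name__ == "__main__":
    print(normalize_line(HEX_LINE))
    print(normalize_line(TEXT_LINE))
```
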

Can someone tell me why I am getting this error, is it because of the spacing (I know quotations matter)? [closed]

create table product(
productid int,
description varchar(20)
);

insert into product (
productid,
description )
Values ( 42 , ' tv');
ERROR: column "description" of relation "product" does not exist
As several people pointed out in comments, there are invisible characters (sometimes called "gremlins") in your SQL that make it invalid. Here's a hex dump of the contents (after copying the code from the question, using macOS commands):
$ pbpaste | xxd -g1
00000000: 63 72 65 61 74 65 20 74 61 62 6c 65 20 70 72 6f create table pro
00000010: 64 75 63 74 28 0a 70 72 6f 64 75 63 74 69 64 20 duct(.productid
00000020: 69 6e 74 2c e2 80 a8 0a 64 65 73 63 72 69 70 74 int,....descript
^^ ^^ ^^ ^^^
00000030: 69 6f 6e 20 76 61 72 63 68 61 72 28 32 30 29 0a ion varchar(20).
00000040: 29 3b 0a e2 80 a8 69 6e 73 65 72 74 20 69 6e 74 );....insert int
00000050: 6f 20 70 72 6f 64 75 63 74 20 28 e2 80 a8 70 72 o product (...pr
00000060: 6f 64 75 63 74 69 64 2c e2 80 a8 64 65 73 63 72 oductid,...descr
^^ ^^ ^^ ^^^
00000070: 69 70 74 69 6f 6e 20 29 e2 80 a8 56 61 6c 75 65 iption )...Value
^^ ^^ ^^ ^^^
00000080: 73 20 28 20 34 32 20 2c 20 27 20 74 76 27 29 3b s ( 42 , ' tv');
00000090: 0a 45 52 52 4f 52 3a 20 20 63 6f 6c 75 6d 6e 20 .ERROR: column
000000a0: 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 6f 66 "description" of
000000b0: 20 72 65 6c 61 74 69 6f 6e 20 22 70 72 6f 64 75 relation "produ
000000c0: 63 74 22 20 64 6f 65 73 20 6e 6f 74 20 65 78 69 ct" does not exi
000000d0: 73 74 st
(Note that xxd represents bytes that don't correspond to printable ASCII characters as "." in the text display on the right. The "."s that correspond to 0a in hex are newline characters.)
The hex codes e2 80 a8 correspond to the UTF-8 encoding of the unicode "line separator" character. I don't know how that character got in there; you'd have to trace back the origin of that code snippet to figure out where they were added.
I'd avoid using TextEdit for source code (and config files, etc.). Instead, I'd recommend using BBEdit or some other code-oriented editor. I think even in BBEdit's free-demo mode it can show (and let you remove) normally-invisible characters by choosing View menu -> Text Display -> Show Invisibles.
You can also remove non-plain-ASCII characters from a text file from the macOS Terminal with:
LC_ALL=C tr -cd '\n\t -~' <infile.txt >cleanfile.txt
(Replacing infile.txt and cleanfile.txt with the paths/names of the input file and where you want to store the output.) Warning: do not try to write the cleaned contents back to the original file, that won't work. Also, don't use this to clean anything except plain text files (if the file has any sections that aren't supposed to be text sections, this may mangle those sections). Keep the original file as a backup until you've verified that the "clean" version works right.
You can also "clean" the paste buffer with:
pbpaste | LC_ALL=C tr -cd '\n\t -~' | pbcopy
...so just copy the relevant code from your text editor, run that in Terminal, then paste the cleaned version back into the editor.
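A scanner for the kind of character the hex dump above exposed, as an added example that is not part of the original answer: it reports where each invisible character sits and, unlike the tr filter, leaves ordinary accented letters alone. The sample SQL is rebuilt from the bytes in the dump; the function names and the set of flagged Unicode categories are assumptions.

```python
import unicodedata

# Reconstructed from the bytes in the xxd dump above (e2 80 a8 is U+2028).
SQL_SAMPLE = (
    "create table product(\n"
    "productid int,\u2028\n"
    "description varchar(20)\n"
    ");\n"
    "\u2028insert into product (\u2028productid,\u2028description )\u2028"
    "Values ( 42 , ' tv');\n"
)

# Categories that render as nothing or as whitespace: controls, format
# characters (zero-width, bidi), line/paragraph separators, odd spaces.
SUSPECT = {"Cc", "Cf", "Zl", "Zp", "Zs"}


def is_gremlin(ch):
    if ch in "\n\t\r" or " " <= ch <= "~":
        return False  # ordinary ASCII text and whitespace
    return unicodedata.category(ch) in SUSPECT


def find_gremlins(text):
    """Return (line, column, code point, name) for each invisible character."""
    found = []
    # Split on "\n" only: str.splitlines() treats U+2028 itself as a line
    # break, which would hide the very character being hunted.
    for lineno, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if is_gremlin(ch):
                found.append((lineno, col, "U+%04X" % ord(ch),
                              unicodedata.name(ch, "<unnamed>")))
    return found


def strip_gremlins(text):
    """Turn stray separators/spaces into a plain space and drop the rest."""
    return "".join(
        (" " if unicodedata.category(ch).startswith("Z") else "")
        if is_gremlin(ch) else ch
        for ch in text
    )


if __name__ == "__main__":
    for hit in find_gremlins(SQL_SAMPLE):
        print("line %d col %d: %s %s" % hit)
```
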

Snort logs in OSSIM show hex in payload but I want only the text to be there. Is there a config I can change in Snort?

I am new to snort and I am testing things out with OSSIM. I've installed snort and using rsyslog I am getting snort alerts.log to OSSIM. But the thing is payloads of events in OSSIM show as
length = 219
000 : 31 31 2F 32 35 2F 31 39 2D 31 30 3A 30 34 3A 32 11/25/19-10:04:2
010 : 39 2E 37 38 30 31 32 34 20 20 5B 2A 2A 5D 20 5B 9.780124 [**] [
020 : 31 32 30 3A 31 38 3A 33 5D 20 28 68 74 74 70 5F 120:18:3] (http_
030 : 69 6E 73 70 65 63 74 29 20 50 52 4F 54 4F 43 4F inspect) PROTOCO
040 : 4C 2D 4F 54 48 45 52 20 48 54 54 50 20 73 65 72 L-OTHER HTTP ser
050 : 76 65 72 20 72 65 73 70 6F 6E 73 65 20 62 65 66 ver response bef
060 : 6F 72 65 20 63 6C 69 65 6E 74 20 72 65 71 75 65 ore client reque
070 : 73 74 20 20 5B 2A 2A 5D 20 5B 43 6C 61 73 73 69 st [**] [Classi
080 : 66 69 63 61 74 69 6F 6E 3A 20 55 6E 6B 6E 6F 77 fication: Unknow
090 : 6E 20 54 72 61 66 66 69 63 5D 20 5B 50 72 69 6F n Traffic] [Prio
0a0 : 72 69 74 79 3A 20 33 5D 20 7B 54 43 50 7D 20 31 rity: 3] {TCP} 1
0b0 : 39 32 2E 31 36 38 2E 30 2E 31 36 38 3A 38 30 38 92.168.0.168:808
0c0 : 30 20 2D 3E 20 31 39 32 2E 31 36 38 2E 30 2E 31 0 -> 192.168.0.1
0d0 : 32 32 3A 33 39 31 37 30 22 20 0A 22:39170" .
But I want it to be like
11/25/19-10:04:29.780124 [**] [120:18:3] (http_inspect) PROTOCOL-OTHER HTTP server response before client request [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.0.168:8080 -> 192.168.0.122:39170" .
Is there any config in snort I can change to make this happen?
Thanks in advance for any help!

Copying a CSV file from stdin throws "missing data for column"

I have some data that has been exported from postgres, reworked a bit using a spreadsheet and I now want the data back into a table, but I keep failing on the import:
cat extract.csv | psql -h 10.135.0.44 myapp myapp -f copy-user.sql
psql:copy-user.sql:7: ERROR: missing data for column "email"
CONTEXT: COPY to_update, line 1: ""
The actual data is supplied below. I first converted the CSV file from DOS to Unix style line endings. It didn't seem to matter much.
copy-user.sql
COPY "to_update"
FROM STDIN
WITH DELIMITER ';' CSV;
extract.csv
bfb92e29-1d2c-45c4-b9ab-357a3ac7ad13;test#test90239023783457843.com;x
aeccc3ea-cc1f-43ef-99ff-e389d5d63b22;tester#testerkjnaefgjnwerg.no;x
9cec13ae-c880-4371-9b1c-dd201f5cf233;bloblo#gmail.com;x
aeada2bc-a362-4f3e-80f2-06a717206802;vet#gmail.com;x
fb85ddd8-7d17-4d41-8bc3-213b1e469506;navnnavnesen#ptflow.com;x
528e1f2e-1baa-483b-bc8c-85f993014696;kklk#hotmail.com;x
dbc8a9c1-56cf-4589-8b2c-cf1a2e0832ed;ghiiii#hotmail.com;x
fbf23553-baa2-410a-8f96-32b5c4deb0c7;lala#lala.no;x
e22ec0de-06f9-428a-aa3e-171c38f9a1f7;x2#gmail.com;x
8e8d0f73-8eb7-43b4-8019-b79042731b97;mail#mail.com;x
table definition for to_update
create table to_update(id text, email text, text char);
-- also tried this variant, but same error
-- create table to_update(id uuid, email text, text char);
EDIT: Additional info
It seems this exact same thing doesn't throw on my local machine:
$ cat extract.csv | psql postgres -f copy-user.sql
Timing is on.
Line style is unicode.
Border style is 2.
Null display is "[NULL]".
Expanded display is used automatically.
COPY 0
Time: 0.430 ms
It still doesn't work (as it just copies 0 rows), but at least it doesn't throw an error. That points to it being related to the environment (versions, locale settings, etc).
Local machine (which doesn't throw error)
$ psql --version
psql (PostgreSQL) 10.6
$ psql postgres -c "SHOW server_version;"
Timing is on.
Line style is unicode.
Border style is 2.
Null display is "[NULL]".
Expanded display is used automatically.
┌────────────────┐
│ server_version │
├────────────────┤
│ 10.6 │
└────────────────┘
(1 row)
Time: 40.960 ms
$ printenv | grep LC
LC_CTYPE=UTF-8
Remote server(s) (which throws error)
$ psql --version # this is the client, not the same physical server as the db
psql (PostgreSQL) 9.5.12
$ psql -h 10.135.0.44 myapp myapp -c "SHOW server_version;"
Password for user pete:
server_version
----------------
9.5.12
(1 row)
$ printenv | grep LC
LC_ALL=C.UTF-8
LC_CTYPE=UTF-8
LANG=C.UTF-8
Hex dump of extract.csv (all 7 lines)
$ wc -l extract.csv
10 extract.csv
$ hexdump -C extract.csv
00000000 62 66 62 39 32 65 32 39 2d 31 64 32 63 2d 34 35 |bfb92e29-1d2c-45|
00000010 63 34 2d 62 39 61 62 2d 33 35 37 61 33 61 63 37 |c4-b9ab-357a3ac7|
00000020 61 64 31 33 3b 74 65 73 74 40 74 65 73 74 39 30 |ad13;test#test90|
00000030 32 33 39 30 32 33 37 38 33 34 35 37 38 34 33 2e |239023783457843.|
00000040 63 6f 6d 3b 78 0a 61 65 63 63 63 33 65 61 2d 63 |com;x.aeccc3ea-c|
00000050 63 31 66 2d 34 33 65 66 2d 39 39 66 66 2d 65 33 |c1f-43ef-99ff-e3|
00000060 38 39 64 35 64 36 33 62 32 32 3b 74 65 73 74 65 |89d5d63b22;teste|
00000070 72 40 74 65 73 74 65 72 6b 6a 6e 61 65 66 67 6a |r#testerkjnaefgj|
00000080 6e 77 65 72 67 2e 6e 6f 3b 78 0a 39 63 65 63 31 |nwerg.no;x.9cec1|
00000090 33 61 65 2d 63 38 38 30 2d 34 33 37 31 2d 39 62 |3ae-c880-4371-9b|
000000a0 31 63 2d 64 64 32 30 31 66 35 63 66 32 33 33 3b |1c-dd201f5cf233;|
000000b0 62 6c 6f 62 6c 6f 40 67 6d 61 69 6c 2e 63 6f 6d |bloblo#gmail.com|
000000c0 3b 78 0a 61 65 61 64 61 32 62 63 2d 61 33 36 32 |;x.aeada2bc-a362|
000000d0 2d 34 66 33 65 2d 38 30 66 32 2d 30 36 61 37 31 |-4f3e-80f2-06a71|
000000e0 37 32 30 36 38 30 32 3b 76 65 74 40 67 6d 61 69 |7206802;vet#gmai|
000000f0 6c 2e 63 6f 6d 3b 78 0a 66 62 38 35 64 64 64 38 |l.com;x.fb85ddd8|
00000100 2d 37 64 31 37 2d 34 64 34 31 2d 38 62 63 33 2d |-7d17-4d41-8bc3-|
00000110 32 31 33 62 31 65 34 36 39 35 30 36 3b 6e 61 76 |213b1e469506;nav|
00000120 6e 6e 61 76 6e 65 73 65 6e 40 70 74 66 6c 6f 77 |nnavnesen#ptflow|
00000130 2e 63 6f 6d 3b 78 0a 35 32 38 65 31 66 32 65 2d |.com;x.528e1f2e-|
00000140 31 62 61 61 2d 34 38 33 62 2d 62 63 38 63 2d 38 |1baa-483b-bc8c-8|
00000150 35 66 39 39 33 30 31 34 36 39 36 3b 6b 6b 6c 6b |5f993014696;kklk|
00000160 40 68 6f 74 6d 61 69 6c 2e 63 6f 6d 3b 78 0a 64 |#hotmail.com;x.d|
00000170 62 63 38 61 39 63 31 2d 35 36 63 66 2d 34 35 38 |bc8a9c1-56cf-458|
00000180 39 2d 38 62 32 63 2d 63 66 31 61 32 65 30 38 33 |9-8b2c-cf1a2e083|
00000190 32 65 64 3b 67 68 69 69 69 69 40 68 6f 74 6d 61 |2ed;ghiiii#hotma|
000001a0 69 6c 2e 63 6f 6d 3b 78 0a 66 62 66 32 33 35 35 |il.com;x.fbf2355|
000001b0 33 2d 62 61 61 32 2d 34 31 30 61 2d 38 66 39 36 |3-baa2-410a-8f96|
000001c0 2d 33 32 62 35 63 34 64 65 62 30 63 37 3b 6c 61 |-32b5c4deb0c7;la|
000001d0 6c 61 40 6c 61 6c 61 2e 6e 6f 3b 78 0a 65 32 32 |la#lala.no;x.e22|
000001e0 65 63 30 64 65 2d 30 36 66 39 2d 34 32 38 61 2d |ec0de-06f9-428a-|
000001f0 61 61 33 65 2d 31 37 31 63 33 38 66 39 61 31 66 |aa3e-171c38f9a1f|
00000200 37 3b 78 32 40 67 6d 61 69 6c 2e 63 6f 6d 3b 78 |7;x2#gmail.com;x|
00000210 0a 38 65 38 64 30 66 37 33 2d 38 65 62 37 2d 34 |.8e8d0f73-8eb7-4|
00000220 33 62 34 2d 38 30 31 39 2d 62 37 39 30 34 32 37 |3b4-8019-b790427|
00000230 33 31 62 39 37 3b 6d 61 69 6c 40 6d 61 69 6c 2e |31b97;mail#mail.|
00000240 63 6f 6d 3b 78 0a |com;x.|
00000246
I think you want \copy ... from pstdin... on a single line. Both the starting backslash and pstdin instead of stdin are on purpose.
This mailing-list thread: psql -f COPY from STDIN explains the problem and the solution.
COPY FROM STDIN expects data inline after the COPY command, as in a dump file, not from the standard input of the psql process.
Relevant snippet from the mailing list summing up the alternatives
I'd like the store the COPY command in a separate file without
specifying an input file name. I want to feed it the data from the
shell script that calls psql
"STDIN: All rows are read from the same source that issued the
command"
- As I understand now, this applies to both COPY and \COPY. In other words the input file must contain command and data.
I have found a few solutions to achieve my objective:
1) using COPY FROM STDIN cat event.csv | psql -c "$(cat event.sql)"
2) using COPY FROM STDIN psql -f <(cat event.sql event.csv)
3) using \COPY FROM PSTDIN cat event.csv | psql -f event.sql
4) using \COPY FROM STDIN psql -f <(cat event.sql event.csv <(echo
"."))
What I don't like about \COPY is that it has to be on one line. Indeed
it can't be split over multiple lines
following works in my setup:
cat extract.csv | psql -d db_name -U user_name -c "copy to_update from stdin with delimiter ';' csv"
or
psql -d db_name -U user_name -c "\copy public.to_update(id, email, text) from '/path_to/extract.csv' with delimiter ';' csv"
With regards to the actual thrown error, after some debugging, I found that this error only happens with Postgres 9.5.12, not my local database running 10.6. That's using the exact same script in the sql file.
Postgres 9.5.12 doesn't handle multi-line COPY FROM STDIN statements! Deleting the newlines so that the entire expression was on a single line made it run. It still didn't work, though, as it still showed 0 rows being copied, but that is really a different question ... Krishna was onto something though ... I'll post a separate question for that and link it up.

Failed to start MongoDB with deployd

I want to run deployd (look here for what dpd is) on my server (Ubuntu 14.04).
I have installed every needed dependency.
When I try to run dpd I get the error starting deployd v0.7.0... Failed to start MongoDB.
So I tried DEBUG=* dpd -d and I get this
starting deployd v0.7.0...
mongod starting mongod +0ms
mongod <Buffer 32 30 31 34 2d 30 38 2d 30 35 54 31 31 3a 34 35 3a 32 30 2e 38 36 39 2b 30 32 30 30 20 5b 69 6e 69 74 61 6e 64 6c 69 73 74 65 6e 5d 20 4d 6f 6e 67 6f 44 ...> +28ms
mongod <Buffer 32 30 31 34 2d 30 38 2d 30 35 54 31 31 3a 34 35 3a 32 30 2e 38 37 31 2b 30 32 30 30 20 5b 69 6e 69 74 61 6e 64 6c 69 73 74 65 6e 5d 20 64 62 20 76 65 72 ...> +2ms
mongod <Buffer 32 30 31 34 2d 30 38 2d 30 35 54 31 31 3a 34 35 3a 32 30 2e 38 37 31 2b 30 32 30 30 20 5b 69 6e 69 74 61 6e 64 6c 69 73 74 65 6e 5d 20 67 69 74 20 76 65 ...> +0ms
mongod <Buffer 32 30 31 34 2d 30 38 2d 30 35 54 31 31 3a 34 35 3a 32 30 2e 38 39 30 2b 30 32 30 30 20 5b 69 6e 69 74 61 6e 64 6c 69 73 74 65 6e 5d 20 65 78 63 65 70 74 ...> +19ms
mongod <Buffer 32 30 31 34 2d 30 38 2d 30 35 54 31 31 3a 34 35 3a 32 30 2e 38 39 30 2b 30 32 30 30 20 5b 69 6e 69 74 61 6e 64 6c 69 73 74 65 6e 5d 20 64 62 65 78 69 74 ...> +1ms
mongod exit code 100 +2ms
Failed to start MongoDB
mongod error: 1 +1ms
mongod killing mongod +0ms
mongodb is running on my server correctly, because I can call mongo in Terminal and I get this
MongoDB shell version: 2.6.3
connecting to: test
>
I've had the same problem when using my deployd-app in a vagrant shared folder over NFS (network file system). MongoDB doesn't like to operate over NFS.
Performance problems arise when both the data files and the journal
files are hosted on NFS. You may experience better performance if you
place the journal on local or iscsi volumes. If you must use NFS, add
the following NFS options to your /etc/fstab file: bg, nolock, and
noatime.
http://docs.mongodb.org/manual/administration/production-notes/#remote-filesystems
Alternative: Try to run your app in a non-shared folder

using sed, how does one match square brackets in a character class?

Here's a chunk of the raw data:
00000000 54 6f 70 69 63 20 46 6f 72 75 6d 20 52 65 70 6c |Topic Forum Repl|
00000010 69 65 73 20 4c 61 73 74 20 70 6f 73 74 20 31 20 |ies Last post 1 |
00000020 4c 69 6e 75 78 20 54 6f 64 61 79 20 31 34 3a 34 |Linux Today 14:4|
00000030 36 3a 35 37 20 62 79 20 4c 69 6e 75 78 20 4f 75 |6:57 by Linux Ou|
00000040 74 6c 61 77 73 20 32 36 39 20 e2 80 93 20 53 6f |tlaws 269 ... So|
00000050 6d 65 6f 6e 65 20 4b 6c 6f 73 65 20 54 68 61 74 |meone Klose That|
00000060 20 4f 75 74 6c 61 77 73 20 32 38 20 73 79 73 79 | Outlaws 28 sysy|
00000070 70 68 75 73 2e 6a 6f 6e 65 73 20 48 6f 6c 65 20 |phus.jones Hole |
00000080 62 79 20 59 4f 42 41 20 5b 20 31 20 32 20 5d 20 |by YOBA [ 1 2 ] |
00000090 32 20 4c 69 6e 75 78 20 26 20 54 6f 64 61 79 20 |2 Linux & Today |
000000a0 31 31 3a 34 34 3a 35 31 20 62 79 20 4c 6f 6f 6b |11:44:51 by Look|
000000b0 73 20 6c 69 6b 65 20 43 61 6e 6f 6e 69 63 61 6c |s like Canonical|
000000c0 20 69 73 20 61 6e 6e 6f 75 63 69 6e 67 20 70 6c | is annoucing pl|
000000d0 61 6e 73 20 46 72 65 65 64 6f 6d 20 31 20 6b 72 |ans Freedom 1 kr|
It's a hex dump and I'm interested in isolating the text part.
Here's a sed expression that almost works:
$ sed 's/.* |\([a-zA-Z0-9:& \.]*\)|$/\1/g' hex.dat
Topic Forum Repl
ies Last post 1
Linux Today 14:4
6:57 by Linux Ou
tlaws 269 ... So
meone Klose That
Outlaws 28 sysy
phus.jones Hole
00000080 62 79 20 59 4f 42 41 20 5b 20 31 20 32 20 5d 20 |by YOBA [ 1 2 ] |
2 Linux & Today
11:44:51 by Look
s like Canonical
is annoucing pl
ans Freedom 1 kr
Almost. But how to filter that last line though?
$ sed 's/.* |\([a-zA-Z0-9:&\[\] \.]*\)|$/\1/g' hex.dat
And:
$ sed 's/.* |\([a-zA-Z0-9:&\\[\\] \.]*\)|$/\1/g' hex.dat
Don't work at all (they fail to translate anything).
And:
$ sed 's/.* |\([a-zA-Z0-9:&[] \.]*\)|$/\1/g' hex.dat
obviously can't work.
Thanks for any help.
You almost had it.
Look at this section of a Unix regular expressions tutorial.
The way that yours could be done is by placing ][ immediately after you begin your character class.
So, try sed 's/.* |\([][a-zA-Z0-9:& \.]*\)|$/\1/g' hex.dat
For clarification, it does not matter where in the character class the [ is, so long as the closing bracket you intend to include in your character class (]) immediately follows the opening of your character class.
Also, as a further edit, try typing man cut and using what Tomasz said in a comment.
cut -d'|' -f2 hex.dat will cut your file, delimiting on a pipe, and take the second field.
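Both the sed expression and the cut command above keep the dump's ASCII column, where every non-printable byte has already been replaced by a dot (the e2 80 93 at offset 0x4a shows as "..."). The following added example, not part of the original answers, rebuilds the text from the hex column instead and also reads the OSSIM payload layout from the Snort question; the function names and the `total` parameter are assumptions, and UTF-8 is an assumption about the payload's encoding.

```python
import re

# Offset, optional ":" (OSSIM payload view), then the rest of the row.
ROW = re.compile(r"^\s*([0-9A-Fa-f]{3,8})\s*:?\s+(\S.*)$")
PAIR = re.compile(r"^[0-9A-Fa-f]{2}$")

# Rows copied from the two dumps on this page.
HEXDUMP_ROWS = """\
00000040 74 6c 61 77 73 20 32 36 39 20 e2 80 93 20 53 6f |tlaws 269 ... So|
00000050 6d 65 6f 6e 65 20 4b 6c 6f 73 65 20 54 68 61 74 |meone Klose That|
"""
OSSIM_ROWS = """\
length = 219
0c0 : 30 20 2D 3E 20 31 39 32 2E 31 36 38 2E 30 2E 31 0 -> 192.168.0.1
0d0 : 32 32 3A 33 39 31 37 30 22 20 0A 22:39170" .
"""


def dump_to_bytes(dump, width=16, total=None):
    """Rebuild the payload from the hex column, ignoring the ASCII column.

    total is the payload length when the dump states it; it stops a short
    last row from swallowing ASCII-column text that looks like hex pairs.
    """
    out = bytearray()
    expected = None
    for row in dump.splitlines():
        m = ROW.match(row)
        if not m:
            continue  # e.g. "length = 219"
        offset = int(m.group(1), 16)
        if expected is not None and offset != expected:
            raise ValueError("gap or reordering at offset %#x" % offset)
        limit = width if total is None else max(0, min(width, total - offset))
        taken = 0
        for token in m.group(2).split()[:limit]:
            if not PAIR.match(token):
                break  # reached the ASCII column
            out.append(int(token, 16))
            taken += 1
        expected = offset + taken
    return bytes(out)


def dump_to_text(dump, encoding="utf-8", **kwargs):
    """Decode the rebuilt payload; undecodable bytes become U+FFFD."""
    return dump_to_bytes(dump, **kwargs).decode(encoding, errors="replace")


if __name__ == "__main__":
    print(repr(dump_to_text(HEXDUMP_ROWS)))
    print(repr(dump_to_text(OSSIM_ROWS, total=219)))
```
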