Extended signatures for BFI

Has anyone worked on creating extended signatures to look for version information in file contents? Here is the scenario I had.

There is a file on the server, MYFILE.txt, which contains “MYAPP_version=1.3”. I created an extended signature using the XML below:

<MultipleInstance>
	<Iterator export="true" name="INSTALL_PATH">
		<FindFilePathEx name="MYFILE.txt"/>
	</Iterator>
	<Instance>
		<Variable export="false" name="file_read">
			<ReadFile path="$(INSTALL_PATH)MYFILE.txt"/>
		</Variable>
		<Variable name="IS_INSTALLED">
			<Contains inputString="$(file_read)" position="contains" searchedString="MYAPP_version=1.3"/>
		</Variable>
		<Condition withVariable="IS_INSTALLED">
			<Action do="SKIP" onValue="false"/>
		</Condition>
	</Instance>
</MultipleInstance>

After creating this entry, I ran an import to distribute the catalog to the endpoint and then ran a Software scan. However, nothing is being discovered against the signature.
Is there something I am missing?

@michalpaluch @Andrzej.Pietrzak Do you have any thoughts?

Check the catalog.xml file on the endpoint to see if it contains your signature.
Next check the <EP_ID>_citlog.xml file, which contains the CIT error/warn log for signatures, and see if your signature was correctly evaluated.

I can see the signature in the catalog.xml file on the endpoint, and the citlog.xml file does not show any errors for that signature GUID. Does it have something to do with the .txt file used in the signature? _cit.xml.bz2 does not contain any matches.

Also, I tried running the command wscansw and I didn’t get any match.
I have used content provided by IBM in the BFI Catalog as a template and it doesn’t work at all. What are we missing? Is there any documentation besides the User’s Guide that we can review?


I just tested this signature and it works just fine. Here is what I did.

  1. created my small test_catalog.xml; note I removed the condition just to be able to see it in the output even if it fails (you can see the content here: https://justpaste.it/3k1a7)
  2. defined the library paths for CIT (if you do not do that, you will see "Expression [FindFilePathEx] could not be resolved." in error.txt):
    LIBPATH="/opt/tivoli/cit/bin:$LIBPATH"
    export LIBPATH
    SHLIB_PATH="/opt/tivoli/cit/bin:$SHLIB_PATH"
    export SHLIB_PATH
    LD_LIBRARY_PATH="/opt/tivoli/cit/bin:$LD_LIBRARY_PATH"
    export LD_LIBRARY_PATH
  3. ran:
    ./wscansw -i test_catalog.xml -e error.txt -o out.txt -l MAX -c /var/opt/BESClient/LMT/CIT/sw_config.xml
    If there is no MYFILE.txt on file system, you will see in max logs:
    Signature [e6c4375b9bc14eb40a7f36f887443115] skipped because no instances are available.

However, if there is a MYFILE.txt but the content doesn’t match, out.txt contains:
https://justpaste.it/6ij62

If the content matches:
https://justpaste.it/4p2rm


Yeah, that works…

I’ll try now creating the signature in BFI and run a new scan to see how it goes…

Yeah, this is working for me too now. I was getting the error below when I tried this on Windows:

18/10/24 09:43:14 I [Plugin ] ReadFile::getScalarResult(Plug [85892] File: C:\Program Files\MYAPP\MYFILE.txt opened successfully (native mode)
18/10/24 09:43:14 I [Plugin ] ReadFile::getScalarResult::_fo [85892] ----------------------------------> ENTRY
18/10/24 09:43:14 I [Plugin ] ReadFile::getScalarResult::_fo [85892] <---------------------------------- EXIT
18/10/24 09:43:14 I [Plugin ] ReadFile::getScalarResult(Plug [85892] <-------------------------------- EXIT
18/10/24 09:43:14 I [XSE ] ExpressionShell::~ExpressionSh [85892] --------------------------------> ENTRY
18/10/24 09:43:14 I [XSE ] ExpressionShell::~ExpressionSh [85892] <-------------------------------- EXIT
18/10/24 09:43:14 I [XSE ] ProcessorUtility::evaluateVari [85892] Adding variable file_read value: ÿþM
18/10/24 09:43:14 I [XSE ] ProcessorUtility::evaluateVari [85892] <------------------------------ EXIT

MYFILE.txt contains the line “MYAPP_version=1.3”, but I think the scanner was not able to read it because of the encoding. Once I fixed the encoding, the signature matched.

I am still trying to comprehend what the issue was with the original signature I used. The only difference I see is:

<Condition withVariable="IS_INSTALLED">
	<Action do="SKIP" onValue="false"/>
</Condition>

Was this creating the issue?

Nope, you should add it to the production signature. I removed it only for test purposes, but in fact BFI expects only matched GUIDs in the output file, hence the condition.
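The Windows log above records the start of the file_read value as “ÿþM”, which is how the bytes FF FE (the UTF-16 little-endian byte-order mark) followed by an ASCII “M” render when a byte-oriented logger prints them as Latin-1. In that encoding every character is followed by a NUL byte, so a byte-level search for “MYAPP_version=1.3” cannot match. The following Python is an added illustration, not CIT or BFI code, of how to check a candidate file for a BOM, confirm whether the marker string is only findable after decoding, and rewrite the file as UTF-8 the way the post above describes. The sample bytes are constructed inline; the function names are my own.

```python
"""Check why a ReadFile/Contains extended-signature match can fail on a text file.

Added example (not part of CIT/BFI): detects a byte-order mark, compares a raw
byte search against a decoded search, and re-encodes the content as UTF-8.
"""
from __future__ import annotations

import codecs
from typing import Optional, Tuple

# Byte-order marks, longest first so UTF-32 LE (FF FE 00 00) is not
# misreported as UTF-16 LE (FF FE).
_BOMS = [
    (codecs.BOM_UTF32_LE, "utf-32-le"),
    (codecs.BOM_UTF32_BE, "utf-32-be"),
    (codecs.BOM_UTF8, "utf-8-sig"),
    (codecs.BOM_UTF16_LE, "utf-16-le"),
    (codecs.BOM_UTF16_BE, "utf-16-be"),
]


def detect_bom(data: bytes) -> Optional[str]:
    """Return the codec name implied by a leading BOM, or None if there is none."""
    for bom, name in _BOMS:
        if data.startswith(bom):
            return name
    return None


def decode_text(data: bytes) -> str:
    """Decode file bytes honouring a BOM; assume UTF-8 when no BOM is present."""
    enc = detect_bom(data)
    if enc is None:
        return data.decode("utf-8", errors="replace")
    bom = next(b for b, n in _BOMS if n == enc)
    return data[len(bom):].decode(enc)


def marker_present(data: bytes, marker: str) -> Tuple[bool, bool]:
    """(found by a raw byte search, found after decoding).

    A UTF-16 file gives (False, True): the marker is there, but only a decoder
    sees it, which is the failure mode described in the thread.
    """
    return (marker.encode("utf-8") in data, marker in decode_text(data))


def to_utf8(data: bytes) -> bytes:
    """Re-encode as BOM-less UTF-8, the 'fix the encoding' step from the post."""
    return decode_text(data).encode("utf-8")


def latin1_preview(data: bytes, n: int = 3) -> str:
    """Render the first n bytes one-byte-per-character, as a byte-oriented log does."""
    return data[:n].decode("latin-1")


# Constructed sample: the thread's marker line saved as UTF-16 LE with a BOM,
# the way Notepad's "Unicode" option writes it. Explicit LE so the result does
# not depend on the host byte order.
SAMPLE_UTF16 = codecs.BOM_UTF16_LE + "MYAPP_version=1.3\n".encode("utf-16-le")

if __name__ == "__main__":
    print("BOM codec:", detect_bom(SAMPLE_UTF16))
    print("log preview:", latin1_preview(SAMPLE_UTF16))   # ÿþM, as in the CIT log
    print("raw/decoded match:", marker_present(SAMPLE_UTF16, "MYAPP_version=1.3"))
    print("after UTF-8 rewrite:", marker_present(to_utf8(SAMPLE_UTF16), "MYAPP_version=1.3"))
```

Run it against a real file with `marker_present(open(path, "rb").read(), "MYAPP_version=1.3")`: a result of `(False, True)` means the content is correct but the encoding is what the scanner trips over.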

Hi,
I’m struggling with something similar to this:

I’m trying to find a specific string in a file:

<MultipleInstance>
  <Iterator name="file_list" export="false">
    <FindFilePathEx name="tq.ini" />
  </Iterator>
  <Instance>
    <Variable name="file_read" export="false">
      <ReadFile path="$(file_list)tq.ini" />
    </Variable>
    <Variable name="IS_INSTALLED">
      <Compare type="string" relation="ne">
        <VectorToScalar>
          <Vector filter="Data">
          <ValueOf value="$(file_read)" />
          </Vector>
        </VectorToScalar>
        <ValueOf value="" />
      </Compare>
    </Variable>
    <Condition withVariable="IS_INSTALLED">
      <Action onValue="false" do="SKIP" />
    </Condition>
  </Instance>
</MultipleInstance>

and I try to test it with this:
./wscansw -i extended_signature_test_tq.xml -o output.xml -e warning.xml

the only output I get in both files is:

<?xml version="1.0" encoding="UTF-8"?>

the file is placed in:
/opt/teamquest/manager/etc/

and it contains this:
[Database]
Data Directory=/opt/teamquest/data

Try:

<MultipleInstance>
	<Iterator export="true" name="INSTALL_PATH">
		<FindFilePathEx name="tq.ini"/>
	</Iterator>
	<Instance>
		<Variable export="false" name="file_read">
			<ReadFile path="$(INSTALL_PATH)tq.ini"/>
		</Variable>
		<Variable name="IS_INSTALLED">
			<Contains inputString="$(file_read)" position="contains" searchedString="Data Directory=/opt/teamquest/data"/>
		</Variable>
	</Instance>
</MultipleInstance>
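Two things in this thread are cheap to check before a signature ever reaches an endpoint: that every `$(NAME)` reference resolves to an Iterator or Variable declared earlier in the fragment, and that the Instance carries the `<Condition>`/`<Action do="SKIP" onValue="false"/>` pair that the earlier reply says BFI relies on to report only matched GUIDs. Typographic quotes, which a forum or word processor may substitute for straight ones, also break XML parsing outright. The lint below is an added example written for this thread, not a BFI or CIT tool; the checks encode only what the posts above state, and the rule names are my own. The two signatures embedded in it are the ones posted in this thread.

```python
"""Sanity-check a CIT extended-signature fragment before importing it into the BFI catalog.

Added example (not BFI/CIT code). Flags: typographic quotes, malformed XML,
wrong root element, $(NAME) references that no earlier Iterator/Variable
declares, and a missing SKIP-on-false Condition.
"""
import re
import xml.etree.ElementTree as ET
from typing import List

# Curly quotes that editors and forums substitute for straight ones; not valid XML delimiters.
_CURLY = {"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"}
_REF = re.compile(r"\$\(([A-Za-z_][A-Za-z0-9_]*)\)")


def lint_signature(xml_text: str) -> List[str]:
    """Return a list of findings; an empty list means nothing obvious is wrong."""
    findings: List[str] = []
    if any(ch in xml_text for ch in _CURLY):
        findings.append("typographic quotes found; XML attribute values must use straight quotes")
        xml_text = "".join(_CURLY.get(c, c) for c in xml_text)  # repair so the other checks can run
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return findings + [f"not well-formed XML: {exc}"]

    if root.tag != "MultipleInstance":
        findings.append(f"root element is <{root.tag}>, expected <MultipleInstance>")

    # Document order: a $(NAME) may only refer to an Iterator/Variable already seen.
    declared = set()
    for el in root.iter():
        for attr, val in el.attrib.items():
            for ref in _REF.findall(val):
                if ref not in declared:
                    findings.append(f"<{el.tag} {attr}> references $({ref}) before any Iterator/Variable declares it")
        if el.tag in ("Iterator", "Variable") and "name" in el.attrib:
            declared.add(el.attrib["name"])

    instance = root.find("Instance")
    if instance is None:
        findings.append("no <Instance> block")
    elif not any(a.get("do") == "SKIP" and a.get("onValue") == "false" for a in instance.iter("Action")):
        findings.append('no <Condition> with <Action do="SKIP" onValue="false"/>; unmatched instances would be reported')
    return findings


# The first signature posted in this thread (ReadFile + Contains + Condition).
SIG_OK = """
<MultipleInstance>
  <Iterator export="true" name="INSTALL_PATH">
    <FindFilePathEx name="MYFILE.txt"/>
  </Iterator>
  <Instance>
    <Variable export="false" name="file_read">
      <ReadFile path="$(INSTALL_PATH)MYFILE.txt"/>
    </Variable>
    <Variable name="IS_INSTALLED">
      <Contains inputString="$(file_read)" position="contains" searchedString="MYAPP_version=1.3"/>
    </Variable>
    <Condition withVariable="IS_INSTALLED">
      <Action do="SKIP" onValue="false"/>
    </Condition>
  </Instance>
</MultipleInstance>
"""

# The tq.ini suggestion above, which deliberately leaves the Condition out.
SIG_NO_CONDITION = """
<MultipleInstance>
  <Iterator export="true" name="INSTALL_PATH">
    <FindFilePathEx name="tq.ini"/>
  </Iterator>
  <Instance>
    <Variable export="false" name="file_read">
      <ReadFile path="$(INSTALL_PATH)tq.ini"/>
    </Variable>
    <Variable name="IS_INSTALLED">
      <Contains inputString="$(file_read)" position="contains" searchedString="Data Directory=/opt/teamquest/data"/>
    </Variable>
  </Instance>
</MultipleInstance>
"""

# Same fragment as it looks after a forum or editor has curled the quotes.
SIG_CURLY = SIG_NO_CONDITION.replace('"', "\u201c")

if __name__ == "__main__":
    for label, sig in (("ok", SIG_OK), ("no-condition", SIG_NO_CONDITION), ("curly", SIG_CURLY)):
        print(label, "->", lint_signature(sig) or "clean")
```

Feed it the fragment exactly as it will be pasted into the catalog; if it reports a reference problem, the scanner will typically log that the expression could not be resolved rather than simply producing no match.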

Hi,
thanks for the quick answer, but it gives the same result. I have also tried with wildcards in the search string, but it’s the same.

Can you try with debug logs? Look at my example in the post above from October; it will give us an idea of what is wrong.

Hi,

here is the output run with the MAX switch:

max.out.bes (37.2 KB)

Hi,
the last uploaded file was NOT done with your input file, but this one is, and it comes with some errors:

max_2.out.bes (36.6 KB)

I’m bringing this issue up again, because I again ran into trouble getting the wscansw utility working for me.

I made a custom signature and tried to test it, but the only output I get is:

<?xml version="1.0" encoding="UTF-8"?>

I ran wscansw with debug and got this output:

https://justpaste.it/3ams8

Is there anyone who has an idea as to what I’m doing wrong?

Can you share catalog file that you are using?

Yes I can, but in this test I don’t use the catalog file; I’m just trying to test the signature XML file, to see if it’s doing what I suspect.

Hi,
I’m trying to test this