2016-03-16 05:05 AM
Hello,
Does somebody have a solution for how I can transform data from the user.agent metakey (Log and Packet) into something like Device, OS, Application via a Feed or LUA Parser? I found some FlexParsers in RSA Live, but it is not what I want. I found sites like Complete List of iOS User-Agent Strings | Enterprise iOS with a DB of iPhone/iPad/iPod, but the data is old and I can't create a suitable Feed.
I found an interesting project, GitHub - piwik/device-detector: The Universal Device Detection library will parse any User Agent and detect the browser,… and its web version Device Detector Demo.
It is what I want, but how do I transform it into a LUA Parser or Feed?
2016-03-17 01:03 PM
The parser works great! Thank you so much!
I deleted the nw.logInfo strings... and changed envisionName="useragent" to envisionName="user_agent" in the new table-map-custom.xml string.
2016-03-17 01:11 PM
Hello David,
Is PHP installed on RSA Security Analytics by default? Your solution is great, but if it needs an additional Virtual Machine or Physical Server with a PHP Web Server it can be a problem. For example, for me it is not applicable at this time. The solution should work on the current instance.
2016-03-17 01:21 PM
Okay, I'll try and figure out how to run the PHP from the command line....
2016-03-17 02:08 PM
Success - here is a version that does not need a Webserver, but you do need a server with PHP on it. This would need to be different from a Security Analytics Server as none of them have PHP installed and it is not available within our repository.
There is the wrapper script (./UserAgentInfoScript.sh) and the PHP script (script.php) it calls.
To run it, just run ./UserAgentInfoScript.sh (after changing the line to point to your broker).
I've attached a sample feed too, and an XML file to load the feed.
2016-03-18 03:48 AM
I will try to install PHP on the SA Server. I do not have any other VM for this.
How can I filter out some user agent strings from the sdk queue? For example I have many strings like:
*bajbaaaagwbaaaabaaqpty3q9x9agtjzrlamh1dpu2jq5hnaaawjaiaajaa=
I would like to filter out any user agent string if it does not begin with [A-Za-z] or [0-9].
From which time slot does your sdk queue receive unique user agent strings? How often should I start this shell script via cron?
2016-03-18 05:23 AM
Hello
The command
http://192.168.123.249:50103/sdk?msg=values&fieldName=client&size=20000
gets all the values that are in the current index slice, so how often your slices roll over will determine how often you need to query. Hourly should be more than enough.
I would check how values like
"bajbaaaagwbaaaabaaqpty3q9x9agtjzrlamh1dpu2jq5hnaaawjaiaajaa=" are getting into your user agent meta key, and then improve the parser to drop them. If you can't clean up the parser and they are valid, then you could amend the LUA parser to not write them. These sorts of strings are a hazard to Security Analytics as you can quickly end up exhausting all the values available in the particular meta key that is being written to.
I need to make a few changes to my script. Currently I just delete the old feed and then reprocess all the user agent strings again. What I will do is keep adding to the feed if no strings are received.
2016-03-18 05:32 AM
Now I am facing an issue starting the PHP script.
I installed PHP 5.3.3 on the SA Server from the CentOS Base repo, but can't run the script. I receive this error:
PHP Warning: require_once(vendor/autoload.php): failed to open stream: No such file or directory in /opt/device-detector-master/script.php on line 2
PHP Fatal error: require_once(): Failed opening required 'vendor/autoload.php' (include_path='.:/usr/share/pear:/usr/share/php') in /opt/device-detector-master/script.php on line 2
2016-03-18 06:08 AM
I would make sure that you follow the steps for the install of devicedetector and just check you can get that running first. Note I can't really support putting PHP on an SA Appliance....
2016-03-18 06:20 AM
Maybe we can use Device Detector Demo as an external PHP server? I can't install PHP (DeviceDetector needs version >= 5.3.6) on the SA server. In the CentOS-Base repo there is only 5.3.3.
2016-03-18 07:23 AM
I found a solution for how to install and update PHP and DeviceDetector on the SA Server:
1. Install PHP on the SA Server (yum install php php-dom --enablerepo=base).
2. Install the EPEL repository configuration package (yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm).
3. Install the Remi repository configuration package (yum install http://rpms.remirepo.net/enterprise/remi-release-6.rpm).
4. Update PHP with the command "yum --enablerepo=remi update php-\*".
5. Copy the device-detector-master folder to the /opt folder on the SA Server.
6. Copy UserAgentInfoScript.sh to the /opt/device-detector-master folder.
7. chmod +x UserAgentInfoScript.sh
8. Copy script.php to the /opt/device-detector-master folder.
9. chmod +x script.php
10. Go to the /opt/device-detector-master folder on the SA Server and run "curl -sS https://getcomposer.org/installer | php".
11. Install with Composer: "php composer.phar install".
12. Disable or remove the 3rd party repos from /etc/yum.repos.d.
How can I merge OS name and OS version into one field? I did this:
// "&&"/"||" instead of "and"/"or": in PHP "and"/"or" bind more loosely than "=",
// so with "and" only the first parenthesised group was assigned to $UsefulInfo.
$UsefulInfo = (is_array($clientInfo) && is_array($osInfo)) &&
    (array_key_exists("name", $clientInfo) ||
     array_key_exists("version", $clientInfo) ||
     array_key_exists("name", $osInfo) ||
     array_key_exists("version", $osInfo) ||
     $brand || $model);
if ($UsefulInfo) {
    echo $argv[1];
    echo "^";
    if (array_key_exists("name", $clientInfo)) { echo $clientInfo["name"]; }
    echo " ";   // printed even when no version follows, which leaves a trailing space
    if (array_key_exists("version", $clientInfo)) { echo $clientInfo["version"]; }
    echo "^";
    if (array_key_exists("name", $osInfo)) { echo $osInfo["name"]; }
    echo " ";   // same trailing-space problem for the OS field
    if (array_key_exists("version", $osInfo)) { echo $osInfo["version"]; }
    echo "^";
    echo $brand;
    echo "^";
    echo $model;
    echo "\r\n";
}
But if the version exists all is ok; if the version doesn't exist I have an extra space (not good). And I have warnings in the console (after modifying your script.php) like:
PHP Warning: array_key_exists() expects parameter 2 to be array, null given in /opt/device-detector-master/script.php on line 49
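The two problems raised in this thread (filtering out user agent strings that do not start with a letter or digit, and merging name and version into one field without a stray space or array_key_exists() warnings) can be handled together. The script below is an added example, not David's script.php or the device-detector project's own code; it assumes device-detector was installed with Composer in the same folder (so vendor/autoload.php exists), uses its DeviceDetector class (parse(), getClient(), getOs(), getBrandName(), getModel()), and reads user agents one per line from STDIN rather than from $argv[1].

```php
<?php
// Added example (not the thread's script.php). Assumes device-detector was
// installed with Composer as in the steps above, so vendor/autoload.php exists.
require_once __DIR__ . '/vendor/autoload.php';
use DeviceDetector\DeviceDetector;

// Drop strings that do not start with an ASCII letter or digit, so the
// base64-looking junk values never reach the feed.
function isUsableUserAgent($ua) {
    return preg_match('/^[A-Za-z0-9]/', $ua) === 1;
}

// Join name and version with one space, skipping whatever is missing, so a
// missing version does not leave a trailing space ("Android " vs "Android").
function joinNameVersion($info) {
    if (!is_array($info)) {
        return '';            // getClient()/getOs() return null when unknown
    }
    $parts = array();
    foreach (array('name', 'version') as $key) {
        if (!empty($info[$key])) {
            $parts[] = trim($info[$key]);
        }
    }
    return implode(' ', $parts);
}

// Build one feed record in the thread's layout: ua^client^os^brand^model.
// Returns null when the UA was filtered out or nothing useful was detected.
function userAgentToFeedLine($ua) {
    if (!isUsableUserAgent($ua)) {
        return null;
    }
    $dd = new DeviceDetector($ua);
    $dd->parse();
    $fields = array(
        $ua,
        joinNameVersion($dd->getClient()),
        joinNameVersion($dd->getOs()),
        (string) $dd->getBrandName(),
        (string) $dd->getModel(),
    );
    return implode('', array_slice($fields, 1)) === '' ? null : implode('^', $fields);
}

// Read user agents one per line from STDIN and print feed rows for usable ones.
while (($line = fgets(STDIN)) !== false) {
    $row = userAgentToFeedLine(rtrim($line, "\r\n"));
    if ($row !== null) { echo $row, "\r\n"; }
}
```

A user agent that itself contains the '^' separator would split into extra columns; if that shows up in your data, replace it before building the row or choose a separator the feed definition does not use.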