Issue with command string and & and white spaces
Hello,
When trying to run a reg query command with execbeat, I am running into an issue where no matter how I try to escape the registry key with & and a white space in the path, the line is not being parsed correctly.
I see two issues, one with the command and one with the args.
The issue with the command line in the execbeat.yml:

    commands:
      schedule: 10 * * * *
      command: cmd /c reg query 'HKEY_LOCAL_MACHINE\Software\key&stuff here'
      args: /s

When checking the yaml file, the above lines are being parsed as:

    commands:
      args: /s
      command: "cmd /c reg query 'HKEY_LOCAL_MACHINE\Software\key&stuff here'"
      schedule: "10 * * * *"
However, the output when run errors with the following:

    {
      "@timestamp": "2017-03-28T15:27:10.000Z",
      "beat": {
        "hostname": "somecomputer",
        "name": "somecomputer",
        "version": "3.1.1"
      },
      "exec": {
        "command": "cmd /c reg query 'HKEY_LOCAL_MACHINE\Software\key\u0026stuff here'",
        "exitCode": 0,
        "stdout": ""
      },
      "type": "execbeat"
    }
As you can see the & is getting parsed as \u0026. This happens with either single or double quotes.
To try and work around this issue, I modified the execbeat.yml file with the following:

    execbeat:
      commands:
        schedule: 10 * * * *
        command: cmd
        args: /c reg query 'HKEY_LOCAL_MACHINE\Software\key&stuff here' /s
When executing the execbeat with this, I get the following error:

    {
      "@timestamp": "2017-03-28T15:42:10.000Z",
      "beat": {
        "hostname": "somecomputer",
        "name": "somecomputer",
        "version": "3.1.1"
      },
      "exec": {
        "command": "cmd",
        "exitCode": 1,
        "stderr": "ERROR: Invalid key name.\r\nType "REG QUERY /?" for usage.\r\n'stuff' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n",
        "stdout": ""
      },
      "type": "execbeat"
I have tried both single and double quoting the args options to no avail.
I believe this to be a bug in how execbeat is parsing the YAML file's command and args lines.
Thanks for raising this issue. I will look into it in the next days.
Which version of execbeat do you use?
The version I am using is 3.1.1.
Thanks!
This is a general problem with how config files are parsed by the beat lib / golang itself. Not sure yet how to fix this and if it is possible in an easy way.
I played around a little bit. When trying the first example, it works for me, except for the fact that the output has the wrong encoding. I debugged and googled a little bit and the problem seems to be in the JSON Encoder (http://stackoverflow.com/questions/24656624/golang-display-character-not-ascii-like-not-0026)
As sending the event is done by the beats framework, I need to check if there is a way to tweak the encoder in the beats framework.
There is an open issue in the beats framework for this, see https://github.com/elastic/beats/issues/2581
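
The encoder behaviour discussed in the last replies, shown as an added Go example that is not part of the thread and is not execbeat or beats code. `execEvent` is a hypothetical, reduced event type and `sampleCommand` is a constructed value modelled on the command in the report. It shows that `\u0026` is only the encoded form of `&`: both outputs decode to the same command, but a raw-text search of the stored event behaves differently.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample value modelled on the command string in the thread.
const sampleCommand = `cmd /c reg query 'HKEY_LOCAL_MACHINE\Software\key&stuff here'`

// execEvent is a hypothetical, reduced stand-in for a published exec event.
type execEvent struct {
	Command  string `json:"command"`
	ExitCode int    `json:"exitCode"`
}

// encodeDefault uses json.Marshal, which HTML-escapes &, < and > as \u0026, \u003c, \u003e.
func encodeDefault(ev execEvent) (string, error) {
	b, err := json.Marshal(ev)
	return string(b), err
}

// encodeNoEscape uses an Encoder with HTML escaping switched off (Go 1.7+).
func encodeNoEscape(ev execEvent) (string, error) {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false)
	err := enc.Encode(ev)
	return strings.TrimSpace(buf.String()), err
}

// decodeCommand parses a JSON event and returns its command field.
func decodeCommand(doc string) (string, error) {
	var ev execEvent
	err := json.Unmarshal([]byte(doc), &ev)
	return ev.Command, err
}

func main() {
	ev := execEvent{Command: sampleCommand}
	escaped, _ := encodeDefault(ev)
	plain, _ := encodeNoEscape(ev)
	fmt.Println(escaped)
	fmt.Println(plain)
	a, _ := decodeCommand(escaped)
	b, _ := decodeCommand(plain)
	// Same decoded value; only a substring search on the raw JSON text differs.
	fmt.Println(a == b, strings.Contains(escaped, "key&stuff"), strings.Contains(plain, "key&stuff"))
}
```

Anything that matches on command strings in stored events should parse the JSON first rather than search the raw text.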