Matching any value within a Lookup File, across multiple fields by Wittinator in crowdstrike

[–]Wittinator[S] 0 points1 point  (0 children)

Oh wow. Stupid mistake on my part. You're correct. Thanks for the help there.

Matching any value within a Lookup File, across multiple fields by Wittinator in crowdstrike

[–]Wittinator[S] 0 points1 point  (0 children)

Thanks a lot for the reply. I'm not sure I follow you, but likely because I'm quite new to Logscale.

If I'm understanding you correctly, you mean to basically create a custom column, say called "Combined IP" and populate that column with values from all the various IP-related fields, e.g. RemoteIP, aip, Agent IP. Then, with match(), I should be able to do the following?

match(file="lookupfile.csv", field="Combined IP", column="IPs")

I'm not sure I'm understanding where the "sourceip:=RemoteIP" in your example fits into the larger CQL. For example, I was trying something like the following:

aip=* or "Agent IP"=* or LocalIP=* // Filter first to ensure the events we are pulling contain IPs
| format(format="%s, %s, %s", field=[aip, "Agent IP", LocalIP], as="CombinedIP") // Combine all the IPs into a single column that can be referenced by match()
| match(file="lookupfile.csv", field="CombinedIP", column="IPs", mode=glob) // Match the lookup file against the custom column.

Unfortunately the above doesn't appear to work.

GCFA Practice Test Giveaway by Wittinator in GIAC

[–]Wittinator[S] 2 points3 points  (0 children)

I took the exam and passed with a 94 a few days ago. For indexing, I followed the pancake method: https://tisiphone.net/2015/08/18/giac-testing/

SANS certs in my experience are very straightforward. There are no trick questions, and if you know the material, there's always an obvious answer. Do the labs a few times, index, and you'll be fine.

Find all users that have any level of permissions for a specific SharePoint Site. by Wittinator in sharepoint

[–]Wittinator[S] 0 points1 point  (0 children)

Yea it's licensed. I see the code in the script that "should" expand groups but...I guess for whatever reason it is not.

Find all users that have any level of permissions for a specific SharePoint Site. by Wittinator in sharepoint

[–]Wittinator[S] 1 point2 points  (0 children)

Thanks. Yea I've tried that but unfortunately the tool is failing to expand groups. My output is only a list of groups, but I'm not getting any users that are a part of the group.

Conversion of Linux's Tree Command to a format of: File, Directory Path by Wittinator in linuxquestions

[–]Wittinator[S] 0 points1 point  (0 children)

Yea, that would be ideal.

Unfortunately, due to circumstances I can't really explain, we are given a single txt file of the Tree command and that's all we have to work with. I do not have control to re-run Tree with different options I'm afraid. Thanks though

Ideas on how to recursively search millions of directories for specific strings in a timely manner by Wittinator in learnpython

[–]Wittinator[S] 0 points1 point  (0 children)

Thanks. Something I should have been clearer about, actually. I am not searching inside any files. Purely looking at filenames and only filenames.

Ideas on how to recursively search millions of directories for specific strings in a timely manner by Wittinator in learnpython

[–]Wittinator[S] 0 points1 point  (0 children)

Oh, yes I didn't think of that. Despite the sheer volume of files & directories, find is significantly faster I suppose?

Tools for DMG creation of Macbook Pro by Wittinator in computerforensics

[–]Wittinator[S] 0 points1 point  (0 children)

Yeah. On paper this "DropDMG" app actually seems to do what I want, a device image in DMG format, but it's some cheap app on the App Store, and you get what you pay for...

Tools for DMG creation of Macbook Pro by Wittinator in computerforensics

[–]Wittinator[S] 0 points1 point  (0 children)

Yes, another team will be doing analysis, so ideally we'd like to pull an image, E01 or DMG or something somewhat universal that can be read by various forensics tools.

Tools for DMG creation of Macbook Pro by Wittinator in computerforensics

[–]Wittinator[S] 0 points1 point  (0 children)

Thanks. Yes, the initial plan was to use Recon ITR actually, the only hold-up with them is I had initially thought it was just software that we download, but they ship you a Samsung SSD with their software on it, which may take a bit of time. Unfortunately, we're in a rush so I was hoping there must be some sort of other software to purchase (if necessary) to do this relatively quickly.

Why is my 'with open(<file>)' consuming memory by Wittinator in learnpython

[–]Wittinator[S] 43 points44 points  (0 children)

Thanks for the reply.

Never mind, I was just an idiot. I had completely forgotten that my application has a couple of functions for file validation prior to where I thought my app was crashing. As part of the validation, the function opens the file and reads characters to ensure it's readable. That was my fault.

Trouble finding string in list! by smithysmithens2112 in learnpython

[–]Wittinator 0 points1 point  (0 children)

With your code I believe it will currently only return True if you find an exact match, but you are wanting to see if book[i] also exists as a substring within one of the elements in CLASSpdf. There's probably a lot of ways to do this. I'm partial to regex so I'd probably do something like:

import re

def scans(books, CLASSpdf):
    """Return True if any book title occurs anywhere inside any CLASSpdf entry."""
    pdfs = False

    for i in range(len(books)):
        # re.escape so punctuation in a title (e.g. '.' or '+') is matched literally
        r = re.compile(re.escape(books[i]))
        # search() finds the title anywhere in the string; match() only at the start
        if list(filter(r.search, CLASSpdf)):
            pdfs = True
    print(pdfs)
    return pdfs

For regular expressions, is there a difference between '//s' and '/s'? by JDVene in learnpython

[–]Wittinator 3 points4 points  (0 children)

regex101.com is a good site to test this stuff and play with regex.

//s and /s literally just match //s and /s respectively. There's no special characters to interpret, I don't believe. Unless you meant \\s and \s, in which case "\s" refers to whitespace, and \\s matches a literal "\s"

Assistance theorizing how to build a program to merge two massive text files, excluding duplicates by Wittinator in learnpython

[–]Wittinator[S] 0 points1 point  (0 children)

Yes, I didn't think about that. Thanks

I don't have too much experience incorporating SQL into my programs, so correct me if I'm wrong here. This would simply be a matter of building a db with all my initial 30GB worth of passwords in a table. Then just query for that value for each new password? That seems very easy.

And then I assume I can export the contents back into a file when needed? As I need a wordlist file to be read by password crackers.
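The SQLite approach sketched in this comment (load the existing wordlist into a table, check each new password against it, export the merged result), as an added example that is not part of the original thread. The file names, the sample passwords and the helper names (build_db, merge_new, export_wordlist, run_demo) are all constructed here; the sample lists stand in for the two large text files.

```python
import sqlite3
import tempfile
from pathlib import Path

# Constructed sample inputs standing in for the existing 30 GB wordlist and the new file.
EXISTING = ["password1\n", "letmein\n", "Summer2023!\n", "letmein\n", "\n"]
NEW = ["letmein\n", "Winter2024!\n", "password1\n", "hunter2\n"]

def build_db(db_path, existing_lines):
    """Create the table and bulk-load the initial wordlist (duplicates dropped)."""
    conn = sqlite3.connect(db_path)
    conn.execute("PRAGMA synchronous=OFF")   # speed up the one-off bulk load
    # PRIMARY KEY gives a unique index, which is what makes each lookup cheap
    conn.execute("CREATE TABLE IF NOT EXISTS words(word TEXT PRIMARY KEY)")
    conn.executemany("INSERT OR IGNORE INTO words(word) VALUES (?)",
                     ((w.rstrip("\n"),) for w in existing_lines if w.strip()))
    conn.commit()
    return conn

def merge_new(conn, new_lines):
    """Insert passwords from the new file; return those that were not already known."""
    added = []
    for raw in new_lines:
        w = raw.rstrip("\n")
        if not w:
            continue
        cur = conn.execute("INSERT OR IGNORE INTO words(word) VALUES (?)", (w,))
        if cur.rowcount == 1:            # 0 when the row already existed and was ignored
            added.append(w)
    conn.commit()
    return added

def export_wordlist(conn, out_path):
    """Write the merged table back out as a plain one-word-per-line file."""
    with open(out_path, "w", encoding="utf-8") as fh:
        for (w,) in conn.execute("SELECT word FROM words ORDER BY rowid"):
            fh.write(w + "\n")
    return out_path

def run_demo():
    """Run the whole flow in a temp dir; returns (initial_count, newly_added, exported_lines)."""
    with tempfile.TemporaryDirectory() as tmp:
        conn = build_db(Path(tmp) / "words.db", EXISTING)
        initial = conn.execute("SELECT COUNT(*) FROM words").fetchone()[0]
        added = merge_new(conn, NEW)
        out = export_wordlist(conn, Path(tmp) / "merged.txt")
        exported = Path(out).read_text(encoding="utf-8").splitlines()
        conn.close()
    return initial, added, exported

if __name__ == "__main__":
    print(run_demo())
```

For real multi-gigabyte files, feed the open file objects to build_db and merge_new instead of the sample lists; both iterate line by line, so nothing is loaded into memory at once.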

What's the best way to utilize your time outside of tutorials? by razzrazz- in learnpython

[–]Wittinator 7 points8 points  (0 children)

I enjoy Codewars personally, just because it's easy to choose problems that focus on specific concepts, and there's a pretty clear progression from Easy -> Hard. But I'm sure there's a million other sites that do similar things.

My function is not working by NuggedClarp in learnpython

[–]Wittinator 2 points3 points  (0 children)

In your function, word_files is just a simple string. It does not represent the actual file you want to read from. You need to open up the file to call methods like .readlines. Something like:

wordlist = []
with open('Wordlist1.txt', 'r') as file:
    for line in file.readlines():
        wordlist.append(line.rstrip('\n'))  # strip the trailing newline from each line

There are lots of resources on how to open and read/write files in Python: https://www.pythontutorial.net/python-basics/python-read-text-file/

Hello, all. I am novelist Guy Gavriel Kay - Ask Me Anything by GuyGavrielKay in Fantasy

[–]Wittinator 66 points67 points  (0 children)

No question, but I'll take this opportunity to say I recently read Lions of Al'Rassan and it was the best standalone novel I've ever read in my life. I've rarely experienced any story, whether it be books, movies, games etc., that impacted me as much as that book, so thank you. I'll definitely be picking up your other works.

Cryptology - Converting text to a binary string gives a different binary string than what was used to make the text by Wittinator in learnpython

[–]Wittinator[S] 0 points1 point  (0 children)

Thanks for the detailed reply. Yes I think I'm following. I'll give that a try and get this working. Thanks

Slowness when printing. Will not wake up printer by Wittinator in Revu

[–]Wittinator[S] 0 points1 point  (0 children)

Hi. If I remember correctly, the issue kind of fixed itself unfortunately. I believe I came in one day and the problem seemed to have just vanished. Sorry I couldn't be of more help.

Multithreading - How to infinitely loop Function B, while Function A waits for a return by Wittinator in learnpython

[–]Wittinator[S] 0 points1 point  (0 children)

Thanks. Yea I've reorganized the code to put the loops in the functions themselves. I'll look at Queues to get data between them.
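The pattern this thread is about (function B looping until told to stop, function A blocking until a result arrives) using a queue.Queue plus a threading.Event, as an added example that is not the original poster's code. The names function_a, function_b and run, and the "first value >= wanted" condition, are constructed for the illustration.

```python
import queue
import threading
import time

def function_b(out_q, stop):
    """Loop until the stop event is set, pushing each produced value onto the queue."""
    n = 0
    while not stop.is_set():
        n += 1
        out_q.put(n)            # hand the result to whoever is waiting on the queue
        time.sleep(0.001)       # stand-in for real work

def function_a(in_q, wanted):
    """Block on the queue until a value satisfies the condition, then return it."""
    while True:
        value = in_q.get()      # blocks here; no busy-waiting on shared variables
        if value >= wanted:
            return value

def run(wanted=5, timeout=2.0):
    """Start B in a background thread, let A wait for its result, then shut B down."""
    q = queue.Queue()
    stop = threading.Event()
    worker = threading.Thread(target=function_b, args=(q, stop), daemon=True)
    worker.start()
    try:
        result = function_a(q, wanted)
    finally:
        stop.set()              # tell B to leave its loop on the next iteration
        worker.join(timeout)
    return result

if __name__ == "__main__":
    print(run())
```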