rth67
Level 12

Remote File Tail / Copy from SIEM Receiver

Apparently there is a new security feature in the 9.6.1 MR1 and 10.0.2 releases that does not allow the use of hidden shares when tailing / copying files; this was not disclosed in the Release Notes.

According to the original feedback I received, somebody set up a File Copy to the C$ share, checked the box to "Delete processed files", and wiped out a server.

According to Tier 3 / Engineering there is a vulnerability in Linux that would allow an attacker full access to the remote hidden share, as Linux treats the $ differently than Microsoft does. We have requested a bug report and formal documentation.

File Tailing does not have an option to delete files. Please restore the functionality to remotely tail files using a hidden share; we don't want to advertise "HERE ARE THE LOGS" by creating shares.

I would hope you make the requirement of not using a hidden share apply only if you are doing a File Copy and you check the box to "Delete processed files".

File Tail / Copy from the SIEM Receiver was introduced in version 9.6.0; previously you had to use a SIEM Collector Agent. I guess I will be going back to a local agent if this does not get resolved.

3 Replies
rth67
Level 12

Re: Remote File Tail / Copy from SIEM Receiver

There is a new patch for this issue, but I believe it is release specific; check with support.

We did have to re-format how we connected to the remote shares, and change from backslashes to forward slashes.

Previously we did something similar to this:

Share: c$\inetpub\logs

Path: (this was empty)

User Name: domain\user

Now with the patch installed it has to be formatted as follows:

Share: c$

Path: inetpub/logs

User Name: domain/user

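An added example, not from this thread or from the SIEM vendor's own code, that rewrites the pre-patch Share / Path / User Name fields into the post-patch form shown in the reply above, and flags the "Delete processed files" on a drive administrative share combination that wiped a server in the original post. The field names, the check, and the sample values are assumptions constructed for the example.

```python
import re

# Drive administrative shares such as C$ or D$ (constructed pattern; the
# product's own rule for "hidden share" is not documented on the page).
DRIVE_ADMIN_SHARE = re.compile(r"^[A-Za-z]\$$")


def _segments(value):
    """Split a Windows or POSIX style path into non-empty segments."""
    return [seg for seg in value.replace("\\", "/").split("/") if seg]


def convert_share_config(share, path, user):
    """Convert the old layout (whole backslash path in the Share field,
    empty Path, domain\\user) to the post-patch layout: bare share name,
    forward-slash Path, domain/user."""
    share_parts = _segments(share)
    if not share_parts:
        raise ValueError("Share field is empty")
    share_name = share_parts[0]
    # Anything after the share name in the old Share field moves into Path.
    new_path = "/".join(share_parts[1:] + _segments(path))
    new_user = "/".join(_segments(user))
    return {"share": share_name, "path": new_path, "user": new_user}


def delete_on_admin_share(cfg, delete_processed):
    """True when a File Copy with 'Delete processed files' points at a drive
    administrative share (the configuration that deleted a whole server)."""
    return bool(delete_processed and DRIVE_ADMIN_SHARE.match(cfg["share"]))


if __name__ == "__main__":
    # Constructed sample matching the reply's before/after layout.
    cfg = convert_share_config("c$\\inetpub\\logs", "", "domain\\user")
    print(cfg)  # {'share': 'c$', 'path': 'inetpub/logs', 'user': 'domain/user'}
    print(delete_on_admin_share(cfg, delete_processed=True))  # True
```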
gelak
Level 7

Re: Remote File Tail / Copy from SIEM Receiver

I have the same issue...where can I find that patch?

thx,

Robert

rth67
Level 12

Re: Remote File Tail / Copy from SIEM Receiver

You will have to contact support; the patch is specific to the version you are running.
