3 Replies Latest reply on Aug 8, 2017 3:49 PM by rth67

    Remote File Tail / Copy from SIEM Receiver

    rth67

Apparently there is a new security feature that is part of the 9.6.1 MR1 and 10.0.2 releases that does not allow the use of hidden shares when tailing / copying files. This was not disclosed in the Release Notes.


According to the original feedback I received, somebody set up a File Copy to the C$ share, checked the box to "Delete processed files", and wiped out a Server.


      According to Tier3 / Engineering there is a Vulnerability in Linux that would allow an attacker full access to the remote hidden share, as Linux treats the $ differently than Microsoft does. We have requested a bug report and formal documentation.


File Tailing does not have an option to delete files. Please restore the functionality to remote tail files using a hidden share; we don't want to advertise "HERE ARE THE LOGS" by creating shares.


I would hope you make the requirement for not using a hidden share apply only if you are doing a File Copy and you check the box to "Delete processed files".


File Tail / Copy from the SIEM Receiver was introduced in version 9.6.0; previously you had to use a SIEM Collector Agent. I guess I will be going back to a local agent if this does not get resolved.