andrewallen.co.uk / … never assume you know enough.

Sandbox / Wiki now available

05-Mar-09

Well, this looks like the one year aniversary post… time flies :) Over the years I’ve kept my notes and bookmarks stored in various ways, and while trying to not duplicate content too much, I’ve simply not got around to posting new content to my blog. So, I’ve now decided to put up a (new) wiki, which I class as a sandbox, where I am now starting to drop content into – the idea being I can quickly post usable and interesting content (although don’t always expect ‘pretty’), with links and references to other parts of the inter-web. Although it is a wiki, it’s not available for public editing.

A few pages I’ve already started include, recommended articles (inc. Books, Magazines, Publications), blogs, conferences, podcasts, software (such as the obligatory list of Firefox extensions) and webcasts (inc. Videos), as well my research into how to automate Kaspersky’s Virus Removal Tool (AVPTool), and various Metasploit coolness. The Nokia E71, in my opinion is one of the most functional phones to date, so I’ve been compiling a list undocumented features and must-have software here.

I have also been putting together a kind of incident response / diagnostic support tool called DIAG.CMD, written in Batch (since on a Windows system, it’s the lowest common denominator). Any feedback on this would be most welcome :)

Filed in Blog | Tagged avptool, diag, incident response, metasploit, sandbox, wiki | Comments

Citrix Web Interface and the Fatal Execution Engine Error

13-Mar-08

Having recently been focused on a Citrix Presentation Server 4.5 migration, I took some time out to build a development 64-bit environment just to become familiar with any ‘gotchas’… This was a single, stand-alone Windows Server 2003 R2 Standard SP2 64-bit operating system, with the 64-bit Citrix Presentation Server 4.5 Enterprise Edition installed, running inside XenServer 4.1 RC7 XenServer 4.1 – I chose to install .NET Framework 3.5 (which includes the required .NET Framework 2.0) and JRE 1.5.0_09.

Additionally, I installed the following components onto the same box:

Citrix License Server 11.3 (inc. Microsoft Visual J# 2.0 )
Citrix Web Interface 4.6 (plus required Access Management Console Extension)

The following hotfixes were then applied to CPS:

Citrix Hotfix Rollup Pack PSE450W2K3X64R01.msp
Citrix Hotfix PSE450R01W2K3X64003.msp
Citrix Hotfix PSE450R01W2K3X64004.msp
Citrix Hotfix PSE450R01W2K3X64005.msp
Citrix Hotfix PSE450R01W2K3X64012.msp
Citrix Hotfix PSE450R01W2K3X64014.msp
Citrix Hotfix PSE450R01W2K3X64016.msp
Citrix Hotfix PSE450R01W2K3X64019.msp
Citrix Hotfix PSE450R01W2K3X64020.msp
Citrix Hotfix PSE450R01W2K3X64023.msp

As a side note, I had installation errors on the rollup, and hotfix 005, but all seems to be working ok… anyway, at some point post-installation the Web Interface decided to stop working. The following error was recorded in the application event log:

Event Type: Error
Event Source: .NET Runtime
Event Category: None
Event ID: 1023
Date: 13/03/2008
Time: 13:05:20
User: N/A
Computer: VM4
Description:
.NET Runtime version 2.0.50727.1433 – Fatal Execution Engine Error (79FFEE24) (80131506)

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Server reboots / iisresets had no effect, and after lots of Googling, it looked like there might be a specific .NET hotfix to address the issue (KB913384), however it was only applicable to an older version of the .NET Framework 2.0 – it is supposed to be included / resolved in SP1 (build 1433). Another google confirmed this. After much frustration from a lack of solutions on the Citrix forums / knowledge base, I ended up uninstalling .NET Framework completely (you have to uninstall 3.5, then 3.0 SP1, then 2.0 SP1 in that specific order), then reinstalling the .NET Framework 2.0 RTM (build 42).

Once I then re-installed Web Interface 4.6 (enabling 32-bit mode in the process, as prompted) and then deleted and re-added the existing site within the Access Management Console, it all sprang back into life. I’ve not yet re-patched .NET to see if it remains functional…

Update 1

The error has occured again:

Event Type: Error
Event Source: .NET Runtime
Event Category: None
Event ID: 1023
Date: 14/03/2008
Time: 08:18:27
User: N/A
Computer: VM4
Description:
.NET Runtime version 2.0.50727.42 – Fatal Execution Engine Error (7A05E2B3) (80131506)

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

This time, the only change I’ve made is to install the latest Citrix XenCenter console 4.1 RC7, which itself is .NET application. I ended up having to install the KB913384 fix, which this time was appliable to the version of .NET I had installed. I am going to do a bit more testing to see what is causing it to re-fail.

Update 2

And again…

Event Type: Error
Event Source: .NET Runtime
Event Category: None
Event ID: 1023
Date: 17/03/2008
Time: 10:55:32
User: N/A
Computer: VM4
Description:
.NET Runtime version 2.0.50727.63 – Fatal Execution Engine Error (7A05F093) (80131506)

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

This time I had installed and uninstalled Office 2007.

Filed in Blog | Tagged citrix presentation server, cps, hotfixes, license server, web interface, windows server 2003 r2 | Comments

Acronis True Image Echo Server on CentOS

09-Jan-08

I’ve used Acronis True Image on quite a large number of Windows systems over the years, as it is a very good product which has gradually expanded it’s (already impressive) feature set throughout that time. Just recently, I had the requirement to image a Linux system and so decided to trial the new Acronis True Image Echo Server on Linux – from what I found, there is no ‘workstation’ product for Linux like the True Image Home product for Windows, and so had to go for the server version instead. Specifically, I needed to backup a 64-bit CentOS 5.1 virtual machine running inside Citrx XenServer Express.

After registering for the trial version on Acronis.com, downloading the appropriate installation file and moving it into the VM, a quick ‘chmod +x TrueImageServerEcho_d_en.i686′ made the file ready for installation. The binary is suitable for 32-bit and 64-bit systems – no need for seperate installation files.

After kicking off the installation (’./TrueImageServerEcho_d_en.i686′), it was pretty much a next-next-finish affair, except I soon found I needed to have the kernel source files and gcc installed, for the installation program to correctly configure the SNAPAPI Module. A quick ‘yum install -y kernel-xen-devel gcc’ fixed the dependancy issue, and after re-run of the True Image installation file, all required software was now installed.

By the way, there was no documentation supplied with the downloaded installation file; I found out some of the information on the Acronis website, and also by browing the setup log file (/var/log/trueimage-setup.log).

Since I don’t generally use an X-Windows interface on *nix systems (much prefer the command line via SSH), I’ve now got to see how far I get with the console tools (’trueimagecmd’ and ‘trueimagemnt’)…

Filed in Blog | Tagged acronis true image, echo server, image home, linux system, virtual machine, workstation product, xen | Comments

Exporting logs from Check Point FireWall-1

01-Nov-07

I’ve recently been trying to improve a SOX process for analysing firewall activity, currently based on a manual daily check. As part of that work, I knocked together a quick batch file which can be used for automating the export of logs from Check Point FireWall-1, since by default, the logs generated are not readable as standard ascii text. The logs need to be exported using ‘fwm.exe logexport’, which outputs into a more readable CSV format, allowing you to carry out pre-processing of the data using other tools, such as the excellent fwlogsum.

@ECHO OFF & SETLOCAL ENABLEEXTENSIONS

:: "fw1export.cmd" (version 1.0, 01/11/2007)
:: by Andrew G. Allen, http://www.andrewallen.co.uk/

:: This work is licenced under a Creative Commons License.
:: Visit http://creativecommons.org/licenses/by/2.0/uk/ for more information.
 
:VARIABLES
 
SET v_SCRIPTDIR=D:\SCRIPTS
SET v_WORKINGDIR=%v_SCRIPTDIR%\FW1EXPORT
SET v_INPUTDIR=D:\WINNT\FW1\R60\fw1\log
SET v_FWM=D:\WINNT\FW1\R60\fw1\bin\v_FWM.exe

:END_VARIABLES

:: *** NO EDITING REQUIRED PAST THIS POINT *************************************

::       1         2         3         4         5         6         7         8
:: 45678901234567890123456789012345678901234567890123456789012345678901234567890

:CODE

IF NOT EXIST %v_SCRIPTDIR% MD %v_SCRIPTDIR%
IF NOT EXIST %v_WORKINGDIR% MD %v_WORKINGDIR%

DIR /B %v_INPUTDIR%\2007*.log | FIND /V "ptr" > %v_WORKINGDIR%\FW1EXPORT.TMP
FOR /F "TOKENS=1 DELIMS=" %%A IN (%v_WORKINGDIR%\FW1EXPORT.TMP) DO (
   IF NOT EXIST %v_WORKINGDIR%\%%A (
      %v_FWM% logexport -n -p -i %v_INPUTDIR%\%%A -o %v_WORKINGDIR%\%%A
   )
)
DEL /Q /F %v_WORKINGDIR%\FW1EXPORT.TMP

:END_CODE

You should setup the attached batch as a scheduled task to run once per day, once the logs have rotated.