Skip to content
master
Go to file
Code

Latest commit

* Fixing comparison of NoneType in sorted() method.

* Updated README to reflect notes in Pulse Secure Advisory SA44101: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101

* Attempt to resolve formatting issue for Pulse Secure clusters.

* Addresses issue6 "Allow check-your-pulse to run if .events log isn't collected."

- Allows check-your-pulse to run if no .events file is supplied.
- Allows check-your-pulse to run on any number of .events and .access files
- Fixes issue with check-your-pulse printing ips it comes across
- Fixes issue with display library, which would cause the spinner to continually print if the line length > terminal size.

* Addresses issue6 "Allow check-your-pulse to run if .events log isn't collected."

- Allows check-your-pulse to run if no .events file is supplied.
- Allows check-your-pulse to run on any number of .events and .access files
- Fixes issue with check-your-pulse printing ips it comes across
- Fixes issue with display library, which would cause the spinner to continually print if the line length > terminal size.

* Addresses issue8 - Minor bug fix in sorted() method of app, checks if object is datetime.datetime before comparisons are made.

Co-authored-by: William Deem <0345765387@hq.dhs.gov>
b4ba7c2

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 
src
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

README.md

check-your-pulse

GitHub Build Status Coverage Status Total alerts Language grade: Python Known Vulnerabilities

This utility can help determine if indicators of compromise (IOCs) exist in the log files of a Pulse Secure VPN Appliance for CVE-2019-11510.

The Cybersecurity and Infrastructure Security Agency (CISA) has seen many organ izations breached despite patching their appliance because of Active Directory credentials (to include Domain Admin) harvested prior to patching. Details are available in Alert AA20-107A. This tool may help organizations locate exploitation attempts in their logs and assess their risk based on the results. If exploitation attempts are located p rior to the date of patch, it may be necessary to carefully watch for unauthori zed connections and perform a full domain password reset.

The IOCs included in this tool are TLP:WHITE. Adding more indicators from open- source or commercial vendors may improve the effectiveness of this tool.

The tool works by looking for IOCs (strings, Internet Protocol [IP] addresses, and user agents) associated with Threat Actors exploiting this vulnerability in the wild.

NOTE: check-your-pulse will alert on ANY IOCs it finds in the log files. If an IOC occurred after patch, it may be a false positive.

Requirements

Python versions 3.6 and above. Note that Python 2 is not supported.

Installation

PULSE SECURE SETUP

If unauthenticated logging was not enabled prior to patching, you will be rel iant on user agent strings and IPs, which are much less reliable indicators.

Detailed instructions regarding pulse secure setup can be found here.

CHECK-YOUR-PULSE

git clone https://github.com/cisagov/check-your-pulse.git
cd check-your-pulse

Usage

Download the logs from web console

Instructions can be found here for version 8.3 of the Pulse Connect Secure.

$ python3 ./app.py --path <path to .events and .access files, defaults to ./>

OUTPUT

Detailed usage information can be viewed with:

$ python3 ./app.py -h

usage: app.py [-h] [-r RAW] [-c CSV] [-j JSON] [-p PATH] [-n NUMEVENTS]

optional arguments:
  -h, --help            show this help message and exit
  -r RAW, --raw RAW     Dumps the output to a human readable file.
  -c CSV, --csv CSV     Writes output to a .csv file. Needs to be provided the
                        name to save as.
  -j JSON, --json JSON  Writes output to a .json file. Needs to be provided
                        the name to save as.
  -p PATH, --path PATH  Path to the folder containing .access and .events.
  -n NUMEVENTS, --numevents NUMEVENTS
                        Number of events to print in the quick summary
                        (default 10)

For more information about this vulnerability see: https://nvd.nist.gov/vuln/detail/CVE-2019-19781

Issues

If you have issues using the code, open an issue on the repository!

You can do this by clicking "Issues" at the top and clicking "New Issue" on the following page.

Contributing

We welcome contributions! Please see here for details.

License

This project is in the worldwide public domain.

This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.

All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.

Legal Disclaimer

NOTICE

This software package (“software” or “code”) was created by the United States G overnment and is not subject to copyright. You may use, modify, or redistribute the code in any manner. However, you may not subsequently copyright the code a s it is distributed. The United States Government makes no claim of copyright o n the changes you effect, nor will it will it restrict your distribution of bon a fide changes to the software. If you decide to update or redistribute the cod e, please include this notice with the code. Where relevant, we ask that you cr edit the Cybersecurity and Infrastructure Security Agency with the following st atement: “Original code developed by the Cybersecurity and Infrastructure Secur ity Agency (CISA), U.S. Department of Homeland Security.”

USE THIS SOFTWARE AT YOUR OWN RISK. THIS SOFTWARE COMES WITH NO WARRANTY, EITHE R EXPRESS OR IMPLIED. THE UNITED STATES GOVERNMENT ASSUMES NO LIABILITY FOR THE USE OR MISUSE OF THIS SOFTWARE OR ITS DERIVATIVES.

THIS SOFTWARE IS OFFERED “AS-IS.” THE UNITED STATES GOVERNMENT WILL NOT INSTALL , REMOVE, OPERATE OR SUPPORT THIS SOFTWARE AT YOUR REQUEST. IF YOU ARE UNSURE O F HOW THIS SOFTWARE WILL INTERACT WITH YOUR SYSTEM, DO NOT USE IT.

--

About

This utility can help determine if indicators of compromise (IOCs) exist in the log files of a Pulse Secure VPN Appliance for CVE-2019-11510.

Resources

License

Releases

No releases published

Packages

No packages published

Languages

You can’t perform that action at this time.