Code Monkey home page Code Monkey logo

slack-watchman's People

Contributors

j-boivie avatar papermtn avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Forkers

biddellns jack51706 adampielak exceltior sharad1126 keshabb mmg1 jonz-secops tolidano polling-repo-continua reanimat0r t3chn0m4g3 n1f2c3 ducthinh993 vinnyvinoth phitheta dtmrc jsulbaran p3t3rp4rk3r fncastagna ax-mlee ari-wein sumeetit bpemmadi-cr timothysmith3 cbennett-ripple zha0 w3llr00t3d petrusandhyprabowo xaviercho 5l1v3r1 sunilgmadisetti neongreenplants rossja darksidesfear

slack-watchman's Issues

'NoneType' object has no attribute 'get'

Version 3.0.7

Running sudo slack-watchman --pii --timeframe a

Importing rules...
40 rules loaded
Searching PII/Personal Data
Searching for posts containing Drivers Licence Numbers (UK)
'NoneType' object has no attribute 'get'

Running sudo slack-watchman --financial --timeframe a

Importing rules...
40 rules loaded
Searching financial data
Searching for posts containing IBAN Numbers
'NoneType' object has no attribute 'get

Running sudo slack-watchman --tokens --timeframe a

Importing rules...
40 rules loaded
Searching tokens
Searching for posts containing Client Secrets
'NoneType' object has no attribute 'get'

Any Ideas on how to fix?

Custom Rules

Hi,
Can you provide an example of how to call an example rule.

I created a rule, changed the category.
then ran slack-watchman --custom <catname> --timeframe a
recieved: slack-watchman: error: unrecognized arguments:

Thanks

No output .CSV file

Hey There,

The following does not output to a .csv file to see results, only the number found.
--pii
--tokens
--financial

Can you assist please??

Thanks!

Enhancement - App Permissions

Hi,
Is is possible to get a report on the apps installed (any details that go with that) and their permissions?
Reason being some apps may have overly permissive permissions and it would be good to know which ones.

Other things I can think:
User details - some PII in user details such as phone numbers/skype etc.

Anyway, loving this app. Its currently helping me loads with a task Ive been given.

Error on incorrect scope

When the Slack app associated with the token does not have a required scope attached to it Slack Watchman fails.

Getting error 'encoding' is an invalid keyword argument for this function

I have installed slack-watchman. As soon as i run slack-watchman --timeframe a --all watchman starts but gives error.

Version: 2.3.1

Searching workspace: ****
Workspace URL: https://*****.com/

Getting everything...
+++++++++++++++++++++
Getting users
+++++++++++++++++++++
Getting channels
+++++++++++++++++++++
Getting admin users
+++++++++++++++++++++
'encoding' is an invalid keyword argument for this function

Please let me now how can we fix this.

Python version used - Python 2.7.16

JSON is broken

When exporting results to JSON, any message that itself has quote marks in results in broken JSON. For example:

{"timestamp": "2023-06-14 15:02:29,374", "level": "WORKSPACE", "message": "{"name": "Slack Team", "domain": "slack-team", "url": "https://slack-team.slack.com/", "email_domain": "", "is_verified": true, "discoverable": "open"}"}

What I'm hopeful for: that messages that are printed out to JSON escape quote marks before they're logged.

File based rules - "posted_by" left blank

When posting files I noticed that posted_by is left blank:

{"localtime": "2020-09-19 23:40:05,824", "level": "NOTIFY", "source": "Slack Watchman", "workspace": "DevCorner", "scope": "files", "detection.type": "Executable Files", "severity": "30", "detection": {"created": 1600372359, "file_id": "F01B9QV2EKT", "file_type": "binary", "mimetype": "application/octet-stream", "name": "balenaEtcher-1.5.102.dmg", "permalink": "https://slackoverloadgroup.slack.com/files/U019SN08GQP/F01B9QV2EKT/balenaetcher-1.5.102.dmg", "posted_by": "", "preview": null, "timestamp": "2020-09-16 19:27:39"}}

I am not sure if that is intentional since all file based rules seem to behave the same way. The username should be catched as with other detection rules.

Broken JSON

When logging to STDOUT I noticed the JSON formatting is broken, at least according to logstash.

Example...

{"localtime": "2020-09-17 14:05:39,943", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: ".dmg""}
{"localtime": "2020-09-17 14:05:40,315", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: ".iso""}
{"localtime": "2020-09-17 14:05:40,963", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: ".pkg""}
{"localtime": "2020-09-17 14:05:41,478", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: ".pptx""}
{"localtime": "2020-09-17 14:05:41,918", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: ".pptm""}
{"localtime": "2020-09-17 14:05:43,636", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: ".ppt""}
{"localtime": "2020-09-17 14:05:44,004", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: ".conf""}
{"localtime": "2020-09-17 14:05:44,445", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: ".ini""}
{"localtime": "2020-09-17 14:05:44,856", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: ".openvpn""}
{"localtime": "2020-09-17 14:05:45,268", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: ".cscfg""}
{"localtime": "2020-09-17 14:05:45,780", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: ".rdp""}
{"localtime": "2020-09-17 14:05:46,363", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: ".jks""}
{"localtime": "2020-09-17 14:05:46,804", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: ".psafe3""}
{"localtime": "2020-09-17 14:05:47,520", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: ".agilekeychain""}
{"localtime": "2020-09-17 14:05:48,135", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: ".keychain""}
{"localtime": "2020-09-17 14:05:48,541", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: ".kwallet""}
{"localtime": "2020-09-17 14:05:48,912", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: ".tblk""}
{"localtime": "2020-09-17 14:59:34,192", "level": "INFO", "source": "Slack Watchman", "message": "2 messages found matching: "password:"*"}
{"localtime": "2020-09-17 14:59:34,953", "level": "INFO", "source": "Slack Watchman", "message": "2 messages found matching: "password is"*"}

Should be escaped like this and logstash can work with it...

{"localtime": "2020-09-17 14:05:39,943", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: \".dmg\""}
{"localtime": "2020-09-17 14:05:40,315", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: \".iso\""}
{"localtime": "2020-09-17 14:05:40,963", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: \".pkg\""}
{"localtime": "2020-09-17 14:05:41,478", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: \".pptx\""}
{"localtime": "2020-09-17 14:05:41,918", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: \".pptm\""}
{"localtime": "2020-09-17 14:05:43,636", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: \".ppt\""}
{"localtime": "2020-09-17 14:05:44,004", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: \".conf\""}
{"localtime": "2020-09-17 14:05:44,445", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: \".ini\""}
{"localtime": "2020-09-17 14:05:44,856", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: \".openvpn\""}
{"localtime": "2020-09-17 14:05:45,268", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: \".cscfg\""}
{"localtime": "2020-09-17 14:05:45,780", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: \".rdp\""}
{"localtime": "2020-09-17 14:05:46,363", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: \".jks\""}
{"localtime": "2020-09-17 14:05:46,804", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: \".psafe3\""}
{"localtime": "2020-09-17 14:05:47,520", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: \".agilekeychain\""}
{"localtime": "2020-09-17 14:05:48,135", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: \".keychain\""}
{"localtime": "2020-09-17 14:05:48,541", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: \".kwallet\""}
{"localtime": "2020-09-17 14:05:48,912", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: \".tblk\""}
{"localtime": "2020-09-17 14:59:34,192", "level": "INFO", "source": "Slack Watchman", "message": "2 messages found matching: \"password:\"*"}
{"localtime": "2020-09-17 14:59:34,953", "level": "INFO", "source": "Slack Watchman", "message": "2 messages found matching: \"password is\"*"}

According to the code it looks like the double quotes are inherited from the rules, so I do not know if there is a quick fix to this. It's probably minor, however nice if someone wants to get some stats out of it ๐Ÿ˜„

Can't see message information

Describe the bug

Hi, I can't see any info (user, content) of the messages that are suspected. I haven't found any docs or additional options on it.

To Reproduce

docker run --rm --platform linux/x86_64 papermountain/slack-watchman --timeframe d --all --output json --cookie --debug --verbose

Expected behaviour

Information pointing to the message and its author included in the logs, as shown in a screenshot on the website.

image

Actual behaviour

No info about the message found in the logs.

{"timestamp": "2023-07-21 09:53:42,218", "level": "INFO", "message": "Searching for PII and Secrets"}
{"timestamp": "2023-07-21 09:53:42,219", "level": "INFO", "message": "Searching for posts containing Passwords"}
{"timestamp": "2023-07-21 09:53:43,338", "level": "INFO", "message": "1 potential matches found"}
{"timestamp": "2023-07-21 09:53:43,341", "level": "INFO", "message": "No matches found after filtering"}
{"timestamp": "2023-07-21 09:53:43,371", "level": "INFO", "message": "Searching for posts containing Twitter API Tokens"}

Desktop (please complete the following information):

  • OS: macOS

Support getting Slack token from args/env var

It would be really nice if it was possible to get the slack token through another method than a file, such as a CLI arg or environment variable, f.ex. for running this unsupervised in a container or similar.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.