Setup Your First Security Task
After you have set up and configured Scumblr, let's walk through how to set up your first task. Tasks in Scumblr perform searches and syncs of data sources (such as DNS entries in Route53 or GitHub repositories), analysis of result data (static, dynamic, etc.) using security tasks, and other administrative functions (removing old events/logs from Scumblr, etc.) using maintenance tasks. More information on tasks can be found on the Tasks wiki page.
For this exercise, we'll set up a task that identifies results which are disclosing an Apache banner.
For this example, we'll run a security task against an existing result within Scumblr. Results can be created in a number of ways in Scumblr, as described below. For now, let's go ahead and create a result manually through the UI.
Click the "New Result" button found on the Results page. Next, fill out the form, including the URL and Title (they should match and include the FQDN).
You should now see the Result you just created:
Tasks can be used for a number of different functions in Scumblr. For this example, we are going to leverage the [Curl Analyzer](https://github.com/Netflix/Scumblr2/wiki/Curl-Analyzer) task. The Curl Analyzer security task performs a curl against a Result and searches the HTTP response for specific status codes or strings.
Navigate to the Tasks page and click the New Task button at the bottom of the page.
Next, select the Task Type from the dropdown menu (Curl Analyzer). Once you select the task, all of the task's required and optional fields will be displayed.
Let's step through the configuration options you'll need to set for this exercise. Note that every field has a helpful tooltip if you are uncertain about the expected input.
For the sake of this example, we will just focus on the required fields:
Specify a name for your task. I suggest the task type plus some useful context on the task (e.g. Curl - Identify Apache Banners).
A group is a collection of tasks that run asynchronously. Once all tasks in a Group complete, the next group executes. For this example, let's select Group 1.
Here we can specify the severity if this security task identifies a match. Since this is more of an observation as opposed to a low, medium, or high risk issue, let's set the severity type to observation.
This is where you can specify the curl command you'd like to run against Results. Scumblr needs to know where to inject the Result URL into the command, so use the result placeholder: $$result$$.
As an example, here is a curl command which gives you verbose headers and follows redirects:
curl -i -s -k -L -X 'GET' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:42.0) Gecko/20100101 Firefox/42.0' '$$result$$'
Specify a string or a regular expression to match against the HTTP response headers or body returned by the curl command executed against the result. For this example, let's set our string to Apache.
You should now be able to save the task.
You should now be able to run the task against all of your existing results. Click the Run Now button to trigger execution of the Task.
After the task completes, there are a number of ways you can review the results. Let's refresh the Task page we were on and take a look at the Task Execution Summary and Details sections:
This shows us whether the task generated any errors or warning messages, as well as whether it created any new results or updated existing results. We can see that a result was updated in the Task Execution Summary, so let's click that link.
We are now redirected to the Results view page. Let's click the dropdown arrow on the left of the result to get an idea of what may have been identified. Click the Vulnerability accordion and expand any findings.
We can now see that we identified a Server banner, along with a snippet of the source around the match. We also see that the match occurred in the headers of the HTTP response.
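To make the placeholder substitution and the header/body matching above concrete, here is an added Ruby example (not Scumblr's own code) that builds the curl argument list from a task's command template, then runs the configured string or regex over a constructed `curl -i -L` response and reports where each match occurred and a snippet around it. The response text, the `Finding` struct and the function names are assumptions for illustration.

```ruby
require 'shellwords'

PLACEHOLDER = '$$result$$'.freeze

# Replace the $$result$$ placeholder in the task's command template with the Result URL.
# The template is split into an argv array first so the URL is never re-parsed by a shell.
def build_curl_argv(template, result_url)
  raise ArgumentError, "template has no #{PLACEHOLDER}" unless template.include?(PLACEHOLDER)
  Shellwords.split(template).map { |arg| arg.gsub(PLACEHOLDER, result_url) }
end

# `curl -i -L` prints one header block per redirect hop, each ending in a blank line,
# followed by the final body. Return [header_blocks, body].
def split_response(raw)
  headers = []
  rest = raw
  while rest.start_with?('HTTP/')
    block, _sep, rest = rest.partition(/\r?\n\r?\n/)
    headers << block
  end
  [headers, rest]
end

Finding = Struct.new(:location, :match, :snippet, keyword_init: true)

# Match a literal string or a Regexp against headers and body, like the task's string field.
def analyze_response(raw, pattern, context: 40)
  regex = pattern.is_a?(Regexp) ? pattern : Regexp.new(Regexp.escape(pattern))
  header_blocks, body = split_response(raw)
  findings = []
  scan = lambda do |text, location|
    text.to_enum(:scan, regex).each do
      m = Regexp.last_match
      start = [m.begin(0) - context, 0].max
      findings << Finding.new(location: location, match: m[0],
                              snippet: text[start, m.end(0) - start + context])
    end
  end
  header_blocks.each { |h| scan.call(h, :headers) }
  scan.call(body, :body)
  findings
end

# Constructed sample: a redirect hop and the final page, both disclosing a Server banner.
SAMPLE_RESPONSE = [
  'HTTP/1.1 301 Moved Permanently', 'Server: Apache/2.4.41 (Ubuntu)',
  'Location: https://www.example.com/', '',
  'HTTP/1.1 200 OK', 'Server: Apache/2.4.41 (Ubuntu)', 'Content-Type: text/html', '',
  '<html><body>Powered by Apache httpd</body></html>'
].join("\r\n")
```

Running `analyze_response(SAMPLE_RESPONSE, 'Apache')` yields two findings located in the headers (one per hop) and one in the body, each with its surrounding snippet.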
At this point, hopefully we have you hooked on how, with a few clicks, you can set up powerful proactive monitoring of your environment. We recommend you take a look at the videos in the 'common use cases' section.