Wget creates a HSTS log file in a user’s home directory. This can contain forensically relevant information.
name: Linux.Applications.WgetHSTS
description: |
Wget creates a HSTS log file in a user's home directory. This can
contain forensically relevant information.
reference:
- https://firexfly.com/wget-hsts/
parameters:
- name: HSTSGlob
default: "/home/*/.wget-hsts"
sources:
- query: |
SELECT Parsed.g1 AS Domain ,
int(int=Parsed.g2) || 443 AS Port,
Parsed.g3 AS IncSubdomains,
timestamp(epoch=Parsed.g4) AS Created,
int(int=Parsed.g5) AS MaxAge
FROM foreach(row={
SELECT FullPath FROM glob(globs="/home/*/.wget-hsts")
}, query={
SELECT Line, parse_string_with_regex(string=Line,
regex='''^([^\s]+)\s([^\s]+)\s([^\s]+)\s([^\s]+)\s([^\s]+)'''
) AS Parsed
FROM parse_lines(filename=FullPath)
WHERE NOT Line =~ "^#"
})
column_types:
- name: Created
type: timestamp