// +build linux
package main
import (
"log"
"os"
Andrew Kroh andrewkroh
andrewkroh
/ Microsoft-Windows-FileInfoMinifilter.txt
Last active
January 7, 2022 11:08
Microsoft-Windows-FileInfoMinifilter Messages from Windows 2012 Server
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Id : 1 | |
| Version : 0 | |
| LogLink : System.Diagnostics.Eventing.Reader.EventLogLink | |
| Level : System.Diagnostics.Eventing.Reader.EventLevel | |
| Opcode : System.Diagnostics.Eventing.Reader.EventOpcode | |
| Task : System.Diagnostics.Eventing.Reader.EventTask | |
| Keywords : {, fi:FileNameCreate} | |
| Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events"> |
andrewkroh
/ elasticsearch.groovy
Created
March 23, 2017 16:02
Elasticsearch Output for SmartThings Events
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /** | |
| * Elasticsearch Event Publisher | |
| * | |
| * Copyright 2017 Andrew Kroh | |
| */ | |
| import java.text.DateFormat; | |
| import java.text.SimpleDateFormat; | |
| definition( |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /** | |
| * Amazon SNS Event Publisher | |
| * | |
| * Copyright 2016 Andrew Kroh | |
| */ | |
| import java.text.DateFormat | |
| import java.text.SimpleDateFormat | |
| import javax.crypto.Mac | |
| import javax.crypto.spec.SecretKeySpec |
andrewkroh
/ main.go
Created
September 20, 2017 20:09
Go seccomp-bpf example using Google Kafel to generate BPF filter
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package main | |
| import ( | |
| "errors" | |
| "log" | |
| "os/exec" | |
| "syscall" | |
| "unsafe" | |
| ) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ### Keybase proof | |
| I hereby claim: | |
| * I am andrewkroh on github. | |
| * I am andrewkroh (https://keybase.io/andrewkroh) on keybase. | |
| * I have a public key whose fingerprint is 3244 3ADF 2BE8 47C2 B49D 729B 0558 8481 AB5B 6468 | |
| To claim this, I am signing this object: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <libproc.h> | |
| #include <sys/proc_info.h> | |
| static const char* USAGE = "Usage: %s pid\n"; | |
| static const char* INVALID_PID = "Invalid pid: %s\n"; | |
| static const char* UNABLE_TO_GET_PROC_FDS = "Unable to get open file handles for %d\n"; | |
| static const char* OUT_OF_MEMORY = "Out of memory. Unable to allocate buffer with %d bytes\n"; |
andrewkroh
/ seccomp-violation.json
Created
April 8, 2018 19:34
Auditbeat Event for a Seccomp Violation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "@timestamp": "2018-04-08T19:29:14.461Z", | |
| "@metadata": { | |
| "beat": "auditbeat", | |
| "type": "doc", | |
| "version": "6.2.2" | |
| }, | |
| "event": { | |
| "action": "violated-seccomp-policy", | |
| "module": "auditd", |
andrewkroh
/ auditbeat-seccom-x86_64.yml
Last active
April 23, 2018 12:55
Elastic Beat Seccomp Profiles
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| seccomp: | |
| default_action: errno | |
| syscalls: | |
| - names: | |
| - accept | |
| - accept4 | |
| - arch_prctl | |
| - bind | |
| - brk | |
| - clone |
andrewkroh
/ Slack Notification
Last active
July 8, 2018 12:54
Heartbeat ICMP Alerting with Elastic X-Pack Watcher
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| https://twitter.com/Krohbird/status/849749788920877056 |