Quick script to run bro against a pcap capture
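#!/usr/bin/env bash
# Tested on Debian 10 (Buster)
#
# Run bro over the honeypot RDP pcaps, build a per-connection summary with
# bro-cut, mail the summary (message body) plus the full logs (zip attachment)
# through Mailgun, then remove the working files.
#
# Required environment (read from the environment instead of being edited into
# the script: argv and `set -x` output are visible to other users via ps):
#   YOUR_DOMAIN       Mailgun sending domain
#   YOUR_SRC_EMAIL    From address
#   YOUR_DST_EMAIL    To address
#   MAILGUN_API_KEY   Mailgun private API key (variable name chosen by this
#                     script; it is not a Mailgun convention)
set -euo pipefail

: "${YOUR_DOMAIN:?set YOUR_DOMAIN}"
: "${YOUR_SRC_EMAIL:?set YOUR_SRC_EMAIL}"
: "${YOUR_DST_EMAIL:?set YOUR_DST_EMAIL}"
: "${MAILGUN_API_KEY:?set MAILGUN_API_KEY}"

readonly pcap_dir=/honeypot-data

die() { printf '%s\n' "$*" >&2; exit 1; }

# Make a report folder (timestamped, so two runs never share a directory)
outdir=bro-$(date +%FT%H-%M-%S)
readonly outdir
mkdir -- "$outdir" || die "cannot create $outdir"

# Clean up on every exit path. On failure the report folder is kept so the
# run can be inspected/retried; ${outdir:?} refuses to rm -rf an empty name.
cleanup() {
  local rc=$?
  if (( rc == 0 )); then
    rm -rf -- "${outdir:?}" "${outdir:?}.zip"
  else
    printf 'run failed (exit %d); kept %s for inspection\n' "$rc" "$outdir" >&2
  fi
}
trap cleanup EXIT

# Generate our reports with bro in the report folder. bro writes its logs to
# the current directory, hence the cd inside a subshell.
shopt -s nullglob
pcaps=("$pcap_dir"/rdp*.pcap*)
shopt -u nullglob
(( ${#pcaps[@]} > 0 )) || die "no rdp*.pcap* files under $pcap_dir"
( cd -- "$outdir" && bro -r "${pcaps[@]}" -C ) || die "bro failed"

# rdp.log only exists when bro saw RDP traffic; produce a summary either way so
# the daily mail still goes out.
summary=$outdir/rdp_summary.txt
if [[ -f "$outdir/rdp.log" ]]; then
  bro-cut -d ts id.orig_h id.orig_p id.resp_h id.resp_p cookie result \
    security_protocol keyboard_layout client_build client_name \
    < "$outdir/rdp.log" > "$summary"
else
  printf 'No RDP sessions were logged for this run.\n' > "$summary"
fi

# Archive up our summary data
zip -q "$outdir.zip" "$outdir"/* || die "zip failed"

# Send an email with rdp_summary.txt as the body and the full logs as a zip
# attachment. Requires a mailgun account.
#
# The API key is handed to curl as a config fragment on stdin (-K -) rather
# than on the command line. The body is read by curl from the summary file
# ("text=<file") instead of being interpolated: the summary is derived from
# attacker-controlled pcap content, and a -F value that happens to start with
# '@' or '<' would otherwise be treated by curl as a file reference.
# --fail turns HTTP errors into a non-zero exit so a rejected mail is noticed.
curl -sS --fail -K - \
  "https://api.mailgun.net/v3/$YOUR_DOMAIN/messages" \
  -F from="RDP Honeypot <$YOUR_SRC_EMAIL>" \
  -F to="$YOUR_DST_EMAIL" \
  -F subject='RDP Daily Report' \
  -F "attachment=@$outdir.zip" \
  -F "text=<$summary" \
  <<<"user = \"api:$MAILGUN_API_KEY\"" \
  || die "mailgun request failed"

# Clean up is handled by the EXIT trap above.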