#!/usr/bin/env python
import argparse
from netaddr import *
import pprint

class Tree(object):
    def __init__(self):
        self.left = None
{
  "_index": "logstash-2014.11.21",
  "_type": "syslog",
  "_id": "NDGHjnB_RF24TbKFdcCfiA",
  "_score": 1.0,
  "_source": {
    "message": "2014-11-20T19:00:07-05:00 10.0.0.34 orl-asa-fp sf: [Primary Detection Engine (6c462a00-43ae-11e4-954c-a4aa6fe94c69)][Presidio Lab - Internet Access Policy] Connection Type: End, User: Unknown, Client: SSL client, Application Protocol: HTTPS, Web App: Unknown, Access Control Rule Name: Malware Lookups | Monitor All, Access Control Rule Action: Allow, Access Control Rule Reasons: Unknown, URL Category: Unknown, URL Reputation: Risk unknown, URL: https://sn-cc-nbox.presidiolab.local, Interface Ingress: outside, Interface Egress: inside, Security Zone Ingress: Outside, Security Zone Egress: Inside, Security Intelligence Matching IP: None, Security Intelligence Category: None, Client Version: (null), Number of File Events: 0, Number of IPS Events: 0, TCP Flags: 0x0, NetBIOS Domain: (null), Initiator Packets: 8, Responder Packets: 10, Initiator Bytes: 1598, Responder Bytes: 26
input {
  file {
    path => ["/var/log/network.log"]
    sincedb_path => "/var/log/logstash"
    start_position => "beginning"
    type => "syslog"
    tags => [ "netsyslog" ]
  }
  zeromq {
{
  "_index" : "logstash-2014.11.21",
  "_type" : "syslog",
  "_id" : "l9u2pNC4RjKlsweRhgalWA",
  "_score" : 1.0,
  "_source":{"@version":"1","@timestamp":"2014-11-21T00:00:57.000Z","type":"syslog","tags":["netsyslog","grok_ran"],"host":"orl-syslog","path":"/var/log/network.log","syslog_host":"10.0.0.34","device_host":"orl-asa-fp","device_module":"sf","pri_detection_engine":"6c462a00-43ae-11e4-954c-a4aa6fe94c69","sf_policy":"Presidio Lab - Internet Access Policy","connection_type":"End","user":"Unknown","client":"Chrome","app_protocol":"HTTP","webapp":"Unknown","acl_rule_name":"Malware Lookups | Monitor All","acl_rule_action":"Allow","acl_rule_reason":"Unknown","url_category":"Unknown","url_reputation":"Risk unknown","url":"http://sn-cc-nbox.presidiolab.local:3000/lua/get_flow_data.lua?flow_key=352531341&_=1416504188744","ingress_interface":"outside","egress_interface":"inside","ingress_sec_zone":"Outside","egress_sec_zone":"Inside","sec_intel_match_ip":"None","sec_intel_category":"None","
2014-11-20T19:00:57-05:00 10.0.0.34 orl-asa-fp sf: [Primary Detection Engine (6c462a00-43ae-11e4-954c-a4aa6fe94c69)][Presidio Lab - Internet Access Policy] Connection Type: End, User: Unknown, Client: Chrome, Application Protocol: HTTP, Web App: Unknown, Access Control Rule Name: Malware Lookups | Monitor All, Access Control Rule Action: Allow, Access Control Rule Reasons: Unknown, URL Category: Unknown, URL Reputation: Risk unknown, URL: http://sn-cc-nbox.presidiolab.local:3000/lua/get_flow_data.lua?flow_key=352531341&_=1416504188744, Interface Ingress: outside, Interface Egress: inside, Security Zone Ingress: Outside, Security Zone Egress: Inside, Security Intelligence Matching IP: None, Security Intelligence Category: None, Client Version: 38.0.2125.111, Number of File Events: 0, Number of IPS Events: 0, TCP Flags: 0x0, NetBIOS Domain: (null), Initiator Packets: 5, Responder Packets: 5, Initiator Bytes: 778, Responder Bytes: 451, Context: unknown {TCP} 10.254.1.19:50609 -> 10.4.4.15:3000
{
  "_index": "logstash-2014.11.18",
  "_type": "netflow",
  "_id": "35EpZH_wRwCbX1fATNJljA",
  "_score": null,
  "_source": {
    "@timestamp": "2014-11-18T16:52:07.000Z",
    "netflow": {
      "version": "9",
      "flow_seq_num": "254",
input {
  file {
    path => ["/var/log/network.log"]
    sincedb_path => "/var/log/logstash"
    start_position => "beginning"
    type => "syslog"
    tags => [ "netsyslog" ]
  }
  udp {
{
  "_index": "logstash-2014.11.17",
  "_type": "netflow",
  "_id": "tN86DepHQ5yOaetLMVDRCA",
  "_score": null,
  "_source": {
    "@timestamp": "2014-11-17T21:33:03.000Z",
    "netflow": {
      "version": "9",
      "flow_seq_num": "254",
input {
  file {
    path => ["/var/log/network.log"]
    sincedb_path => "/var/log/logstash"
    start_position => "beginning"
    type => "syslog"
    tags => [ "netsyslog" ]
  }
  udp {