Top smtp auth talkers for Friday (deidentified). I believe that only A is compromised.

```
1228 authid=A
 314 authid=B
 190 authid=C
  77 authid=D
  49 authid=E
  44 authid=F
```

```sh
awk -F, '/authid=/{print $3}' maillog | sort | uniq -c | sort -rn > sorted
```

Timestamps with a counter

```sh
awk -F, '/authid=aaa/{print $1 $3}' maillog maillog.1 | awk '++a { print $3 " " a}'
```

Connections per hour displayed

```sh
awk -F, '/authid=aaa/{print $1 $3}' maillog | awk '{ print $3}' | awk -F: '{print $1":00"}' | uniq -c
```

Connections per minute displayed

Delivery has failed to these recipients or groups:

jcoleman+xxxxxx@connect.yale.edu

The e-mail address you entered couldn't be found. Please check the recipient's e-mail address and try to resend the message. If the problem continues, please contact your helpdesk.

Current pps mailers:

```
Msmtp,		P=[IPC], F=mDFMuX, S=EnvFromSMTP/HdrFromSMTP, R=EnvToSMTP, E=\r\n, L=0,
		T=DNS/RFC822/SMTP,
		A=TCP $h
Mesmtp,		P=[IPC], F=mDFMuXa, S=EnvFromSMTP/HdrFromSMTP, R=EnvToSMTP, E=\r\n, L=0,
		T=DNS/RFC822/SMTP,
		A=TCP $h
Msmtp8,		P=[IPC], F=mDFMuX8, S=EnvFromSMTP/HdrFromSMTP, R=EnvToSMTP, E=\r\n, L=0,
		T=DNS/RFC822/SMTP,
```

```
$ du -hs maillog*
8.6G	maillog.1
8.6G	maillog.1a
$ time gzip -9 maillog.1
real	3m37.652s
user	3m28.382s
sys	0m5.502s
```

```sh
# The hostname value must be a quoted string for the body to be valid JSON.
curl http://localhost:8080/api/add \
  -X POST \
  -H 'Content-Type: application/json' \
  -d '{"hostname": "gilda", "criticality": 1, "description": "made a change", "user": "misc", "body": "cli test"}'
```

```
 1006  grep from=bob.erb maillog
 1015  grep s7M7KPDf002853 maillog | less
 1017  grep 107-1-157-130-ip-static.hfc.comcastbusiness.net maillog | less
Aug 22 03:20:25 vm-emlprdomg-03 sendmail[2852]: AUTH=server, relay=107-1-157-130-ip-static.hfc.comcastbusiness.net [107.1.157.130], authid=xxxx6, mech=LOGIN, bits=0
```

```
type=Single
ptype=RegExp
pattern=one
desc=one_matched
action=event NEED_BOP

type=Single
ptype=RegExp
pattern=two
desc=two_matched
```

```
awk -F, '/sendmail.*authid=/{print $3}' maillog maillog.1 | sort -u | wc -l
788
```

```python
#!/usr/bin/env python
# Copyright 2015-present Palo Alto Networks, Inc
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
```