dso deeso
deeso
/ stealth_watch_convert.py
Last active
August 6, 2020 20:19
Convert stealthwatch CSV to data for analysis
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import datetime | |
| from dateutil import parser | |
| import csv | |
| def swc_csv_data(filename): | |
| data = [] | |
| d = csv.DictReader(open(filename)) | |
| for entry in d: | |
| new_entry = {} | |
| for k, v in entry.items(): |
deeso
/ loop_forever_script.py
Last active
July 23, 2020 12:34
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from time import sleep | |
| from threading import Timer | |
| from socket import socket | |
| import gevent | |
| TIMER = None | |
| QUIT = False | |
| SPACING = 3.0 | |
| PORT = 39090 |
deeso
/ treemap_by_os-count_example.py
Created
July 23, 2020 11:57
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # pip3 install squarify matplotlib seaborn pandas | |
| import pandas as pd | |
| import squarify | |
| import matplotlib | |
| from matplotlib import style | |
| import matplotlib.pyplot as plt | |
| import seaborn as sns | |
| unique_results = {} |
deeso
/ Linux Proc Net Tcp Regular expression
Created
June 28, 2020 01:34
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| \s+(?<entry>[0-9]+):\s+(?<src_ip>[0-9A-Fa-f]+):(?<src_port>[0-9A-Fa-f]+)\s+(?<dst_ip>[0-9A-Fa-f]+):(?<dst_port>[0-9A-Fa-f]+)\s+(?<state>[0-9A-Fa-f]+)\s+(?<tx_queue>[0-9A-Fa-f]+):(?<rx_queue>[0-9A-Fa-f]+)\s+(?<tr>[0-9A-Fa-f]+):(?<tm_when>[0-9A-Fa-f]+)\s+(?<retrnsmt>[0-9A-Fa-f]+)\s+(?<uid>[0-9A-Fa-f]+)\s+(?<inode_info>[0-9A-Fa-f\s]+)?$ |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| export NETFLOW_COLLECTOR= | |
| apt-get install -y module-assistant iptables-dev pkg-config snmpd libsnmp-dev | |
| m-a prepare | |
| git clone git://github.com/aabc/ipt-netflow.git ipt-netflow | |
| cd ipt-netflow/ | |
| ./configure; make all install; depmod | |
| insmod ipt_NETFLOW.ko destination=$NETFLOW_COLLECTOR:2055 |
deeso
/ is_there_abuse.py
Created
April 3, 2020 04:17
a small recipe to help with analyzing logs with timestamps using pandas. Trying to detect if any abuse happens between in a window of 90s after a user has authenticated to the target application
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Using pandas to look for potential token abuse in logs | |
| import pandas as pd | |
| import json | |
| from dateutil import parser | |
| print('Loading data') | |
| # keys in data now: clientip date date_key_day date_key_hour date_key_minute date_key_month dst_host app_id src_host status ait url username | |
| # assuming splunk results with 'results' containing the required results | |
| data = [json.loads(i)['result'] for i in open('looking-token-abuse.json').readlines()] | |
| abusable_url = 'APP_NAME' |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import sys | |
| import argparse | |
| import platform | |
| import subprocess | |
| parser = argparse.ArgumentParser(description='Ping some hosts.') | |
| parser.add_argument('-i', type=str, default=None, help='file containing the hosts on a new line') | |
| parser.add_argument('-c', type=str, default=None, help='host list (comma or space delimited') | |
| parser.add_argument('-o', type=str, default=None, help='output file') | |
| parser.add_argument('-j', type=str, default=False, help='json output' action="store_true") |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import sys | |
| import argparse | |
| import regex, json | |
| from datetime import datetime, timedelta | |
| CODES_CLASS = {} | |
| CLASS_CODES = {} | |
| ASA_MSG_CLASSES = {} | |
| ASA_MSG_TYPES = {} |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # requirements | |
| # requests magic pdfminer | |
| import json | |
| import re | |
| from pdfminer.high_level import extract_text as pdf_extract_text | |
| import traceback | |
| import os | |
| from requests import get | |
| from hashlib import md5 | |
| from multiprocessing import * |
deeso
/ analyze_files.py
Last active
March 6, 2020 17:18
analyze file content using regular expressions
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # requirements | |
| # requests magic pdfminer | |
| import json | |
| import re | |
| from pdfminer.high_level import extract_text as pdf_extract_text | |
| import traceback | |
| import os | |
| from requests import get | |
| from hashlib import md5 | |
| from multiprocessing import * |