Skip to content

Instantly share code, notes, and snippets.

*filter
# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT
# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic - you can modify this to only allow certain traffic
@deruke
deruke / nxlog.conf
Created June 29, 2017 13:05
nxlog config file
# define ROOT dir
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
#<Extension _syslog>
@deruke
deruke / install.bat
Last active July 13, 2022 11:35
Sysmon and nxlog startup install script
@echo off
:install_nxlog
sc query "nxlog" | Find "RUNNING" >NUL
If NOT "%ERRORLEVEL%" EQU "1" (
goto install_sysmon
)
echo Installing NXLOG
\\domain.local\SYSVOL\software\nxlog-ce-2.9.1716.msi /quiet
copy /z /y “\\domain.local\SYSVOL\software\nxlog.conf" "C:\Program Files (x86)\nxlog\conf"
@deruke
deruke / winevent-logstash.conf
Created June 29, 2017 16:25
winevent-logstash
# capture windows events over JSON
# expects to be sent by the NXLOG package
# author: Joff Thyer, 2017
input {
tcp {
port => 3515
codec => json
}
}
if not exist "C:\windows\sysmon_config.xml" (
copy /z /y "\\lab.local\SYSVOL\lab.local\scripts\sysmon\sysmon_config.xml" "C:\windows\"
)
sc query "Sysmon" | Find "RUNNING"
If "%ERRORLEVEL%" EQU "1" (
goto startsysmon
)
:startsysmon
net start Sysmon
# define ROOT dir
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
#<Extension _syslog>
input {
tcp {
port => 3515
codec => json
}
}
filter {
mutate {
add_tag => "forwardedevtx"
}

Keybase proof

I hereby claim:

  • I am deruke on github.
  • I am derekbanks (https://keybase.io/derekbanks) on keybase.
  • I have a public key ASAOau90RIe9f3aw2svuIabRL7emSd9uVmtko-F05pmmWQo

To claim this, I am signing this object: