Given an input PCAP and a location in a Bro script, this script will filter the PCAP into a new file, which contains only the connections that visited that script location. This script can help filter a large PCAP to narrow down problematic connections, such as protocol violations, weirds, etc.
Vlad Grigorescu grigorescu
grigorescu
/ bro.lua
Created
December 10, 2015 18:06
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| local msg_types = { | |
| [0] = "None", | |
| [1] = "Version", | |
| [2] = "Serial", | |
| [3] = "Close", | |
| [4] = "Close all", | |
| [5] = "Error", | |
| [6] = "Connect to", | |
| [7] = "Connected", | |
| [8] = "Request events", |
grigorescu
/ arp_main.bro
Last active
August 16, 2020 23:41
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ##! Analysis of ARP Traffic. | |
| ##! This script logs ARP traffic while doing so builds an internal ARP cache | |
| ##! that can be used to determine when MAC/IP associations change. | |
| ##! | |
| ##! Written by Peter Erickson <[email protected]> | |
| ##! Reference: http://mailman.icsi.berkeley.edu/pipermail/bro/2011-November/004415.html | |
| # | |
| # Abbreviations are taken from RFC 826: | |
| # | |
| # SHA: source hardware address (i.e., MAC address) |
grigorescu
/ backdoor.sh
Created
September 1, 2016 20:44
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # | |
| # Found on: http://hackforums.net/showthread.php?tid=914128 | |
| # | |
| #Autorooter and backdoor bash-script | |
| #Hopefully this script will come to good use | |
| #Run n tell dat home, home, homeboy!! | |
| #by: ludwig @ SSTeam.info | |
| clear |
grigorescu
/ notify_edu.py
Created
February 2, 2017 21:56
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| import sys | |
| import pygeoip | |
| import dns.resolver | |
| from IPy import IP | |
| import pytz | |
| import smtplib | |
| import datetime |
grigorescu
/ fix_parity.py
Created
September 1, 2017 19:39
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| import argparse, sys | |
| def hexdump(text, space=False): | |
| result = "" | |
| for t in text: | |
| s = str(hex(ord(t))).replace('0x', '') | |
| if len(s) == 1: | |
| s = '0' + s |
grigorescu
/ udpddos.bro
Created
September 14, 2017 18:35
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ##! A detection script for UDP DoS Flows | |
| @load base/protocols/conn | |
| module UDPDoS; | |
| export { | |
| redef enum Notice::Type += { | |
| Detected, |
grigorescu
/ ncsa_excessive_email.bro
Created
September 14, 2017 18:43
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @load base/frameworks/sumstats | |
| @load base/protocols/smtp | |
| module SMTP; | |
| export { | |
| redef enum Notice::Type += { | |
| ## Generated if a user is sending mail to too many recipients | |
| ExcessiveRecipients | |
| }; |
grigorescu
/ exposed.bro
Created
September 14, 2017 18:55
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| module Exposed; | |
| export { | |
| redef enum Notice::Type += { | |
| Service | |
| }; | |
| const exposed_services: table[port] of string ={} &redef; | |
| } | |
| redef exposed_services+= [[11211/tcp] = "memcached"]; |
grigorescu
/ bro_find_all_events.sh
Created
March 5, 2018 15:35
This is a one-liner to find all events defined in Bro
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| for i in $(git grep -l event); do cat $i | perl -e '$input=join("", <>); for ($input=~/^\s*(event [^(]+\([^)]*?\))/mg) { s/\n\s*/ /g; s/%//g; print "$_ { }\n"; }' ; done |