Given an input PCAP and a location in a Bro script, this script will filter the PCAP into a new file, which contains only the connections that visited that script location. This script can help filter a large PCAP to narrow down problematic connections, such as protocol violations, weirds, etc.
Vlad Grigorescu grigorescu
grigorescu
/ notify_edu.py
Created
February 2, 2017 21:56
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| import sys | |
| import pygeoip | |
| import dns.resolver | |
| from IPy import IP | |
| import pytz | |
| import smtplib | |
| import datetime |
grigorescu
/ backdoor.sh
Created
September 1, 2016 20:44
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # | |
| # Found on: http://hackforums.net/showthread.php?tid=914128 | |
| # | |
| #Autorooter and backdoor bash-script | |
| #Hopefully this script will come to good use | |
| #Run n tell dat home, home, homeboy!! | |
| #by: ludwig @ SSTeam.info | |
| clear |
grigorescu
/ arp_main.bro
Last active
August 16, 2020 23:41
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ##! Analysis of ARP Traffic. | |
| ##! This script logs ARP traffic while doing so builds an internal ARP cache | |
| ##! that can be used to determine when MAC/IP associations change. | |
| ##! | |
| ##! Written by Peter Erickson <[email protected]> | |
| ##! Reference: http://mailman.icsi.berkeley.edu/pipermail/bro/2011-November/004415.html | |
| # | |
| # Abbreviations are taken from RFC 826: | |
| # | |
| # SHA: source hardware address (i.e., MAC address) |
grigorescu
/ bro.lua
Created
December 10, 2015 18:06
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| local msg_types = { | |
| [0] = "None", | |
| [1] = "Version", | |
| [2] = "Serial", | |
| [3] = "Close", | |
| [4] = "Close all", | |
| [5] = "Error", | |
| [6] = "Connect to", | |
| [7] = "Connected", | |
| [8] = "Request events", |
grigorescu
/ split_http.bro
Created
April 13, 2015 11:42
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @load base/utils/site | |
| event bro_init() | |
| { | |
| # First remove the default filter. | |
| Log::remove_default_filter(HTTP::LOG); | |
| # Add the filter to direct logs to the appropriate file name. | |
| Log::add_filter(HTTP::LOG, [$name = "http-directions", | |
| $path_func(id: Log::ID, path: string, rec: HTTP::Info) = { |
grigorescu
/ syslog_main.bro
Last active
February 17, 2020 03:29
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ##! Core script support for logging syslog messages. This script represents | |
| ##! one syslog message as one logged record. | |
| ##! | |
| ##! Note: This was slightly simplified for demo purposes | |
| @load ./consts | |
| module Syslog; | |
| export { |
grigorescu
/ keybase.md
Created
February 24, 2015 20:14
I hereby claim:
- I am grigorescu on github.
- I am vladg (https://keybase.io/vladg) on keybase.
- I have a public key whose fingerprint is BE8A E1D9 A108 4DBC 1BF0 28F6 C115 8FAB 632E 5272
To claim this, I am signing this object:
grigorescu
/ dpd_to_pcap.py
Last active
November 6, 2020 02:34
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python2 | |
| ## | |
| ## This script takes a line from the dpd.log generated with the | |
| ## policy/frameworks/dpd/packet-segment-logging.bro script, and | |
| ## outputs a PCAP to stdout | |
| ## | |
| ## Vlad Grigorescu | |
| ## [email protected] | |
| ## |
grigorescu
/ x_requested_with.bro
Created
February 3, 2015 22:03
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ##! Add support for X-Requested-With | |
| @load base/protocols/http | |
| @load base/frameworks/software | |
| @load policy/protocols/http/software-browser-plugins | |
| module HTTP; | |
| export { | |
| redef record HTTP::Info += { | |
| ## X-REQUESTED_WITH value, if set |