Hillar hillar
hillar
/ dump2jsonbot.py
Last active
August 29, 2015 13:58
dumps last {window_time} events in room on every {purge_time} to json file (used for anonymous vsroom demo)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import idiokit | |
| from abusehelper.core import bot, taskfarm | |
| # please move Roombot from contrib to core | |
| class RoomBot(bot.ServiceBot): | |
| def __init__(self, *args, **keys): | |
| bot.ServiceBot.__init__(self, *args, **keys) | |
| self.room_handlers = taskfarm.TaskFarm(self._handle_room) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # please see http://www.emhi.ee/index.php?ide=1,359,737,1207 | |
| import idiokit | |
| from abusehelper.core import utils, bot, events | |
| import xml.etree.cElementTree as etree | |
| from xml.etree.ElementTree import ElementTree | |
| from sys import exc_type as ParseError | |
| #Elemtree throws different exception in python2.7 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apt-get -y install apache2 libapache2-mod-php5 php5-common | |
| apt-get -y install rrdtool libmailtools-perl librrds-perl libio-socket-ssl-perl | |
| cd /tmp/ | |
| wget http://sourceforge.net/projects/nfsen/files/stable/nfsen-1.3.6p1/nfsen-1.3.6p1.tar.gz | |
| tar zxvf nfsen-1.3.6p1.tar.gz | |
| mv nfsen-1.3.6p1 nfsen | |
| cp nfsen/etc/nfsen-dist.conf /etc/nfsen.conf | |
| useradd www | |
| useradd netflow | |
| usermod -a -G www netflow |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ====== All you need to know before building a CSIRT ====== | |
| ===== CERTs and similar entities around the world ===== | |
| * 1 CERT was created in 1988 in response to the Morris worm incident. | |
| * FIRST is the Forum of Incident Response and Security Teams http://first.org/members | |
| * national CSIRTs http://www.cert.org/incident-management/national-csirts/meeting/ | |
| * Africa http://www.africacert.org/home/countries/ |
hillar
/ output.txt
Created
September 16, 2014 11:10
lua script to pump flow data from suricata to elasticsearch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "start": "09/12/2014-09:56:41.642074", | |
| "ipver": 6, | |
| "ipproto": 6, | |
| "srcip": "2002:0010:0001:0009:0000:0000:0000:0011", | |
| "sp": 42126, | |
| "dstip": "2002:0010:0001:0000:0000:0000:0000:0003", | |
| "dp": 80, | |
| "tscnt": 10, | |
| "tsbytes": 946, |
hillar
/ json2elastic.js
Last active
December 16, 2015 19:16
send json file to eleasticsearch in bulks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| send json file to eleasticsearch in bulks... | |
| exit with error, if | |
| - file does not exist | |
| - can not connect o elasticsearchserver | |
| - elasticsearch status is not green | |
| */ |
hillar
/ suricata_tagger.js
Created
October 22, 2014 18:52
tag moloch sessions with suricata eve.json alerts
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var fs = require('fs'); | |
| var byline = require('byline'); | |
| var urllib = require('urllib'); | |
| var fileName = '/home/vagrant/log/eve.json'; | |
| var stream = fs.createReadStream(fileName); | |
| stream = byline.createStream(stream); | |
| stream.on('data', function(linebuf) { | |
| var suricataEvent = null; | |
| try { | |
| suricataEvent = JSON.parse(linebuf.toString()); |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ##! modified TeamCymruMalwareHashRegistry | |
| @load base/frameworks/files | |
| @load base/frameworks/notice | |
| @load frameworks/files/hash-all-files | |
| module TeamCymruMalwareHashRegistryPlusVirusTotalPublicAPI; |
hillar
/ shadowserver-mhr.bro
Last active
December 9, 2017 10:11
BRO :: ShadowServer Sandbox API Status Query
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ##! see http://www.shadowserver.org/wiki/pmwiki.php/Services/Sandboxapi | |
| # | |
| # ShadowServer Sandbox API Status Query | |
| # http://innocuous.shadowserver.org/api/?query=#md5-or-sha1# | |
| # Returns the md5, sha1, first seen date (UTC), last seen date (UTC), file type, and ssdeep hash | |
| # on the first line as a CSV value. The second line is a JSON object containing antivirus vendor | |
| # and signature details for the given sample. | |
| @load base/frameworks/files |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ##! see https://www.virustotal.com/en/documentation/public-api/#getting-file-scans | |
| # | |
| # Virustotal public API file report query | |
| # resource: a sha1 hash will retrieve the most recent report on a given sample. | |
| # apikey: your API key. | |
| # it is limited to at most 4 requests of any nature in any given 1 minute time frame | |
| @load base/frameworks/files | |
| @load base/frameworks/notice |