Internet Engineering Task Force (IETF)                          K. Weller
Request for Comments: XXXX                               October 27, 2025
Category: Experimental
ISSN: 2070-1721

                  Hash-Based IPv6 Address Derivation for
                     Deterministic Name Resolution

Abstract
```python
import re
import argparse
from typing import Dict, List, Set


class SplunkToSigmaParser:
    def __init__(self):
        # Regexes used to pull the base-search components out of an SPL query
        self.index_pattern = r'index=(\S+)'
        self.sourcetype_pattern = r'sourcetype=(\S+)'
        self.datamodel_pattern = r'datamodel=(\S+)'  # New: capture datamodel in base search
        self.field_value_pattern = r'(\w+(?:\.\w+)?)=(?:"([^"]+)"|(\S+))'  # Updated: allow datamodel.field syntax
```
```powershell
$path_ = "C:\"
# Find every copy of the SolarWinds Orion DLL on the drive (paths are returned relative to $path_)
$list = @(Get-ChildItem -Path $path_ -Name "SolarWinds.Orion.Core.BusinessLayer.dll" -Recurse)
$list | % {
    $fullPath = $path_ + $_
    # Print the SHA256 of each copy so it can be compared against known-good/known-bad hashes
    Get-FileHash $fullPath -Algorithm SHA256 | Format-List
}
```
```conf
input {
  kafka {
    bootstrap_servers => ""      # configurable
    group_id => ""               # configurable
    auto_offset_reset => ""      # configurable
    security_protocol => "SASL_SSL"
    sasl_mechanism => "SCRAM-SHA-512"
    sasl_jaas_config => "org.apache.kafka.common.security.scram.ScramLoginModule required username='' password='';"
    ssl_endpoint_identification_algorithm => ""
    topics => [""]               # configurable
  }
}
```
```powershell
function Get-InjectedThread
{
    <#
    .SYNOPSIS
    Looks for threads that were created as a result of code injection.
    .DESCRIPTION
```
MITRE ATT&CK - T1132 - Data Encoding

| Base64 Code | Mnemonic Aid | Decoded* | Description |
|---|---|---|---|
| JAB | 🗣 Jabber | $. | Variable declaration (UTF-16) |
| TVq | 📺 Television | MZ | MZ header |
| UEs | 🏬 Upper East Side | PK | ZIP, Office documents |
| SUVY | 🚙 SUV | IEX | PowerShell Invoke Expression |
```powershell
# Deny rule: block regsvr32.exe from loading scrobj.dll (the "squiblydoo" loader)
$ScrObjBlockRule = New-CIPolicyRule -DriverFilePath $Env:windir\System32\scrobj.dll -Level FileName -Deny -AppID $Env:windir\System32\regsvr32.exe
# Merge the block rule into the allow-all template rule included in the OS
Merge-CIPolicy -OutputFilePath CustomASRPolicy.xml -PolicyPaths $Env:windir\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml -Rules $ScrObjBlockRule
# This must be run elevated. Convert the policy to binary form and copy it to where WDAC will consume it.
ConvertFrom-CIPolicy -XmlFilePath .\CustomASRPolicy.xml -BinaryFilePath $Env:windir\System32\CodeIntegrity\SIPolicy.p7b
# Now reboot and the policy will take effect.
```
```python
import time
import etw
import etw.evntrace
import sys
import argparse
import threading


class RundownDotNetETW(etw.ETW):
    def __init__(self, verbose, high_risk_only):
```
```sql
CREATE STREAM WINLOGBEAT_STREAM (
  source_name VARCHAR,
  type VARCHAR,
  task VARCHAR,
  log_name VARCHAR,
  computer_name VARCHAR,
  event_data STRUCT<
    UtcTime VARCHAR, ProcessGuid VARCHAR, ProcessId INTEGER, Image VARCHAR,
    FileVersion VARCHAR, Description VARCHAR, Product VARCHAR, Company VARCHAR,
    CommandLine VARCHAR, CurrentDirectory VARCHAR, User VARCHAR, LogonGuid VARCHAR,
    LogonId VARCHAR, TerminalSessionId INTEGER, IntegrityLevel VARCHAR, Hashes VARCHAR,
    ParentProcessGuid VARCHAR, ParentProcessId INTEGER, ParentImage VARCHAR,
    ParentCommandLine VARCHAR, Protocol VARCHAR, Initiated VARCHAR,
    SourceIsIpv6 VARCHAR, SourceIp VARCHAR, SourceHostname VARCHAR,
    SourcePort INTEGER, SourcePortName VARCHAR, DestinationIsIpv6 VARCHAR,
    DestinationIp VARCHAR, DestinationHostname VARCHAR, DestinationPort INTEGER,
    DestinationPortName VARCHAR>,
  event_id INTEGER
) WITH (KAFKA_TOPIC='winlogbeat', VALUE_FORMAT='JSON');

CREATE STREAM WINLOGBEAT_STREAM_REKEY WITH (VALUE_FORMAT='JSON', PARTITIONS=1, TIMESTAMP='event_date_creation') AS SEL
```