{
"extra-data": [
{
"type": "flowbits",
"values": [
"flowbit1",
"flowbit2",
"flowbit3"
]
},
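# CI job (looks like a GitLab-CI `script:` job — confirm the runner). It
# prints the identity/cwd the runner executes as, then fetches the Suricata
# sources, libhtp into the in-tree location Suricata's build expects, and
# the test-builder helpers, and finally changes into the suricata checkout.
job1:
  # NOTE(review): all three clones are unpinned (default-branch HEAD at run
  # time), so the job builds whatever those branches contain when it runs;
  # pin with `git clone -b <tag>` or a `git checkout <sha>` after each clone
  # for reproducible, auditable builds.
  script: |
    whoami
    id
    pwd
    git clone https://github.com/OISF/suricata.git
    git clone https://github.com/OISF/libhtp.git suricata/libhtp
    git clone https://github.com/jasonish/suricata-test-builders.git
    cd suricata
    pwd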
{
"metadata": {
"flowbits": [
"/traffic/id/facebook",
"ET.TorIP"
],
"flowvars": {
"flow_var0_name": "flow_var0_value",
"flow_var1_name": "flow_var1_value"
},
In file included from suricata-common.h:430:0,
from util-debug.c:26:
util-debug.c: In function ‘SCLogTestInit05.part.11’:
util-debug.c:1652:15: warning: ‘AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
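# Rule-source index (looks like a suricata-update source list — confirm the
# consumer). Each `url` is a %-format template expanded by the consumer:
# %(version)s presumably becomes the Suricata version and, for the pro feed,
# %(code)s the subscriber's access code.
sources:
  - name: etopen
    description: Emerging Threats Open Ruleset
    url: https://rules.emergingthreats.net/open/suricata%(version)s/emerging.rules.tar.gz
  - name: etpro
    description: Emerging Threats Pro Ruleset
    # NOTE(review): %(code)s is a credential embedded in the URL path; the
    # expanded URL must not be echoed into logs, error messages or shell
    # history by whatever downloads it.
    url: https://rules.emergingthreatspro.com/%(code)s/suricata%(version)s/etpro.rules.tar.gz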
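%YAML 1.1
---
# `!include` is not a core YAML tag: the consuming loader has to register a
# handler that reads vars.yaml (relative path resolution is up to that
# loader) and substitutes its contents here — confirm the consumer supports
# it, a plain safe loader will reject the unknown tag.
pw-vars: &pw-vars !include vars.yaml
# Layout matches Suricata's `vars.address-groups` section — confirm.
vars:
  address-groups:
    # `<<` is the YAML 1.1 merge key; it splices the anchored mapping in and
    # likewise depends on the loader implementing merge semantics.
    <<: *pw-vars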
{
"timestamp": "2017-04-20T21:15:58.732859+0000",
"flow_id": 1507173365328989,
"pcap_cnt": 2,
"event_type": "dns",
"version": 2,
"src_ip": "10.16.1.1",
"src_port": 53,
"dest_ip": "10.16.1.11",
"dest_port": 41805,
{
"timestamp": "2017-04-20T21:15:58.732859+0000",
"flow_id": 1507173365328989,
"pcap_cnt": 2,
"event_type": "dns",
"src_ip": "10.16.1.1",
"src_port": 53,
"dest_ip": "10.16.1.11",
"dest_port": 41805,
"proto": "UDP",
{
"timestamp": "2017-04-20T21:15:58.732859+0000",
"flow_id": 1507173365328989,
"pcap_cnt": 2,
"event_type": "dns",
"src_ip": "10.16.1.1",
"src_port": 53,
"dest_ip": "10.16.1.11",
"dest_port": 41805,
"proto": "UDP",
# Application-ID tagging rules: each one matches a hostname pattern in the
# TLS SNI (client hello, hence flow:to_server) and sets an "app/<name>"
# flowbit, presumably for later rules to test with flowbits:isset.
#
# NOTE(review): `content` on the tls_sni buffer is a substring match, so
# "snapchat.com" also matches hosts such as "snapchat.com.example.net" or
# "notsnapchat.com"; if the deployed Suricata supports it, anchor the match
# (e.g. endswith / dotprefix) or prefix a "." where a subdomain is expected —
# confirm the version. Each rule also raises an alert on every match; if the
# intent is only to tag the flow, add `noalert` to the flowbits option.
alert tls any any -> any any (msg:"APPID Snapchat TLS SNI pattern"; tls_sni; content:"feelinsonice.appspot.com"; nocase; flow:established,to_server; flowbits:set,app/snapchat; sid:13000000; rev:1;)
alert tls any any -> any any (msg:"APPID Snapchat TLS SNI pattern"; tls_sni; content:"feelinsonice-hrd.appspot.com"; nocase; flow:established,to_server; flowbits:set,app/snapchat; sid:13000001; rev:1;)
alert tls any any -> any any (msg:"APPID Snapchat TLS SNI pattern"; tls_sni; content:"snapchat.com"; nocase; flow:established,to_server; flowbits:set,app/snapchat; sid:13000002; rev:1;)
alert tls any any -> any any (msg:"APPID Skype TLS SNI pattern"; tls_sni; content:"apps.skype.com"; nocase; flow:established,to_server; flowbits:set,app/skype; sid:13000003; rev:1;)
alert tls any any -> any any (msg:"APPID Skype TLS SNI pattern"; tls_sni; content:"ui.skype.com"; nocase; flow:established,to_server; flowbits:set,app/skype; sid:13000004; rev:1;)
alert tls any any -> any any (msg:"APPID Youtube TLS SNI pattern"; tls_sni;