

jeffgeiger / custom.sh
Last active December 23, 2015 03:18
Bro functions and aliases
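# Pipe a Bro log through this to drop the "fields"/"types" prefixes of the
# header lines and align the tab-separated columns. Defined as a function
# rather than an alias so it also works when this file is sourced by a
# non-interactive shell (aliases are not expanded there).
bro-column() { sed 's/fields.//;s/types.//' | column -s $'\t' -t; }
# awk with a single-space field separator; all arguments are handed to awk.
bro-awk() { awk -F" " "$@"; }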
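# Search a Bro log for an extended regex while keeping the "#" header lines,
# so the output still carries its field names.
# Usage: bro-grep PATTERN [FILE...]; with no FILE the log is read from stdin.
# PATTERN is interpolated into the regex as given (it is a pattern, not a
# literal string).
bro-grep() { grep -E -- "(^#)|$1" "${@:2}"; }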
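# Same as bro-grep but for gzip-compressed logs: extended regex search that
# keeps the "#" header lines.
# Usage: bro-zgrep PATTERN [FILE...]; with no FILE the data is read from stdin.
# The pattern always starts with "(" so it cannot be mistaken for an option.
bro-zgrep() { zgrep -E "(^#)|$1" "${@:2}"; }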
# Frequency table of the lines on stdin, most common first.
# Usage: topcount [N]; prints the top N rows (default 10).
topcount() {
  local limit="${1:-10}"
  sort | uniq -c | sort -rn | head -n "$limit"
}
# Colorize the tab-separated columns of a Bro log read from stdin: the
# "#fields"/"#types" prefixes become "#", and each column is wrapped in an
# ANSI colour escape, cycling through codes 31-37. Relies on GNU sed's "\|"
# and "\t" extensions.
colorize() {
  local prog='BEGIN {FS="\t"};{for(i=1;i<=NF;i++) printf("\x1b[%sm %s \x1b[0m",(i%7)+31,$i);print ""}'
  sed 's/#fields\t\|#types\t/#/g' | awk "$prog"
}
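# Colorize one or more Bro logs (see colorize in this file).
# Usage: cm [FILE...]; with no FILE the log is read from stdin.
# Quoted "$@" so paths with spaces work; the pipeline itself lives in colorize.
cm() { cat -- "$@" | colorize; }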
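# Page through one or more colorized Bro logs (see colorize in this file);
# less is run with -R so the colour escapes render and -S so long rows are not
# wrapped. Usage: lesscolor [FILE...]; with no FILE the log is read from stdin.
lesscolor() { cat -- "$@" | colorize | less -RS; }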
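# Most frequent hosts in ./conn.log for a given protocol or service.
# Usage: topconn {resp|orig} {proto|service} {tcp|udp|icmp|http|dns|ssl|smtp|"-"}
#   $1 selects the host column (id.resp_h or id.orig_h), $2 the column paired
#   with it, $3 the value that column must match (passed to grep as a regex).
# Needs bro-cut on PATH and topcount from this file. Returns 2 on bad usage;
# all three arguments are required (the old check only insisted on two, so a
# missing $3 produced a bare grep error instead of the usage text).
topconn() {
  if [[ $# -lt 3 ]]; then
    printf '%s\n' "Usage: topconn {resp|orig} {proto|service} {tcp|udp|icmp|http|dns|ssl|smtp|\"-\"}" >&2
    return 2
  fi
  bro-cut "id.${1}_h" "$2" < conn.log | grep -- "$3" | topcount
}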
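# Number the column names found on a Bro log's "#fields" header line, so a
# column can be located by index for bro-cut or awk.
# Usage: fields [FILE]; with no FILE the log is read from stdin.
# Only the first "#fields" line is used; the leading "#fields" token itself is
# dropped by the /^[^#]/ filter.
fields() {
  grep -m 1 -E '^#fields' -- "$@" | awk -v RS='\t' '/^[^#]/ { print $1 }' | cat -n
}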
jeffgeiger / update_bro_intel.sh
Created September 10, 2013 03:48
Pull JSON data from elasticinsight to update Bro intel indicators file. Uses "jq" from http://stedolan.github.io/jq
#!/bin/bash
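# Usage: update_bro_intel.sh INTELFILE
# Fetches the indicator list as JSON and rewrites INTELFILE, keeping only its
# "#" header lines. DOC, RECS and j are used by the rest of the script, which
# continues past this excerpt, so their names are kept.
INTELFILE=${1:?usage: ${0##*/} INTELFILE}
# NOTE(review): the list is pulled over plain HTTP with no authentication or
# integrity check, so anything on the network path can alter the indicators
# that end up in the Bro intel file. Confirm this matches how the endpoint
# is meant to be reached.
DOC=$(curl -# http://elasticinsight-test/ElasticAPI/BroIntelFrameworkIndicatorList 2> /dev/null) || {
  printf 'fetch of indicator list failed\n' >&2
  exit 1
}
# Parse the response before touching INTELFILE, so a failed or non-JSON
# response cannot truncate the existing file to just its header.
RECS=$(printf '%s' "$DOC" | jq '. | length') || {
  printf 'indicator list is not valid JSON\n' >&2
  exit 1
}
j=0
HEADER=$(grep -E "^#" -- "$INTELFILE")
echo "$HEADER" > "$INTELFILE"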
jeffgeiger / grokproduce.sh
Last active December 22, 2015 14:39
Generate named grok filters and a stub config from bro log headers on the fly. `cd` to your Bro logs directory and run this.
#!/bin/bash
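# Output locations for the generated pattern file and logstash config.
# They live in a fresh private directory rather than under fixed names in
# /tmp: a predictable /tmp path can be pre-created (or symlinked) by another
# local user, and the ">>" appends further down would then land in that file.
# CONF and PATTERNS keep their names and basenames; the rest of the script
# continues past this excerpt.
TSTAMP=$(date +%s)
WORKDIR=$(mktemp -d "${TMPDIR:-/tmp}/bro-grok.XXXXXX") || exit 1
CONF="$WORKDIR/logstash-$TSTAMP.conf"
PATTERNS="$WORKDIR/bro_patterns_$TSTAMP"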
for j in *.log; do
LOG=$(echo $j | sed 's/.log//g')
FILTNAME=$(echo $LOG | tr '[:lower:]' '[:upper:]')
echo -e "BRO$FILTNAME \c" >> $PATTERNS
jeffgeiger / brocolor.sh
Last active December 22, 2015 13:18
Colorize columns in bro logs
#!/bin/bash
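# Colorize the tab-separated columns of a Bro log: the "#fields"/"#types"
# prefixes are replaced by "#" and each column is wrapped in an ANSI colour
# escape, cycling through codes 31-37. Usage: brocolor.sh [FILE...]; with no
# FILE the log is read from stdin. "$@" is quoted so paths with spaces work.
# Relies on GNU sed's "\|" and "\t" extensions.
cat -- "$@" | sed 's/#fields\t\|#types\t/#/g' | awk 'BEGIN {FS="\t"};{for(i=1;i<=NF;i++) printf("\x1b[%sm %s \x1b[0m",(i%7)+31,$i);print ""}'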
jeffgeiger / kibana
Last active December 21, 2015 22:58 — forked from nodesocket/kibana
Modified to use RVM.
#!/bin/bash
### BEGIN INIT INFO
# Provides: kibana
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Make sense of a mountain of logs.
### END INIT INFO
jeffgeiger / spamstats.pl
Created August 22, 2013 03:52
Munin-node spamstats plugin - enhanced
#!/usr/bin/perl
# -*- perl -*-
=head1 NAME
spamstats - Plugin to graph spamassassin throughput
=head1 CONFIGURATION
This plugin does not have any configuration
jeffgeiger / update_vulscan.sh
Created August 19, 2013 21:06
Simple script to update nmap VSE vulnerability scanner in Homebrew.
#!/bin/bash
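# Refresh the vulscan CSV databases inside the Homebrew nmap install.
# VULSCAN_DIR can be set in the environment to point at another install;
# the default is the hard-coded Homebrew path this script used before.
# NOTE(review): the databases come over plain HTTP with no checksum or
# signature, so their integrity rests entirely on the network path.
set -eu
VULSCAN_DIR="${VULSCAN_DIR:-/usr/local/Cellar/nmap/6.40/share/nmap/scripts/vulscan/}"
BASE_URL="http://www.computec.ch/projekte/vulscan/download"
echo "Updating vulscan database..."
# Abort if the directory is missing; without this check the deletes below
# would run in whatever the current working directory happens to be.
cd -- "$VULSCAN_DIR" || exit 1
# Download each file to a temporary name first and swap it in afterwards, so
# a failed download leaves the previous copy in place. Unlike the earlier
# "rm *.csv", other .csv files in the directory are left untouched.
for db in cve.csv exploitdb.csv; do
  if ! wget -O "$db.tmp" "$BASE_URL/$db"; then
    rm -f -- "$db.tmp"
    printf 'download of %s failed\n' "$db" >&2
    exit 1
  fi
  mv -f -- "$db.tmp" "$db"
done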
# Postfix stuff
QUEUEID (?:[A-F0-9]{11}|NOQUEUE)
EMAILADDRESSPART [a-zA-Z0-9_.+-=:]+
EMAILADDRESS %{EMAILADDRESSPART:local}@%{EMAILADDRESSPART:remote}
RELAY (?:%{HOSTNAME:relayhost}(?:\[%{IP:relayip}\](?::[0-9]+(.[0-9]+)?)?)?)
#RELAY (?:%{HOSTNAME:relayhost}(?:\[%{IP:relayip}\](?:%{POSREAL:relayport})))
POSREAL [0-9]+(.[0-9]+)?
#DELAYS %{POSREAL:a}/%{POSREAL:b}/%{POSREAL:c}/%{POSREAL:d}
DELAYS (%{POSREAL}[/]*)+
DSN %{NONNEGINT}.%{NONNEGINT}.%{NONNEGINT}
jeffgeiger / clone_ldap_to_local.ksh
Created July 22, 2013 19:17
Clone LDAP users/groups from AD into local users/groups. Probably.
#!/bin/sh
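# Name of this script, for usage messages. "--" and quoting keep a path with
# spaces or a leading dash from being misread by basename.
SCRIPT_NAME=$(basename -- "$0")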
usage() {
cat <<EOF
This script will query a set of given groups from the AIX LDAP registry using the AIX command line tools (lsuser, lsgroup), and it will create
them locally (mkgroup, mkuser).
Known Bugs:
jeffgeiger / Imp_AD_to_SQLite.ps1
Created May 23, 2013 19:02
Dump AD user attributes into a SQLite database.
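# Dump selected attributes of every AD user that has an employeeID into the
# ad_dump table of a SQLite database (PSQLite module, mounted as the db: drive).
Import-Module ActiveDirectory
Import-Module SQLite #SQLite Module from http://psqlite.codeplex.com/
mount-sqlite -name db -dataSource H:\Papa\bp3_aix.sqlite

# Quote a value as a SQL string literal, doubling any embedded single quote.
# Attribute values are concatenated into the statement text below, so without
# this a name containing a quote (O'Brien, or a deliberately crafted value)
# would break or alter the INSERT. A null value becomes ''.
function ConvertTo-SqlLiteral($Value) {
    "'" + ([string]$Value -replace "'", "''") + "'"
}

Get-ADUser -Filter { employeeID -like "*" } -Properties uid, employeeID, sAMAccountName, sn, givenName, Name | ForEach-Object {
    $query = 'insert into ad_dump (uid, empID, sam, sn, gn, name) values (' +
        (ConvertTo-SqlLiteral $_.uid) + ', ' +
        (ConvertTo-SqlLiteral $_.employeeID) + ', ' +
        (ConvertTo-SqlLiteral $_.sAMAccountName) + ', ' +
        (ConvertTo-SqlLiteral $_.sn) + ', ' +
        (ConvertTo-SqlLiteral $_.givenName) + ', ' +
        (ConvertTo-SqlLiteral $_.Name) + ');'
    Invoke-Item db: -sql $query
}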