Skip to content

Instantly share code, notes, and snippets.

View jpclipffel's full-sized avatar

JP. Clipffel jpclipffel

7 followers · 1 following
  • Switzerland
View GitHub Profile
@jpclipffel
jpclipffel / delete_stale_pvc.sh
Last active February 4, 2021 15:31
Delete stale PVC
for pvc in $(kubectl get pvc | tail -n+2 | awk '{print $1}'); do
kubectl patch pvc ${pvc} -p '{"metadata":{"finalizers": []}}' --type=merge
kubectl delete pvc ${pvc}
done
@jpclipffel
jpclipffel / appstore.py
Created August 21, 2020 11:25
A simple App Store scrapper example
import sys
import requests
from lxml import etree
def get_app_info(app_id, app_name, country='lu', lang='fr-fr'):
'''Fetches an application page and returns a set of contextual information.
:param str app_id: Application ID
:param str app_name: Application name
@jpclipffel
jpclipffel / Ansible - Helm management.md
Created July 21, 2020 09:21
Manage Helm with Ansible

Ansible - Helm management

Get releases list

- name: Get all Helm releases
  shell: >
    helm list -o yaml
  register: _helm_releases
@jpclipffel
jpclipffel / ELK - Remote clusters example.md
Last active March 24, 2023 19:03

ELK - Remote clusters example

How to setup an Elasticsearch remote clusters lab.

Docker compose

Notes:

  • Adapt the volumes definition
  • Run with docker-compose up
@jpclipffel
jpclipffel / README.md
Created November 19, 2019 12:44
Python and Brew on MacOS Catalina

Python and Brew on MacOS Catalina

Installation

  • Install Brew's OpenSSL: brew install openssl
  • Install Brew's Python3: brew install python3

Configure

Add the following configuration to a ~/.bashrc or ~/.zshrc:




  


  




    


          
    

      

        
        

          

              @jpclipffel
          

          

            
                jpclipffel
                / Python - Multiprocessing managers with class.md
            
            

              Last active
              October 20, 2019 17:04
            

          

        

      

        

  

      

    
Python - Multiprocessing managers with class


Demonstrate how to create a multiprocessing's manager server exposing a class.


Proxies


from multiprocessing.managers import BaseProxy


class GeneratorProxy(BaseProxy):
    """Manager's proxy for generators.



  


  




    


          
    

      

        
        

          

              @jpclipffel
          

          

            
                jpclipffel
                / Splunk - Office365 parsing.md
            
            

              Created
              March 11, 2019 08:09
            

              
                Splunk - Office365 parsing
              
          

        

      

        

  

      

    
Splunk - Office365 parsing


How to re-parse Office365 logs collected from the application splunk_ta_o365.


Context


The add-on splunk_ta_o365 may sometimes produces multi-lines JSON events (ie. an event with several JSON objects separated by a new line).
The following modification change the line breaker configuration.


Edit the line breaker configuration


Edit the file $SPLUNK_HOME/etc/apps/splunk_ta_o365/local/props.conf (create it if it doesn't exists) and add the following lines:





  


  




    


          
    

      

        
        

          

              @jpclipffel
          

          

            
                jpclipffel
                / Splunk - Swift SAA JSON logs.md
            
            

              Created
              January 17, 2019 16:15
            

          

        

      

        

  

      

    
Splunk - Swift SAA JSON logs


How to ingest Swift SAA (Swift Alliance Access) logs in Splunk


SAA confguration


The SAA must be configured to:


    

  • forwards its logs through syslog
    • 

  • use the JSON (not formatted) format
    • 




  


  




    


          
    

      

        
        

          

              @jpclipffel
          

          

            
                jpclipffel
                / Splunk - Data input routing.md
            
            

              Last active
              November 3, 2018 08:47
            

          

        

      

        

  

      

    
Splunk - Data input routing


How to map logs received from multiple hosts on the same local port to the correct sourcetype and index.


Scenario


The Splunk data input UDP:514 receives events from the following devices:


    

  • 10.0.0.1: A Netfilter firewall
    • 

  • 10.0.0.2: A Squid proxy instance (1/2)
    • 

  • 10.0.0.3: A Squid proxy instance (2/2)
    • 



We want to separate logs comming from the Firewall (10.0.0.1) and the Proxies (10.0.0.2 and 10.0.0.3):



  


  




    


          
    

      

        
        

          

              @jpclipffel
          

          

            
                jpclipffel
                / Elasticsearch - Aggregations and buckets filtering.md
            
            

              Last active
              November 3, 2018 08:47
            

              
                Elasticsearch - Aggregations and buckets filtering
              
          

        

      

        

  

      

    
Elasticsearch - Aggregations and buckets filtering


How to aggregate search results over specific fields (Buckets Aggregations), calculate their properties (Metrics Aggregation) and filter buckets on their properties (Pipeline Aggregation).


Scenario


This is the search scenario (what we would like to catch):




Find out a potential web sweep (an attacker looking for listening HTTP servers in the network). If a single IP try to connect on too amby hosts on the same port, it may indicates a suspicous activity.




Initial search


Search for all documents with a dest_port field matching the value 80 over the past 3 days.