Skip to content

Instantly share code, notes, and snippets.

View mavam's full-sized avatar

Matthias Vallentin mavam

418 followers · 99 following
View GitHub Profile
@mavam
mavam / dns-txt-lookup.bro
Created November 2, 2012 22:50
DNS TXT lookup in Bro using the function lookup_hostname_txt
event x509_certificate(c: connection, is_orig: bool, cert: X509, chain_idx: count, chain_len: count, der_cert: string)
{
local domain = "%s.notary.icsi.berkeley.edu";
when ( local str = lookup_hostname_txt(fmt(domain, sha1_hash(der_cert))) )
{
print str;
}
}
@mavam
mavam / dns-lookup.bro
Created November 2, 2012 22:59
DNS lookup in Bro using the when statement
when (local result = lookup_addr("www.bro-ids.org"))
{
for (addr in result)
print addr;
}
@mavam
mavam / facebook.bro
Created November 24, 2012 20:06
Facebook Chat
##!
##! A Facebook analysis script.
##!
##! The script parses the HTTP body of Facebook JSON messages and reconstructs
##! a stream of chat messages from it.
##!
##! Since Facebook switched to HTTPS only, this script no longer works. You may
##! use it for inspiration or instructional purposes.
##!
##! For details, see my blog post:
@mavam
mavam / bro-customization.md
Last active July 27, 2020 02:14
Bro script-level customization points.

General

# Process packets despite bad checksums.
redef ignore_checksums = T;

File Analysis

This will change significantly with Bro 2.2 when we have the file analysis

@mavam
mavam / miniduke.bro
Last active December 14, 2015 07:19
Miniduke C&C detector
@load base/frameworks/notice
module Malware;
export {
redef enum Notice::Type += {
## Miniduke C&C activity.
Miniduke_CC_Activity
};
}
@mavam
mavam / install-bro.sh
Last active December 14, 2015 23:29
Shell script that installs Bro including dependencies, also adding broctl crontab entry and improving OS capture performance.
#!/bin/sh
# Installs Bro on Redhat or Debian Linux.
if [ "$(id -u)" -ne "0" ] ; then
echo "must be root to install Bro"
fi
# Defaults
flavor=redhat
prefix=/opt/bro
@mavam
mavam / bf-size.R
Last active December 17, 2015 12:29
Plots the size of a Bloom filter as a function of the expected number of elements for various false-positive rates.
library(ggplot2)
library(reshape)
library(scales)
# Computes the number of kB a basic bloom filter requires.
# n: the number of elements to store
# fp: the desired false positive rate
space = function(n, fp) { -n * log(fp) / log(2)^2 / 8 / 1024 }
N = 10^(1:9)
@mavam
mavam / range-facade.cc
Last active December 28, 2015 16:59
Factored new-style ranges based on ideas from Eric Niebler. See http://ericniebler.com/2013/11/07/input-iterators-vs-input-ranges/ for details.
#include <iostream>
#include <vector>
#include "vast/util/range.h"
namespace util {
template <typename Derived>
class range
{
Derived& derived()
@mavam
mavam / keybase-proof
Last active August 29, 2015 14:22
Keybase proof
### Keybase proof
I hereby claim:
* I am mavam on github.
* I am mavam (https://keybase.io/mavam) on keybase.
* I have a public key whose fingerprint is 8A3B 1323 B469 CCBA 54D3 3BCC D5E7 8DF5 9C8D 4B41
To claim this, I am signing this object:
@mavam
mavam / memory-consumption.R
Last active August 29, 2015 14:23
CAF memory consumption
library(dplyr)
library(tidyr)
library(ggplot2)
parse_measurement_filename <- function(path) {
filename <- strsplit(basename(path), "\\.")[[1]][1]
s <- strsplit(filename, "_")[[1]]
list(Cores=as.factor(s[1]), Run=as.factor(s[3]), Type=as.factor(s[5]))
}