
Matt Franz mdfranz

  • Lutherville Timonium MD
SELECT table,
formatReadableSize(sum(bytes)) as size,
min(min_date) as min_date,
max(max_date) as max_date
FROM system.parts
WHERE active
GROUP BY table
mdfranz / ansible-vector.md
Created January 5, 2025 17:27
Janky Ansible Vector install

base.yaml

---
- hosts: all
  tasks:
    - name: Set authorized key taken from file
      authorized_key:
        user: "{{ansible_user_id}}"
        state: present
        key: "{{ lookup('file', '/home/mfranz/.ssh/id_rsa.pub') }}"
mdfranz / journald-drop-overlayfs-spam.yaml
Created January 5, 2025 17:18
Vector VRL for Journald to Drop xino spam
data_dir: "/var/lib/vector"
sources:
  journald:
    type: journald
transforms:
  drop_xino_events:
    type: remap
    inputs:
      - journald
mdfranz / clickhouse-local-zeek.md
Last active December 15, 2024 21:55
Parsing Zeek JSON with Clickhouse Local
mdfranz / ja4-duckdb.md
Last active December 4, 2024 12:14
DuckDB and JA4 Data from Zeek

The Data

Records from https://ja4db.com/

D describe jadb;
┌────────────────────────┬─────────────┬─────────┬─────────┬─────────┬─────────┐
│      column_name       │ column_type │  null   │   key   │ default │  extra  │
│        varchar         │   varchar   │ varchar │ varchar │ varchar │ varchar │
├────────────────────────┼─────────────┼─────────┼─────────┼─────────┼─────────┤
mdfranz / windmill_s3.sh
Last active November 29, 2024 15:26
Shell Job for Windmill using AWS Resource
#!/bin/bash
# Get credentials from the Windmill resource (returned as JSON)
AWS_9431=$(curl -s -H "Authorization: Bearer $WM_TOKEN" \
  "$BASE_INTERNAL_URL/api/w/$WM_WORKSPACE/resources/get_value_interpolated/u/mdfranz/aws_9431" | jq)
# jq -r strips the JSON quotes so the values are usable as plain credentials
export ACCESS_KEY=$(echo "$AWS_9431" | jq -r .awsAccessKeyId)
export SECRET_KEY=$(echo "$AWS_9431" | jq -r .awsSecretAccessKey)
# Download S3M
helm install falco falcosecurity/falco \
    --version 4.11.1 \
    --namespace falco \
    --create-namespace \
    --set falcosidekick.enabled=true --set falcosidekick.webui.enabled=true \
    --set collectors.kubernetes.enabled=true \
    --set tty=true \
    --set-json 'falco.append_output=[{"match": {"source": "syscall"},"extra_output": "pod_uid=%k8smeta.pod.uid, pod_name=%k8smeta.pod.name, namespace_name=%k8smeta.ns.name"}]'
#!/usr/bin/env python3
import sys
import pyshark

# Open the pcap given on the command line
cap = pyshark.FileCapture(sys.argv[1])
for e in cap:
    # Only look at IPv4 packets carrying TCP
    if 'IP' in e:
        if 'TCP' in e:
            # Print source/destination MAC and IP for each packet
            print(e['eth'].src, e['ip'].src, e['eth'].dst, e['ip'].dst)
cap.close()
hub:
  revisionHistoryLimit:
  config:
    Authenticator:
      enable_auth_state: true
      allowed_users:
        - user1
        - user2
        - user3
        - notadmin
mdfranz / mitre-gemma2-9B.md
Created October 22, 2024 11:27
Gemma Mitre ATT&CK

Prompt

what are the limitations of the Mitre ATT&CK framework for practitioners

Gemma2:9B (Nvidia 3060/12GB)

While the MITRE ATT&CK framework is a powerful tool for cybersecurity practitioners, it does have some limitations:

1. Focus on adversarial tactics, not business impacts: