Skip to content

Instantly share code, notes, and snippets.

View mpurzynski's full-sized avatar

Michal Purzynski mpurzynski

28 followers · 5 following
View GitHub Profile
@mpurzynski
mpurzynski / gist.py
Created August 3, 2017 22:21
class message(object):
def __init__(self):
'''
takes an incoming bro message
and sets the doc_type
'''
self.registration = ['bro', 'nsm']
self.priority = 5
sys.stderr.write('dupa.9\n')
@mpurzynski
mpurzynski / gist2.py
Created August 3, 2017 23:18
#!/usr/bin/env python
from os import listdir
from os.path import isfile, join
from platform import node
import os
import jinja2
brologspath = '/nsm/bro/logs/current'
blacklogs = 'capture_loss.log communication.log dns-noise.log intel-noise.log http-noise.log reporter.log sslcipherstat_log1.log sslcipherstat_log2.log sslprotostat_log1.log sslprotostat_log2.log stats.log stderr.log stdout.log weird.log'
@mpurzynski
mpurzynski / filter_noise_conn.bro
Created August 8, 2017 17:37
filter_noise_conn.bro
module LogFilter;
const ignore_ports_resp: set[port] = {53/udp, 53/tcp, 123/udp, 137/udp, 161/udp, 5355/udp} &redef;
const ignore_services: set[string] = {"dns"} &redef;
event bro_init()
{
Log::remove_default_filter(Conn::LOG);
Log::add_filter(Conn::LOG, [$name = "conn-noise",
$pred(rec: Conn::Info) = {
@mpurzynski
mpurzynski / toUnicode.py
Created August 11, 2017 00:29
def toUnicode(obj, encoding='utf-8'):
if type(obj) in [int, long, float, complex]:
# likely a number, convert it to string to get to unicode
obj = str(obj)
if isinstance(obj, basestring):
if not isinstance(obj, unicode):
obj = unicode(obj, encoding)
return obj
@mpurzynski
mpurzynski / http.json
Created August 11, 2017 00:31
{"ts":1502406836.387569,"uid":"CO8vzf4CwHj9Xt7Axc","id.orig_h":"10.22.81.213","id.orig_p":17194,"id.resp_h":"10.22.81.20","id.resp_p":81,"trans_depth":1,"method":"GET","host":"developer.mozilla.org","uri":"/pl/docs/Web/JavaScript/Guide/Obsolete_Pages/Przewodnik_po_j\u00c4\u0099zyku_JavaScript_1.5/Obiekty_predefiniowane/Obiekt_Array","version":"1.1","user_agent":"Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)","request_body_len":0,"response_body_len":35790,"status_code":200,"status_msg":"OK","tags":[],"proxied":["X-FORWARDED-FOR -> 207.46.13.185"],"resp_fuids":["FnhbXC4dzXjF7DMIn6"],"resp_mime_types":["text/html"],"cluster_client_ip":"207.46.13.185","backend_server":"developer3.webapp.scl3.mozilla.com"}
@mpurzynski
mpurzynski / u.py
Created August 11, 2017 21:06
if logtype == 'http':
if 'method' not in msgdetailskeys:
newmessage['details'][u'method'] = ''
if 'host' not in msgdetailskeys:
newmessage['details'][u'host'] = ''
if 'uri' not in msgdetailskeys:
newmessage['details'][u'uri'] = ''
if 'status_code' not in msgdetailskeys:
newmessage['details'][u'status_code'] = ''
newmessage[u'summary'] = (
@mpurzynski
mpurzynski / filter_noise_dns.bro
Created August 14, 2017 21:35
filter_noise_dns.bro
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# Contributor(s):
# Michal Purzynski [email protected]
#
module LogFilter;
@mpurzynski
mpurzynski / missingfield.json
Created August 16, 2017 01:31
GET events/_search
{
"query": {
"bool": {
"must_not": {
"exists": {
"field": "receivedtimestamp"
}
}
}}}
@mpurzynski
mpurzynski / missingfieldaggr
Created August 16, 2017 01:43
GET events/_search
{
"query": {
"bool": {
"must_not": {
"exists": {
"field": "receivedtimestamp"
}
}
}},
@mpurzynski
mpurzynski / something.py
Created August 25, 2017 18:03
import sys
import os
import re
sys.path.append(os.path.join(os.path.dirname(__file__), "../../lib"))
from utilities.toUTC import toUTC
import pdb
class message(object):