
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
# Copyright (c) 2017 Mozilla Corporation
#
# Contributors:
# Michal Purzynski [email protected]
import sys
import os
interfaces on ubuntu
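# Dedicated capture interface: no address is configured (inet manual), the
# link is put in promiscuous mode with ARP off, so the sensor stays passive
# on the segment it monitors.
allow-hotplug p2p1
auto p2p1
iface p2p1 inet manual
# presumably the Myricom SNF capture driver; started before the link comes up
pre-up /opt/snf/sbin/myri_start_stop start myri_timesource=0
up ip link set $IFACE promisc on arp off up
down ip link set $IFACE promisc off down
# Larger RX ring, then every NIC offload switched off so frames reach the
# capture engine as they were on the wire. The feature is spelled
# tx-nocache-copy; the original line carried soft-hyphen characters inside
# the name, which ethtool does not recognise, so that feature stayed on.
post-up ethtool -G $IFACE rx 32768; for i in rx tx autoneg tso ufo gso gro lro tx-nocache-copy rxhash ntuple; do ethtool -K $IFACE $i off; done
# Keep the kernel from speaking IPv6 on the capture port.
post-up echo 1 > /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6
# Jumbo MTU so large captured frames are not truncated at the NIC.
post-up ifconfig $IFACE mtu 9000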
import sys
import os
import datetime
# Resolve ../mozdef/lib relative to this file (not the CWD) and append it to
# the import path so the MozDef helper imports below can be found.
# NOTE(review): append means any same-named module earlier on sys.path wins
# over the MozDef copy; prepend or install the libs as a package if that matters.
sys.path.append(os.path.join(os.path.dirname(os.path.abspath(__file__)), '../mozdef/lib'))
from elasticsearch_client import ElasticsearchClient
from query_models import TermMatch, SearchQuery, QueryStringMatch
from utilities.toUTC import toUTC
import pprint
# Module-level Elasticsearch client created at import time, hard-coded to a
# plaintext http URL on localhost with no credentials in it. Fine for a local
# script; move the URL to config/env and use https if this ever targets a
# remote cluster.
es_client = ElasticsearchClient('http://localhost:9200')
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# Contributor(s):
# Michal Purzynski [email protected]
#
module LogFilter;
#!/usr/bin/env python
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
# Copyright (c) 2017 Mozilla Corporation
#
# Contributors:
# Brandon Myers [email protected] - original code
# Michal Purzynski [email protected] - ugly hacks that made it fast (and ugly)
import json
import os
import sys
import socket
import time
from configlib import getConfig, OptionParser
from datetime import datetime, timedelta
import pytz
import json
import pprint
import sys
def main():
if len(sys.argv) < 4:
print("Must pass <filename>.json src IP dst IP <connection state> arguments")
sys.exit(1)
//#include <bcc/proto.h>
#include <stdint.h>
#include <stddef.h>
#include <linux/bpf.h>
#include <linux/if_ether.h>
#include <linux/in.h>
#include <linux/ip.h>
#include <linux/in6.h>
#include <linux/ipv6.h>
//#include <bcc/proto.h>
#define KBUILD_MODNAME "foo"
#include <stdint.h>
#include <string.h>
#include <stddef.h>
#include <linux/bpf.h>
#include <linux/in.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
Suricata rules for protocol anomalies
# Protocol/port mismatch detectors: app-layer-protocol lets Suricata's own
# protocol detection decide what the stream is, so these fire on e.g. HTTP
# to a non-80 port or a non-TLS stream on 443. Each rule carries
# "threshold: type limit, track by_src, seconds 60, count 1", i.e. at most
# one alert per source IP per minute, so a noisy host cannot flood the log.
alert tcp any any -> any !80 (msg:"SURICATA HTTP on unusual port"; flow:to_server; app-layer-protocol:http; threshold: type limit, track by_src, seconds 60, count 1; sid:2271001; rev:1;)
alert tcp any any -> any 80 (msg:"SURICATA non-HTTP on TCP port 80"; flow:to_server; app-layer-protocol:!http; threshold: type limit, track by_src, seconds 60, count 1; sid:2271002; rev:1;)
# 587 is excluded from "unusual" TLS ports here but is absent from the
# TLS-port list in the next rule — presumably because submission on 587 may
# be either STARTTLS or plain, so neither direction is an anomaly there.
alert tcp any any -> any ![443,465,587] (msg:"SURICATA TLS on unusual port"; flow:to_server; app-layer-protocol:tls; threshold: type limit, track by_src, seconds 60, count 1; sid:2271004; rev:1;)
# NOTE(review): sid 2271004 is listed before 2271003; harmless, but keep the
# sids in order if this file is ever regenerated.
alert tcp any any -> any [443,465] (msg:"SURICATA non-TLS on TLS port"; flow:to_server; app-layer-protocol:!tls; threshold: type limit, track by_src, seconds 60, count 1; sid:2271003; rev:1;)
alert tcp any any -> any ![20,21] (msg:"SURICATA FTP on unusual TCP port"; flow:to_server; app-layer-protocol:ftp; threshold: type limit, track by_src, seconds 60, count 1; sid:2271005; rev:1;)
alert tcp any any -> any [20,21] (msg:"SURICATA non-FTP on TCP