michalpurzynski@mbp:~$ pyenv versions
* system (set by /Users/michalpurzynski/.pyenv/version)
2.7.15
2.7.15/envs/iqrlib
2.7.15/envs/mozdef
3.7.1
3.7.1/envs/black
3.7.1/envs/misptest
3.7.1/envs/mobdoctor
ansible-vault-diff
mpurzynski / quickhack.c
Created May 25, 2019 08:38
Some quick hack for a naive (but working) userspace rootkit detection
#define _GNU_SOURCE
#include <stdlib.h>
#include <stdint.h>
#include <stdio.h>
#include <dlfcn.h>
#include <fcntl.h>
/* Absolute paths of the two shared objects the check looks at. These are the
 * x86_64 multiarch locations typical of Debian-derived systems and are
 * hard-coded, so the tool needs editing for other distributions or
 * architectures. How the paths are used is not visible here: the rest of
 * quickhack.c is cut off on this page. */
#define LIBC "/lib/x86_64-linux-gnu/libc.so.6"
#define PCAP "/usr/lib/x86_64-linux-gnu/libpcap.so"
module Scan;
# Ports that are never treated as scan evidence; extend from site policy via redef.
global whitelist_scan_port: set[port] = { } &redef;
# Lower bound of the ephemeral port range, one per transport. scan_policy's
# condition (below) ORs "scanned_port > threshold" into its whitelist test, so
# any port above these values is exempted from scan handling — the hook body is
# cut off here, so what the exemption does is not visible.
# NOTE(review): "secret" is not a valid Zeek port literal; this copy of the
# snippet has the numbers redacted (the other copy on this page uses 32768).
# NOTE(review): whitelist_scan_ip is referenced by the hook but not declared in
# the visible lines — presumably declared elsewhere in the module.
global ephemeral_start_udp: port = secret/udp;
global ephemeral_start_tcp: port = secret/tcp;
hook scan_policy(scanner: addr, victim: addr, scanned_port: port)
{
if (( victim in whitelist_scan_ip) || ( scanner in whitelist_scan_ip ) || ( scanned_port in whitelist_scan_port) || ( scanned_port > ephemeral_start_udp ) || ( scanned_port > ephemeral_start_tcp ))
Processing files: bro-af_packet-plugin-1.4.0-1.x86_64
error: File not found: /builddir/build/BUILDROOT/bro-af_packet-plugin-1.4.0-1.x86_64/usr/lib/bro/plugins/Bro_AF_Packet/COPYING
error: File not found: /builddir/build/BUILDROOT/bro-af_packet-plugin-1.4.0-1.x86_64/usr/lib/bro/plugins/Bro_AF_Packet/README
error: File not found: /builddir/build/BUILDROOT/bro-af_packet-plugin-1.4.0-1.x86_64/usr/lib/bro/plugins/Bro_AF_Packet/VERSION
error: File not found: /builddir/build/BUILDROOT/bro-af_packet-plugin-1.4.0-1.x86_64/usr/lib/bro/plugins/Bro_AF_Packet/__bro_plugin__
error: File not found: /builddir/build/BUILDROOT/bro-af_packet-plugin-1.4.0-1.x86_64/usr/lib/bro/plugins/Bro_AF_Packet/broctl/af_packet.py
error: File not found: /builddir/build/BUILDROOT/bro-af_packet-plugin-1.4.0-1.x86_64/usr/lib/bro/plugins/Bro_AF_Packet/lib/bif/__load__.bro
error: File not found: /builddir/build/BUILDROOT/bro-af_packet-plugin-1.4.0-1.x86_64/usr/lib/bro/plugins/Bro_AF_Packet/lib/bif/af_packet.bif.bro
error: File not found: /builddir
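#!/usr/bin/python
"""Map each named network interface to the NUMA node of its PCI device.

For every interface listed in ``interfaces`` the script reads
``/sys/class/net/<iface>/device/numa_node`` and prints the resulting
``{interface: node}`` mapping as a JSON object on stdout.
"""
import json
import os

# Space-separated interface names to inspect; edit for the host in question.
interfaces = "enp18s0f0 enp216s0f0"

# sysfs directory holding one sub-directory per network interface.
SYSFS_NET = "/sys/class/net"


def numa_nodes(ifaces, sysfs_root=SYSFS_NET):
    """Return ``{interface: numa_node}`` for the given interface names.

    Args:
        ifaces: iterable of interface names (e.g. ``["enp18s0f0"]``).
        sysfs_root: directory containing one sub-directory per interface;
            defaults to ``/sys/class/net``.

    Returns:
        dict mapping each name to the text of its ``device/numa_node`` file
        with surrounding whitespace removed.

    Raises:
        IOError/OSError if an interface or its ``numa_node`` file is missing.
    """
    mapping = {}
    # 'iface' rather than 'int': the original loop variable shadowed the builtin.
    for iface in ifaces:
        path = os.path.join(sysfs_root, iface, "device", "numa_node")
        with open(path) as handle:
            # sysfs values carry a trailing newline; strip it so the JSON
            # holds "0" rather than "0\n".
            mapping[iface] = handle.read().strip()
    return mapping


if __name__ == "__main__":
    # json was used but never imported in the original; it is imported above.
    print(json.dumps(numa_nodes(interfaces.split())))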
module Scan;
# Ports that are never treated as scan evidence; extend from site policy via
# redef. Only 5223 (tcp and udp) is exempted here.
global whitelist_scan_port: set[port] = {5223/udp, 5223/tcp} &redef;
# Lower bound of the ephemeral port range, one per transport. scan_policy's
# condition (below) ORs "scanned_port > threshold" into its whitelist test, so
# every port from 32769 upward is exempted from scan handling; a scan confined
# to high ports therefore never reaches the rest of the hook (whose body is cut
# off on this page).
# NOTE(review): whitelist_scan_ip is referenced by the hook but not declared in
# the visible lines — presumably declared elsewhere in the module.
global ephemeral_start_udp: port = 32768/udp;
global ephemeral_start_tcp: port = 32768/tcp;
hook scan_policy(scanner: addr, victim: addr, scanned_port: port)
{
if (( victim in whitelist_scan_ip) || ( scanner in whitelist_scan_ip ) || ( scanned_port in whitelist_scan_port) || ( scanned_port > ephemeral_start_udp ) || ( scanned_port > ephemeral_start_tcp ))