regit’s gists

regit / gist:3263cf673cbffbf7bbb58c009fd5d93d

Created June 28, 2022 12:26

JQ command to extract domain, authenticated user, associated IPs from Suricata logs

cat eve.json | jq -r 'select(.event_type=="smb" and .smb.ntlmssp.user and .smb.ntlmssp.user!="" and .smb.status_code=="0x0" and .smb.ntlmssp.host!=.smb.ntlmssp.domain)| [ .smb.ntlmssp.domain, .smb.ntlmssp.user, .src_ip ] | @csv' | sort | uniq >users.csv

regit / sobind

Created November 28, 2018 20:29

Sobind: a eBPF script to detect network bind attempt

	#! /usr/bin/python2
	#
	# sobind Trace TCP bind events
	# For Linux, uses BCC, eBPF. Embedded C.
	#
	# USAGE: sobind.py [-h] [-p PID] [--show-netns]
	#
	# This is provided as a basic example of TCP connection & socket tracing.
	# It could be useful in scenarios where load balancers needs to be updated
	# dynamically as application is fully initialized.

regit / dns.json

Created August 2, 2017 15:26

	{
	"dns": {
	"type": "answer",
	"id": 10451,
	"rcode": "NOERROR",
	"rrname": "time.windows.com",
	"ttl": 2755,
	"rrtype": [
	"A",
	"CNAME"

regit / Cocci test for uint

Created July 14, 2017 16:58

	@uint@
	uint i;
	position p1;
	@@

	i@p1

	@script:python@
	p1 << uint.p1;
	@@

regit / memset.cocci

Created April 26, 2017 11:56

Checking memset

	@malloced@
	expression x;
	position p1;
	identifier func =~ "(calloc\|malloc)";
	@@

	x@p1 = func(...)

	@memset depends on malloced exists@
	expression x;

regit / metadata usage in snort ruleset

Created April 21, 2017 12:21

	\item policy balanced-ips alert
	\item policy balanced-ips drop
	\item policy connectivity-ips alert
	\item policy connectivity-ips drop
	\item policy max-detect-ips alert
	\item policy max-detect-ips drop
	\item policy security-ips alert
	\item policy security-ips drop
	\item ruleset community
	\item service (dcerpc\|imap\|\ldots)

regit / Suricata-SSLv3

Created October 15, 2014 10:24

Suricata Kibana Dashboard for SSLv3

	{
	"index": {
	"default": "NO_TIME_FILTER_OR_INDEX_PATTERN_NOT_MATCHED",
	"pattern": "[logstash-]YYYY.MM.DD",
	"warm_fields": true,
	"interval": "day"
	},
	"style": "dark",
	"rows": [
	{

regit / ssh-analysis-kibana

Last active August 7, 2019 21:27

SSH analysis dashboard

	{
	"title": "SSH analysis",
	"services": {
	"query": {
	"list": {
	"0": {
	"query": "message:\"Invalid user\" AND sshd",
	"alias": "Failed login",
	"color": "#BF1B00",
	"id": 0,

regit / Netfilter-dashboard

Created March 23, 2014 14:49

Netfilter Kibana Dashboard

	{
	"title": "Netfilter Logs",
	"services": {
	"query": {
	"list": {
	"0": {
	"query": "dvc:*",
	"alias": "Netfilter",
	"color": "#7EB26D",
	"id": 0,

regit / Suricata dashboard

Last active August 29, 2020 20:41

A sample Kibana dashboard using Suricata JSON output.

	{
	"title": "Suricata EVE Dashboard",
	"services": {
	"query": {
	"list": {
	"0": {
	"query": "event_type:http",
	"alias": "HTTP",
	"color": "#7EB26D",
	"id": 0,

Eric Leblond regit