| # Extend HTTP::Info with an optional post_body string. &log means the field | |
| # is written out with the rest of the HTTP::Info record whenever it is set. | |
| # NOTE(review): request bodies can carry credentials, session tokens or | |
| # personal data; if raw POST data is stored here, cap the stored length and | |
| # restrict who can read the resulting log. | |
| redef record HTTP::Info += { | |
| post_body: string &optional &log; | |
| }; | |
| # Give every fa_file an optional reference to an HTTP::Info record. The field | |
| # carries no &log attribute. | |
| # presumably this lets the file-analysis handler that follows reach the HTTP | |
| # record of the transfer; the handler body is not shown here, so confirm. | |
| redef record fa_file += { | |
| http_log: HTTP::Info &optional; | |
| }; | |
| event http_get_post_body(f: fa_file, data: string) |
| #!/bin/bash | |
| # Builds a "|"-separated list of CPU frequency governors from sysfs and prints | |
| # it in a usage line when the script is not called with exactly one argument. | |
| # | |
| # The pipeline concatenates scaling_available_governors for every cpu*, keeps | |
| # only the first line (head -1), replaces each space that precedes an | |
| # alphanumeric character with "|", and strips one trailing space. | |
| # NOTE(review): only the first CPU's list survives head -1; this assumes all | |
| # cores expose the same governors. Confirm on the target hardware. | |
| available_governors=$(cat /sys/devices/system/cpu/cpu*/cpufreq/scaling_available_governors \ | |
| | head -1 | sed -e 's/ \([a-zA-Z0-9]\)/|\1/g' -e 's/ $//') | |
| # Exactly one argument is expected; anything else prints the usage line. | |
| # NOTE(review): no exit follows the usage message in the lines shown, so the | |
| # script would carry on past fi with a wrong argument count. Confirm that the | |
| # rest of the script stops here (for example with a non-zero exit). | |
| if [ $# -ne 1 ] | |
| then | |
| echo "USAGE: $0 [$available_governors]" | |
| fi |
| 1398506591.523781 CsXIjO1BWbvfZpbnha 209.126.230.74 17193 x.x.x.x 443 - -- tcp Heartbleed::SSL_Heartbeat_Attack An TLS heartbleed attack was detected! Record length 3, payload length 16384 - 209.126.230.74 x.x.x.x 443 - worker1-10 Notice::ACTION_LOG 3600.000000 F - - - - - |
| #separator \x09 | |
| #set_separator , | |
| #empty_field (empty) | |
| #unset_field - | |
| #path conn | |
| #open 2014-04-12-23-52-22 | |
| #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents | |
| #types time string addr port addr port enum string interval count count string bool count string count count count count set[string] | |
| 1397349488.146539 CgiXSR3iafr2IvmXH8 96.25.174.16 12929 107.170.194.215 443 tcp ssl 4.071024 606 72872 S1 - 0 ShADad 39 2322 57 75164 (empty) | |
| #close 2014-04-12-23-52-22 |
| #separator \x09 | |
| #set_separator , | |
| #empty_field (empty) | |
| #unset_field - | |
| #path conn | |
| #open 2014-04-11-02-09-00 | |
| #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents | |
| #types time string addr port addr port enum string interval count count string bool count string count count count count set[string] | |
| 1397163796.404676 Cojr4LYR0U4FkAT2i 192.168.11.130 57534 192.168.11.128 443 tcp ssl 0.020171 463 51011 RSTO - 0 ShADadR 24 1635 41 53151 (empty) | |
| #close 2014-04-11-02-09-00 |
| #separator \x09 | |
| #set_separator , | |
| #empty_field (empty) | |
| #unset_field - | |
| #path conn | |
| #open 2014-04-10-21-40-58 | |
| #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents | |
| #types time string addr port addr port enum string interval count count string bool count string count count count count set[string] | |
| 1397173677.295334 CRVrQz4kM8bETkZAd9 10.20.30.165 5353 224.0.0.251 5353 udp dns 3.000172 120 0 S0 - 0 D 3 204 0 0 (empty) | |
| 1397173669.761904 C0oDrV3mAS653MpdGh 10.20.30.157 53669 10.20.30.165 443 tcp ssl 2.133122 257 5015 S1 - 0 ShADd 13 777 11 5459 (empty) |
| #separator \x09 | |
| #set_separator , | |
| #empty_field (empty) | |
| #unset_field - | |
| #path conn | |
| #open 2014-04-10-13-34-01 | |
| #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents | |
| #types time string addr port addr port enum string interval count count string bool count string count count count count set[string] | |
| 1397073996.257496 CHkC542U0S9hPPSQ0g 192.168.11.1 54848 192.168.11.128 443 tcp ssl 0.022342 233 17871 SF - 0 ShADadFf 13 765 17 18563 (empty) | |
| #close 2014-04-10-13-34-01 |
| # Add a per-file boolean, false by default, to fa_file. The | |
| # file_over_new_connection handler that follows tests this flag and sets it | |
| # to T on first entry, so its guarded block runs once per fa_file even if the | |
| # event fires again for the same file. | |
| # NOTE(review): what the guarded block does is cut off in this excerpt. | |
| redef record fa_file += { | |
| is_my_extractor_going: bool &default=F; | |
| }; | |
| event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) | |
| { | |
| if ( !f$is_my_extractor_going ) | |
| { | |
| f$is_my_extractor_going=T; | |
| if ( f$source == "HTTP" && is_orig == F ) |
| # Per-file guard flag on fa_file, defaulting to F. The handler that follows | |
| # checks it and flips it to T, which keeps the guarded setup from running a | |
| # second time for the same fa_file. | |
| # NOTE(review): the guarded work itself is not visible in this excerpt. | |
| redef record fa_file += { | |
| is_my_extractor_going: bool &default=F; | |
| }; | |
| event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) | |
| { | |
| if ( !f$is_my_extractor_going ) | |
| { | |
| f$is_my_extractor_going=T; | |
| if ( f$source == "HTTP" && is_orig == F ) |
| # Global table keyed by count with count values, initialised empty. The | |
| # bro_init handler that follows prints val_size(my_table) before and after | |
| # adding three entries. | |
| global my_table: table[count] of count = { }; | |
| event bro_init() | |
| { | |
| print val_size(my_table); | |
| my_table[1] = 1; | |
| my_table[2] = 2; | |
| my_table[3] = 3; | |
| print val_size(my_table); |