Richard Davis (13Cubed)
13Cubed / dns-sniffer.service
Last active Mar 1, 2017
A systemd service file that calls dns-sniffer.sh.
[Unit]
Description=DNS Sniffer
After=network.target

[Service]
# Runs unprivileged; tcpdump gets CAP_NET_RAW/CAP_NET_ADMIN from file capabilities set
# on the binary (or grant them to the service instead with
# AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN, which avoids touching the binary).
User=[USERNAME_HERE]
ExecStart=/usr/local/bin/dns-sniffer.sh
Restart=on-failure

[Install]
WantedBy=multi-user.target
13Cubed / dns-sniffer.sh
Last active Mar 2, 2017
A Bash script to call tcpdump for DNS traffic capture.
#!/bin/bash
# Note: Do not run this script as root. You know better than that. Allow the standard user under which it runs the ability to capture with /usr/sbin/tcpdump
# by setting file capabilities on the binary this script actually calls (not on Wireshark's dumpcap):
# Example: setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/sbin/tcpdump
# Verify with: getcap /usr/sbin/tcpdump
# The same user also needs write access to /capture.
# -s0: full packets; -G 300: start a new file every 300 seconds, the name expanded with strftime(3); 'port 53': DNS over UDP and TCP.
/usr/sbin/tcpdump -i [INTERFACE] -s0 -G 300 -w '/capture/dns_%Y-%m-%d_%H:%M:%S.pcap' 'port 53'
13Cubed / dns-analyzer.sh
Last active Mar 2, 2017
A Bash script to parse DNS PCAPs with tshark and write space-delimited values to a log file (useful for SIEM ingestion). This script ensures a given PCAP is not in use (via fuser) prior to analyzing and moving the file.
#!/bin/bash
# Note: Do not run this script as root. Allow the standard user under which it runs the ability to execute /bin/fuser without entering credentials.
# Example (sudoers): username ALL = (root) NOPASSWD: /bin/fuser
# fuser needs root to see file descriptors held by tcpdump when tcpdump runs as a different user.
cd /capture || exit 1
shopt -s nullglob   # with no matching files the loop body does not run with the literal pattern
for file in dns*.pcap;
do
# fuser -s exits 0 while some process (tcpdump writing the current rotation) still has the file open; only process files that are closed.
if ! sudo fuser -s "$file"; then
# tshark's default summary columns with -t ad: $2 date, $3 time, $4 src, $6 dst, $10 "query", then either "0xID type name" (query) or "response 0xID type name ..." (response).
# tshark errors are discarded (2>/dev/null), so check query.log, not the script's exit status, when a file looks unprocessed.
/usr/bin/tshark -n -t ad -r "$file" | awk '{ if ($10 !="query") print $2, $3, "ERROR: " $0; else if ($11 == "response") print $2, $3, $12, "R", $4, $6, substr($0, index($0,$13)); else print $2, $3, $11, "Q", $4, $6, $12, $13, $14 }' 1>>/var/log/dns/query.log 2>/dev/null;
mv "$file" /capture/processed/"$file"
fi
done
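The awk stage of dns-analyzer.sh keys off the column positions of tshark's default summary line, which shift whenever the summary text changes (EDNS options, truncated flags, a different Wireshark release). The following is an added example, not 13Cubed's script, doing the same job with tshark's -T fields output, so each value arrives in a known position regardless of how the summary reads. The function names, the log line layout, and the three sample records are my own constructions; the tshark field names (frame.time_epoch, ip.src, ip.dst, dns.flags.response, dns.id, dns.qry.type, dns.qry.name, dns.flags.rcode, dns.a) are real, and dns.qry.type is emitted numerically in fields mode (1 = A, 28 = AAAA).

```bash
#!/bin/bash
# dns-analyzer-fields.sh -- added example, not the gist's code. Turns rotated DNS
# PCAPs into one space-delimited log line per DNS packet, asking tshark for named
# fields so the formatter never depends on summary-column positions.
set -euo pipefail

CAPTURE_DIR="${CAPTURE_DIR:-/capture}"        # assumed layout, same as the gist
LOG="${LOG:-/var/log/dns/query.log}"

# Fields requested from tshark, one tab-separated record per DNS packet.
# dns.flags.response: 0 = query, 1 = response. dns.a: comma-joined A answers
# (empty for queries and for NXDOMAIN). dns.flags.rcode: 0 NOERROR, 3 NXDOMAIN.
TSHARK_FIELDS=(-e frame.time_epoch -e ip.src -e ip.dst -e dns.flags.response
               -e dns.id -e dns.qry.type -e dns.qry.name -e dns.flags.rcode -e dns.a)

# extract_fields FILE -> tab-separated records on stdout
extract_fields() {
  tshark -n -r "$1" -Y dns -T fields -E separator=/t "${TSHARK_FIELDS[@]}"
}

# format_records: stdin = records from extract_fields, stdout = log lines:
#   <epoch> Q <id> <src> <dst> <qtype> <name>
#   <epoch> R <id> <src> <dst> <qtype> <name> rcode=<n> <answers|->
# Anything that is not exactly nine fields is logged as an ERROR line, as the
# original script does, instead of being silently mis-parsed.
format_records() {
  awk -F '\t' 'BEGIN { OFS = " " }
    NF != 9   { print "ERROR:", $0; next }
    $4 == "1" { print $1, "R", $5, $2, $3, $6, $7, "rcode=" $8, ($9 == "" ? "-" : $9); next }
              { print $1, "Q", $5, $2, $3, $6, $7 }'
}

# process_captures: same skip-if-open / convert / move loop as the gist,
# with the file name quoted and an empty glob handled.
process_captures() {
  local file
  cd "$CAPTURE_DIR" || return 1
  shopt -s nullglob
  for file in dns*.pcap; do
    # tcpdump still holds the rotation it is writing; fuser -s exits 0 then.
    if sudo fuser -s "$file"; then
      continue
    fi
    extract_fields "$file" | format_records >>"$LOG"
    mv "$file" processed/
  done
}

# Constructed sample of what extract_fields emits (not from a real capture):
# a query, its answer, and an NXDOMAIN response.
SAMPLE_RECORDS=$(printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
  1488474000.123456 192.0.2.10 192.0.2.53 0 0x1a2b 1 example.com  0 '' \
  1488474000.130000 192.0.2.53 192.0.2.10 1 0x1a2b 1 example.com  0 93.184.216.34 \
  1488474001.000000 192.0.2.53 192.0.2.10 1 0x9999 1 nope.invalid 3 '')

# demo: format the constructed sample; ./dns-analyzer-fields.sh --run does the real loop.
demo() { printf '%s\n' "$SAMPLE_RECORDS" | format_records; }

if [ "${1:-}" = "--run" ]; then process_captures; elif [ "${1:-}" = "--demo" ]; then demo; fi
```

Because the epoch timestamp, the transaction ID and the rcode land in fixed positions, a SIEM field extraction for this log is a plain split on spaces; the trailing answer list is the only variable-width part and it is always last.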
13Cubed / update_aws.sh
Last active Oct 9, 2019
Update AWS Route 53 and an EC2 Security Group upon a change in dynamic IP address. Roll your own dynamic DNS service, and update the associated security group by adding the new IP and removing the previous one, so a stale home address does not keep access to the EC2 instances. Note: calls the AWS CLI for the security group change and cli53 (https://github.com/barnybug/cli53) for the Route 53 change.
#!/bin/bash
ZONE="example.com"
HOSTNAME="test"
SGROUP="my_security_group"
# Current public address as seen by OpenDNS, and the address currently published for the host.
CURRENT_IP=$(dig @resolver1.opendns.com myip.opendns.com +short)
OLD_IP=$(dig @resolver1.opendns.com "$HOSTNAME.$ZONE" +short)
# Only proceed with something that looks like an IPv4 address (dig returns nothing, or an error string, when the lookup fails).
if [[ $CURRENT_IP =~ [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ ]] ; then
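The page's copy of update_aws.sh stops at the if. The following is an added example, not 13Cubed's gist, that carries the flow the description gives (publish the new address, open it in the security group, close the old one) through to the end. It assumes cli53 and the AWS CLI are installed with working credentials, that the security group holds a single tcp/22 rule for the home address (PORT and TTL are my assumptions), and that the group is in the default VPC, where --group-name is accepted (otherwise use --group-id). The function names and the DRY_RUN switch are my own; the cli53 rrcreate --replace syntax and the aws ec2 authorize-/revoke-security-group-ingress options are the tools' real ones.

```bash
#!/bin/bash
# update_aws-example.sh -- added example, not the gist's code.
set -euo pipefail

ZONE="example.com"
HOSTNAME="test"
SGROUP="my_security_group"
PORT=22   # assumption: the rule being maintained is SSH from the home address
TTL=60    # assumption: short TTL so the record follows the address quickly

# Strict IPv4 check: anchored, four octets, each 0-255. An unanchored match
# would accept "203.0.113.7garbage" or "999.1.1.1" and feed it to AWS.
is_ipv4() {
  local ip=$1 o
  [[ $ip =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]] || return 1
  for o in "${BASH_REMATCH[@]:1}"; do
    (( 10#$o <= 255 )) || return 1   # 10# forces decimal so "08" is not read as octal
  done
}

current_ip()   { dig +short @resolver1.opendns.com myip.opendns.com; }
published_ip() { dig +short @resolver1.opendns.com "$HOSTNAME.$ZONE"; }

# run CMD...: execute it, or only print it when DRY_RUN=1, so the exact AWS and
# cli53 calls can be previewed before anything is changed.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# apply_update OLD NEW: publish NEW in Route 53, open NEW in the security group,
# then close OLD. Authorize before revoke: with set -e, a failure half-way leaves
# you with access rather than locked out. OLD may be empty on the first run.
apply_update() {
  local old=$1 new=$2
  run cli53 rrcreate --replace "$ZONE" "$HOSTNAME $TTL A $new"
  run aws ec2 authorize-security-group-ingress --group-name "$SGROUP" \
      --protocol tcp --port "$PORT" --cidr "$new/32"
  if is_ipv4 "$old" && [ "$old" != "$new" ]; then
    run aws ec2 revoke-security-group-ingress --group-name "$SGROUP" \
        --protocol tcp --port "$PORT" --cidr "$old/32"
  fi
}

# update_if_changed NEW OLD: returns 0 after updating, 1 if nothing changed,
# 2 if NEW is not a usable address (dig returned nothing or an error string).
update_if_changed() {
  local new=$1 old=$2
  if ! is_ipv4 "$new"; then
    echo "refusing to update: '$new' is not an IPv4 address" >&2
    return 2
  fi
  [ "$new" != "$old" ] || return 1
  apply_update "$old" "$new"
}

main() { update_if_changed "$(current_ip)" "$(published_ip)"; }

# Network calls happen only when invoked as: ./update_aws-example.sh --run
# (prefix DRY_RUN=1 to see the calls instead of making them).
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it from cron a few times an hour; the early return when the published address already matches keeps the common case free of AWS API calls. If the authorize call fails with a duplicate-rule error, the revoke never runs, which is the right failure direction: investigate the group by hand rather than risk removing the only working rule.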