
Richard Davis 13Cubed

13Cubed / audit-tool.py
Created January 27, 2016 18:42
A simple file comparison utility written in Python.
#!/usr/bin/python
# audit-tool.py 2.0 - A simple file comparison utility.
# Copyright 2014 13Cubed. All rights reserved. Written by: Richard Davis
import sys
def compareFiles(filename1, filename2, ignorecase, bidirectional):
"""
Given two filenames and an ignorecase boolean, compares filename1
against filename2 and returns list of the differences and a count of
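A complete file-comparison routine in the spirit of audit-tool.py, added here as an example and not the gist's own code (the preview above is truncated). Function and parameter names, the set-based comparison, and the sshd_config-style sample files are assumptions; the sample input is constructed inline.

```python
import os
import tempfile


def compare_files(filename1, filename2, ignorecase=False, bidirectional=False):
    """Compare filename1 against filename2 line by line.

    Returns (differences, count). Each difference is (file, line_number, line)
    for a line of filename1 that appears nowhere in filename2. With
    bidirectional=True, lines of filename2 absent from filename1 are appended.
    Leading/trailing whitespace is ignored; ignorecase=True also folds case.
    (Added example; names are assumptions, not the gist's.)
    """
    def load(path):
        with open(path, 'r', encoding='utf-8', errors='replace') as f:
            return [line.rstrip('\r\n') for line in f]

    def norm(line):
        line = line.strip()
        return line.lower() if ignorecase else line

    lines1, lines2 = load(filename1), load(filename2)
    seen2 = {norm(l) for l in lines2}
    diffs = [(filename1, n, l) for n, l in enumerate(lines1, 1) if norm(l) not in seen2]
    if bidirectional:
        seen1 = {norm(l) for l in lines1}
        diffs += [(filename2, n, l) for n, l in enumerate(lines2, 1) if norm(l) not in seen1]
    return diffs, len(diffs)


# Constructed sample input: an sshd_config baseline and a drifted copy of it.
BASELINE = "PermitRootLogin no\nPasswordAuthentication no\nPort 22\n"
CURRENT = "permitrootlogin no\nPasswordAuthentication yes\nPort 22\nX11Forwarding yes\n"


def demo(ignorecase=True, bidirectional=True):
    """Write the samples to a temp dir and compare them.

    Returns (diffs, count) with diffs reported by file basename.
    """
    with tempfile.TemporaryDirectory() as d:
        base, cur = os.path.join(d, 'baseline'), os.path.join(d, 'current')
        with open(base, 'w', encoding='utf-8') as f:
            f.write(BASELINE)
        with open(cur, 'w', encoding='utf-8') as f:
            f.write(CURRENT)
        diffs, count = compare_files(base, cur, ignorecase, bidirectional)
        return [(os.path.basename(p), n, l) for p, n, l in diffs], count


if __name__ == '__main__':
    for name, n, line in demo()[0]:
        print('%s:%d: %s' % (name, n, line))
```

With ignorecase=True the case-only difference on the PermitRootLogin line is suppressed and three real drifts remain; with ignorecase=False and a one-way comparison the baseline alone yields two differences.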
13Cubed / ossec-installer.sh
Last active January 27, 2016 18:43
OSSEC HIDS agent installation script for RHEL/CentOS.
#!/bin/bash
# This script simplifies the installation of the OSSEC HIDS Agent for RHEL/CentOS boxes.
# Are we running is root?
if [ $(id -u) -ne 0 ]; then
echo
echo "This script must be run as root!"
echo
exit;
fi
13Cubed / service
Created February 20, 2016 04:24
This template can be used to create a service script for Red Hat Enterprise Linux. It will enable you to use “service myservice start”, “service myservice stop”, or “service myservice status” to control a particular process.
#!/bin/bash
# Replace myservice with your service name. Insert commands where noted.
# chkconfig: - 99 00
# Source function library.
. /etc/rc.d/init.d/functions
case "$1" in
start)
echo -n "Starting myservice"
13Cubed / checklog.py
Created February 20, 2016 04:26
Use RegEx (Regular Expressions) to search through files for specific text.
#!/usr/bin/python
import sys
import re
def ParseLog(filename, search_string):
try:
f = open(filename, 'rU')
except IOError:
print '\n*** I/O Error: Can\'t read file', filename, '***\n'
13Cubed / iptohex.py
Created February 20, 2016 04:26
Convert IPv4 decimal (base 10) addresses to hex (base 16). Useful for 6to4 tunnel configs.
#!/usr/bin/python
import sys
import re
def DecToHex(dec_ip):
dec_octets = str.split(dec_ip, '.')
hex_octets = []
if len(dec_octets) != 4:
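The conversion iptohex.py performs, carried through as an added example that is not the gist's own code: it validates the dotted quad (octet count and 0..255 range), produces the hex form, inverts it, and derives the 2002::/48 6to4 prefix (RFC 3056) that embeds the address. Function names and the RFC 3056 example address 192.1.2.3 are assumptions; the private-range check uses the standard `ipaddress` module.

```python
import ipaddress
import re

# Added example, not the gist's code. Exactly four decimal groups of 1-3 digits.
_DOTTED_QUAD = re.compile(r'^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$')


def dec_to_hex(dec_ip):
    """Return the 8-hex-digit form of a dotted-quad IPv4 address.

    '192.1.2.3' -> 'c0010203'. Raises ValueError for anything that is not
    four decimal octets in 0..255 (too few octets, letters, 256, ...).
    """
    m = _DOTTED_QUAD.match(dec_ip.strip())
    if not m:
        raise ValueError('not a dotted-quad IPv4 address: %r' % dec_ip)
    octets = [int(o) for o in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError('octet out of range 0..255 in %r' % dec_ip)
    return ''.join('%02x' % o for o in octets)


def hex_to_dec(hex_ip):
    """Inverse of dec_to_hex: 'c0010203' -> '192.1.2.3'."""
    if not re.fullmatch(r'[0-9a-fA-F]{8}', hex_ip):
        raise ValueError('expected 8 hex digits: %r' % hex_ip)
    return '.'.join(str(int(hex_ip[i:i + 2], 16)) for i in range(0, 8, 2))


def sixtofour_prefix(dec_ip):
    """Return the 6to4 /48 prefix (RFC 3056) that embeds dec_ip.

    '192.1.2.3' -> '2002:c001:0203::/48'. RFC 3056 requires a globally unique
    IPv4 address, so RFC 1918 and other non-routable ranges are rejected.
    """
    h = dec_to_hex(dec_ip)  # validates the input first
    if ipaddress.IPv4Address(dec_ip.strip()).is_private:
        raise ValueError('6to4 needs a globally routable IPv4 address: %r' % dec_ip)
    return '2002:%s:%s::/48' % (h[:4], h[4:])


if __name__ == '__main__':
    import sys
    for arg in sys.argv[1:] or ['192.1.2.3']:
        print('%s -> %s -> %s' % (arg, dec_to_hex(arg), sixtofour_prefix(arg)))
```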
13Cubed / bashrc
Last active February 26, 2016 15:12
Custom bash prompt. Can be placed in /etc/bashrc (or /etc/bash.bashrc).
# If this is an interactive shell, customize the prompt
if [[ $- == *i* ]]; then
echo
if [ $(id -u) -eq 0 ]; then # Root user prompt
PS1="\[\033[38;5;31m\][\[$(tput sgr0)\]\[\033[38;5;166m\]\u\[$(tput sgr0)\]\[\033[38;5;31m\]@\h\[$(tput sgr0)\]\[\033[38;5;15m\] \[$(tput sgr0)\]\[\033[38;5;34m\]\W\[$(tput sgr0)\]\[\033[38;5;31m\]]\[$(tput sgr0)\]\[\033[38;5;15m\]\\$ \[$(tput sgr0)\]"
else # Normal user prompt
PS1="\[\033[38;5;31m\][\[$(tput sgr0)\]\[\033[38;5;99m\]\u\[$(tput sgr0)\]\[\033[38;5;31m\]@\h\[$(tput sgr0)\]\[\033[38;5;15m\] \[$(tput sgr0)\]\[\033[38;5;34m\]\W\[$(tput sgr0)\]\[\033[38;5;31m\]]\[$(tput sgr0)\]\[\033[38;5;15m\]\\$ \[$(tput sgr0)\]"
fi
fi
13Cubed / checknet.sh
Last active January 23, 2017 11:29
A simple Bash script to monitor a remote address and send an email when it goes down.
#!/bin/bash
# If the file that holds the flag doesn't exist, create it with default of 0
if [ ! -f /tmp/checknet.tmp ]
then
echo 0 > /tmp/checknet.tmp
fi
target=TARGET_GOES_HERE
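The flag-file pattern checknet.sh starts with, written out as an added example in Python (not the gist's code): the flag records whether the target was last seen down, so an alert is sent only on an up-to-down or down-to-up transition rather than on every poll. The probe, state-file location and message texts are assumptions; `probe_ping` assumes Linux iputils `ping`, and the demo drives the check with a scripted probe so it runs offline.

```python
import os
import subprocess
import tempfile


def probe_ping(target):
    """Real probe (assumption: iputils ping): one echo request, 2 s timeout."""
    r = subprocess.run(['ping', '-c', '1', '-W', '2', target],
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return r.returncode == 0


def read_flag(state_file):
    """1 if the target was last seen down, 0 otherwise (missing file = 0)."""
    try:
        with open(state_file) as f:
            return 1 if f.read().strip() == '1' else 0
    except FileNotFoundError:
        return 0


def write_flag(state_file, value):
    """Write the flag atomically so a crash mid-write cannot leave it empty."""
    tmp = state_file + '.tmp'
    with open(tmp, 'w') as f:
        f.write('%d\n' % value)
    os.replace(tmp, state_file)


def check_target(target, probe, state_file, notify):
    """Run probe(target) -> bool once; call notify(text) on transitions only.

    Returns 'down', 'up' or None (no state change). Added example, names assumed.
    """
    was_down = read_flag(state_file)
    up = probe(target)
    if not up and not was_down:
        write_flag(state_file, 1)
        notify('%s is DOWN' % target)
        return 'down'
    if up and was_down:
        write_flag(state_file, 0)
        notify('%s is back UP' % target)
        return 'up'
    return None


def simulate(results, target='198.51.100.10'):
    """Drive check_target once per scripted probe result (constructed input).

    Returns (events, messages) so the transition logic can be checked offline.
    """
    outcomes = iter(results)
    messages = []
    with tempfile.TemporaryDirectory() as d:
        state = os.path.join(d, 'checknet.state')
        events = [check_target(target, lambda t: next(outcomes), state, messages.append)
                  for _ in results]
    return events, messages


if __name__ == '__main__':
    print(simulate([True, True, False, False, True]))
```

In production the flag belongs in a directory owned by the monitoring user (for example under /var/lib or ~/.local/state) rather than /tmp, so that another local user cannot pre-create it, and `notify` would hand the text to sendmail or a webhook.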
13Cubed / ticketbleed.go
Last active February 9, 2017 14:27 — forked from FiloSottile/ticketbleed.go
Check for Ticketbleed (CVE-2016-9244) vulnerability.
package main
import (
"crypto/tls"
"fmt"
"log"
"strings"
"os"
)
13Cubed / dns-sniffer.service
Last active March 1, 2017 20:26
A systemd service file that calls dns-sniffer.sh.
[Unit]
Description=DNS Sniffer
[Service]
User=[USERNAME_HERE]
ExecStart=/usr/local/bin/dns-sniffer.sh
[Install]
WantedBy=multi-user.target
13Cubed / dns-analyzer.sh
Last active March 2, 2017 16:20
A Bash script to parse DNS PCAPs with tshark and write space-delimited values to a log file (useful for SIEM ingestion). This script ensures a given PCAP is not in use (via fuser) prior to analyzing and moving the file.
#!/bin/bash
# Note: Do not run this script as root. Allow the standard user under which it runs the ability to execute /bin/fuser without entering credentials.
# Example: username ALL = (root) NOPASSWD: /bin/fuser
cd /capture || exit 1
for file in dns*.pcap; do
  # With no matching files the glob stays literal; skip it rather than feeding it to tshark.
  [ -e "$file" ] || continue
  # Only process captures the sniffer no longer holds open.
  if ! sudo fuser -s "$file"; then
    /usr/bin/tshark -n -t ad -r "$file" | awk '{ if ($10 !="query") print $2, $3, "ERROR: " $0; else if ($11 == "response") print $2, $3, $12, "R", $4, $6, substr($0, index($0,$13)); else print $2, $3, $11, "Q", $4, $6, $12, $13, $14 }' 1>>/var/log/dns/query.log 2>/dev/null
    mv "$file" /capture/processed/"$file"
  fi
done
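The same record extraction done with a named-group regular expression instead of awk field positions, as an added example that is not the gist's code; it covers both checklog.py (regex search over text files) and the dns-analyzer.sh awk above. The tshark summary-line layout (`-n -t ad`: frame number, date, time, source, arrow, destination, protocol, length, info) is assumed from tshark's default output, the sample lines are constructed, and the output field order matches the awk: date, time, transaction id, Q or R, source, destination, then the query or answer text.

```python
import re

# Added example, not the gist's code. Matches tshark's default summary line with
# "-n -t ad"; the arrow is "→" in recent builds and "->" in older ones.
LINE_RE = re.compile(
    r'^\s*\d+\s+(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2}(?:\.\d+)?)\s+'
    r'(?P<src>\S+)\s+(?:→|->)\s+(?P<dst>\S+)\s+DNS\s+\d+\s+'
    r'Standard query\s+(?P<resp>response\s+)?(?P<txid>0x[0-9a-fA-F]+)\s+(?P<rest>.*)$'
)
# Fallback used only to salvage a timestamp for lines that are not standard queries.
_TS_RE = re.compile(r'^\s*\d+\s+(\d{4}-\d{2}-\d{2})\s+(\S+)\s+')


def parse_line(line):
    """Turn one tshark summary line into a space-delimited SIEM record.

    Standard queries/responses become "date time txid Q|R src dst <text>";
    anything else (inverse queries, malformed packets, unexpected layouts)
    becomes "date time ERROR: <raw line>" so nothing is silently dropped.
    """
    m = LINE_RE.match(line)
    if m:
        kind = 'R' if m.group('resp') else 'Q'
        return ' '.join([m.group('date'), m.group('time'), m.group('txid'), kind,
                         m.group('src'), m.group('dst'), m.group('rest').strip()])
    ts = _TS_RE.match(line)
    prefix = ('%s %s ' % ts.groups()) if ts else ''
    return prefix + 'ERROR: ' + line.strip()


def parse_lines(lines):
    """Parse an iterable of tshark summary lines; blank lines are skipped."""
    return [parse_line(l) for l in lines if l.strip()]


# Constructed sample of three tshark summary lines: a query, its response,
# and an inverse query that the analyzer should flag rather than parse.
SAMPLE = """\
  1 2017-03-02 16:20:01.123456 10.0.0.5 → 10.0.0.53 DNS 74 Standard query 0x1a2b A example.com
  2 2017-03-02 16:20:01.125000 10.0.0.53 → 10.0.0.5 DNS 90 Standard query response 0x1a2b A example.com A 93.184.216.34
  3 2017-03-02 16:20:02.000000 10.0.0.7 → 10.0.0.53 DNS 60 Inverse query 0x0003 A 10.0.0.7
"""


if __name__ == '__main__':
    import sys
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE.splitlines()
    for rec in parse_lines(source):
        print(rec)
```

Run as `tshark -n -t ad -r dns.pcap | python3 dns_parse.py >> query.log` (file name assumed). Anchoring on the literal "Standard query" text and named groups, rather than on `$10` and `$11`, keeps the records stable if a tshark upgrade shifts a column, and the ERROR fallback still preserves the timestamp for correlation.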