@J-Gras
J-Gras / dpd-analysis.zeek
Last active October 16, 2019 14:49
Separate log for DPD speculative service.
module DPDAnalysis;
export {
redef enum Log::ID += { LOG };
type Info: record {
ts: time &log;
uid: string &log;
orig_p: port &log;
resp_p: port &log;
@J-Gras
J-Gras / toggleHTML.js
Created January 22, 2019 17:45
Toggles between plaintext and sanitized HTML view in Thunderbird.
var pref = Components.classes['@mozilla.org/preferences-service;1'].getService(Components.interfaces.nsIPrefBranch);
if (pref.getBoolPref("mailnews.display.prefer_plaintext")) {
  MsgBodyAllowHTML();
  pref.setIntPref('mailnews.display.html_as', 3);
} else {
  MsgBodyAsPlaintext();
}
@J-Gras
J-Gras / bro-view.sh
Last active May 9, 2018 08:47
Small script to view Bro log files.
#!/bin/sh
# Usage: bro-view.sh <logfile> [fields...]
# Read gzip-compressed logs through zcat, everything else through cat.
if echo "$1" | grep -q '\.log\.gz$'; then
CAT="zcat"
else
CAT="cat"
fi
# $'\t' is a bash extension; build the literal tab portably for /bin/sh.
TAB="$(printf '\t')"
# $2 is intentionally left unquoted so that an empty field list selects all fields.
$CAT "$1" | bro-cut -dc $2 | sed -e 's/^#fields\t/#fields:/; s/^#types\t/#types:/' | column -t -s "$TAB" | less -S
@J-Gras
J-Gras / intel-framework-update.md
Last active September 12, 2016 13:40
Blog post about the Intelligence Framework update.

The Intelligence Framework Update

Recently Bro's intelligence framework was refactored and extended with a couple of new features. This post discusses the updates and tries to clarify some of the background that has turned out to be a common source of pitfalls in the past.

The Intelligence Framework Data Model

Understanding the intel framework's data model is key to exploiting its full potential, so let's have a closer look. The core of an intelligence datum is the indicator (also called an indicator of compromise, IoC), e.g. an IP address, hash or domain name (for a list of the available types, see Bro's script reference). The indicator can be enriched by meta data of different kinds, e.g. a description, URL or severity level. The same indicator can be obtained from different intelligence sources, each providing different meta data. Thus, in Bro's intelligence framework, a plain indicator can be described by multiple meta data records. A meta data

@J-Gras
J-Gras / first_pkt_src.bro
Created July 25, 2016 18:49
Logging of first packet's source IP.
# Adds first packet's source IP to conn.log.
redef record connection += {
first_pkt_src: addr &optional;
};
redef record Conn::Info += {
## Source address of the first packet.
first_pkt_src: addr &optional &log;
};
@J-Gras
J-Gras / expire_test.bro
Created April 6, 2016 12:35
Example script to demonstrate the per item expire issue.
@load base/frameworks/communication
redef exit_only_after_terminate = T;
redef table_expire_interval = 1sec;
global start_time: time;
function time_past(): interval
{
@J-Gras
J-Gras / add-json.bro
Last active February 6, 2020 16:54
Additional JSON logging for Bro.
##! Additional JSON-logging for Bro.
module Log;
export {
## Enables JSON-logfiles for all active streams
const enable_all_json = T &redef;
## Streams not to generate JSON-logfiles for
const exclude_json: set[Log::ID] = { } &redef;
## Streams to generate JSON-logfiles for
@J-Gras
J-Gras / do_notice.bro
Last active March 29, 2016 15:35
Extends the original do_notice.bro to add an identifier to the notices.
# Extends the original script to add an identifier to the notices.
# Jan Grashoefer (jan.grashoefer@gmail.com)
# Original script is shipped with Bro.
@load base/frameworks/intel
@load base/frameworks/notice
module Intel;
export {
@J-Gras
J-Gras / AF_Packet-TODOs.txt
Last active October 27, 2015 18:14
Open TODOs for the Bro AF_Packet plugin.
- Fix initialization of stats.
- Investigate why the preferred way of setting the device into PROMISC mode causes checksum issues
(see http://man7.org/linux/man-pages/man7/packet.7.html).
- Investigate performance impact of other block sizes.
- Investigate the use of hugepages and sanity checks for page size.