Skip to content

Instantly share code, notes, and snippets.

Jan J-Gras

Block or report user

Report or block J-Gras

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
@J-Gras
J-Gras / AF_Packet-TODOs.txt
Last active Oct 27, 2015
Open TODOs for the Bro AF_Packet plugin.
View AF_Packet-TODOs.txt
- Fix initialization of stats.
- Investiagte why the preferred way of setting the device into PROMISC causes checksum issues
(see http://man7.org/linux/man-pages/man7/packet.7.html).
- Investigate performance impact of other block sizes.
- Investigate the use of hugepages and sanity checks for page size.
@J-Gras
J-Gras / do_notice.bro
Last active Mar 29, 2016
Extends the original do_notice.bro to add an identifier to the notices.
View do_notice.bro
# Extends the original script to add an identifier to the notices.
# Jan Grashoefer (jan.grashoefer@gmail.com)
# Original script is shipped with Bro.
@load base/frameworks/intel
@load base/frameworks/notice
module Intel;
export {
@J-Gras
J-Gras / add-json.bro
Last active Feb 6, 2020
Additional JSON logging for Bro.
View add-json.bro
##! Additional JSON-logging for Bro.
module Log;
export {
## Enables JSON-logfiles for all active streams
const enable_all_json = T &redef;
## Streams not to generate JSON-logfiles for
const exclude_json: set[Log::ID] = { } &redef;
## Streams to generate JSON-logfiles for
@J-Gras
J-Gras / expire_test.bro
Created Apr 6, 2016
Example script to demonstrate the per item expire issue.
View expire_test.bro
@load base/frameworks/communication
redef exit_only_after_terminate = T;
redef table_expire_interval = 1sec;
global start_time: time;
function time_past(): interval
{
@J-Gras
J-Gras / first_pkt_src.bro
Created Jul 25, 2016
Logging of first packet's source IP.
View first_pkt_src.bro
# Adds first packet's source IP to conn.log.
redef record connection += {
first_pkt_src: addr &optional;
};
redef record Conn::Info += {
## Source address of the first packet.
first_pkt_src: addr &optional &log;
};
@J-Gras
J-Gras / intel-framework-update.md
Last active Sep 12, 2016
Blog post about the Intelligence Framework update.
View intel-framework-update.md

The Intelligence Framework Update

Recently Bro's intelligence framework was refactored and extended with a couple of new features. This post will discuss the updates and tries to clear some of the backgrounds that turned out to be common pitfalls in the past.

The Intelligence Framework Data Model

Understanding the intel framework's data model is the key for exploiting its full potential, so let's have a closer look: The core of an intelligence datum is the indicator (also indicator of compromise, IoC), e.g. an IP, hash or domain name (for a list of available types see Bro's script reference). The indicator can be enriched by meta data of different kinds, e.g. a description, url or severity level. The same indicator can be obtained from different intelligence sources, providing different meta data. Thus in Bro's intelligence framework, a plain indicator can be described by multiple meta data records. A meta data

@J-Gras
J-Gras / bro-view.sh
Last active May 9, 2018
Small script to view Bro log files.
View bro-view.sh
#!/bin/sh
if echo "$1" | grep -q ".log.gz$"; then
CAT="zcat"
else
CAT="cat"
fi
$CAT $1 | bro-cut -dc $2 | sed -e 's/^#fields\t/#fields:/; s/^#types\t/#types:/' | column -t -s $'\t' | less -S
@J-Gras
J-Gras / toggleHTML.js
Created Jan 22, 2019
Toggles between plaintext and sanitized HTML view in Thunderbird.
View toggleHTML.js
var pref = Components.classes['@mozilla.org/preferences-service;1'].getService(Components.interfaces.nsIPrefBranch);
if(pref.getBoolPref("mailnews.display.prefer_plaintext")){
MsgBodyAllowHTML();
pref.setIntPref('mailnews.display.html_as', 3);
}else
MsgBodyAsPlaintext();
@J-Gras
J-Gras / dpd-analysis.zeek
Last active Oct 16, 2019
Separate log for DPD speculative service.
View dpd-analysis.zeek
module DPDAnalysis;
export {
redef enum Log::ID += { LOG };
type Info: record {
ts: time &log;
uid: string &log;
orig_p: port &log;
resp_p: port &log;
You can’t perform that action at this time.