Skip to content

Instantly share code, notes, and snippets.

@joydragon
joydragon / misp.conf
Created July 30, 2019 03:24
MISP Configuration to use behind NGINX
# MISP WEB SERVER CONFIGURATION
server {
server_name {{server_name}};
listen 443 ssl;
root /var/www/MISP/app/webroot;
index index.php;
access_log /var/log/nginx/misp.access.log;
error_log /var/log/nginx/misp.error.log;
@joydragon
joydragon / nginx_elastic_restricted.conf
Created August 15, 2020 22:24
Archivo para configurar Elasticsearch detrás de NGINX (puerto 19200)
upstream elasticsearch {
server 127.0.0.1:19200;
keepalive 15;
}
server {
listen 9200;
location / {
limit_except GET POST PUT {
@joydragon
joydragon / nginx_kibana.conf
Created August 15, 2020 22:49
Archivo para configurar Kibana detrás de NGINX
upstream kibana {
server 127.0.0.1:5601;
keepalive 15;
}
server {
listen 80 default_server;
server_name _;
location / {
@joydragon
joydragon / mailers.txt
Created December 6, 2020 01:44
Git con IOC de Mailers PHP de correos de Phishing
URIs:
/isma.php
/dug.php
/rss.php
/power2.php
/mm.php
IPs:
45.7.230.59
45.7.230.85
@joydragon
joydragon / check_opentip.py
Last active February 25, 2021 19:01
This is a script to query the Kaspersky OpenTIP, dunno if the "cym9cgwjk" header is going to expire, but you can get it from a normal connection to the platform. And sorry Kaspersky if you don't intend the platform to be used like this, I can remove this content
#!/usr/bin/env python3
# This is a script to query the Kaspersky OpenTIP
# Dunno if the "cym9cgwjk" header is going to expire, but you can get it from a normal connection to the platform.
# And sorry Kaspersky if you don't intend the platform to be used like this, I can remove this content
import requests
import sys
from os import path
cym9cgwjk = "G27TVJWVYdVHJW15auIG0v3ViYJJmqWi7leK4mPw/BgKEAAAAAAAAAAAAAD//y0H5/YSEB4pNeCdtYNFyD9vmrTrDIQY2azN0/su"
@joydragon
joydragon / check_confidence.py
Created March 27, 2021 17:54
This is a script to listen to the ZMQ on your MISP project and validate the confidence level. Article about it on https://wordpress.com/post/finsin.cl/582
#! /usr/bin/env python3
import json
import logging
import zmq
import time
import re
from pymisp import ExpandedPyMISP
####################################
@joydragon
joydragon / detect_strange_msi.yara
Last active November 3, 2021 19:54
Yara de prueba para detectar patrones extraños de campaña de N40/Mekotio en Chile.
rule detect_strange_msi {
meta:
author = "Ricardo Monreal (@joydragon)"
description = "Yara de prueba para detectar patrones extraños de campaña de N40/Mekotio en Chile. Actualizada 2021-11-03"
strings:
// Hex que diga "Fichero", "TGR" o "Arquivo ... cargando" como parte del "Subject"
$bytes_1 = { 03 00 00 00 0a 00 00 00 1e 00 00 00 ?? 00 00 00 46 69 63 68 65 72 6f 00 1e }
$bytes_2 = { 03 00 00 00 0a 00 00 00 1e 00 00 00 ?? 00 00 00 54 47 52 00 1e }
$bytes_3 = { 03 00 00 00 0a 00 00 00 1e 00 00 00 ?? 00 00 00 41 72 71 75 69 76 6f 20 2e 2e 2e 20 63 61 72 67 61 6e 64 6f 00 00 00 00 1e }