Justin JustinAzoff
JustinAzoff
/ count.py
Created
November 8, 2016 22:30
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python2 | |
| import sys | |
| from collections import defaultdict | |
| c = defaultdict(int) | |
| for line in sys.stdin: | |
| c[line] += 1 | |
| top = sorted(c.items(), key=lambda (k,v): v) |
JustinAzoff
/ files-split-certs.bro
Created
May 18, 2016 14:42
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| event bro_init() | |
| { | |
| Log::remove_default_filter(Files::LOG); | |
| Log::add_filter(Files::LOG, [ | |
| $name = "files-split", | |
| $path_func(id: Log::ID, path: string, rec: Files::Info) = { | |
| if (rec?$mime_type && rec$mime_type == "application/pkix-cert") | |
| return "files_certs"; | |
| return "files"; | |
| } |
JustinAzoff
/ crunch_bro_ssh.py
Last active
May 12, 2016 17:38
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import sys | |
| import csv | |
| import subprocess | |
| from collections import namedtuple, defaultdict | |
| DATA = "zcat /usr/local/bro/logs/*/ssh*z |bro-cut id.orig_h id.resp_h auth_success" | |
| Record = namedtuple("Record", "src dst success") | |
| Result = namedtuple("Result", "src success failure unknown hosts subnets") |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| export { | |
| const scan_ports: set[port] = {22/tcp,3389/tcp} &redef; | |
| } | |
| hook Scan::addr_scan_policy(scanner: addr, victim: addr, scanned_port: port) | |
| { | |
| if(scanned_port !in scan_ports) | |
| break; | |
| } |
JustinAzoff
/ netstats_sum.py
Created
March 3, 2016 18:34
Aggragate netstats output across myricom workers accounting for their misreporting of dropped packets bug.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import sys | |
| import re | |
| from collections import defaultdict | |
| totals = defaultdict(int) | |
| host_dropped = {} | |
| total_rx = total_drop = 0 |
JustinAzoff
/ regex_test.py
Created
February 12, 2016 20:02
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import re | |
| import sys | |
| regexes = [ | |
| "img.*jpg", | |
| "baz.*etc", | |
| ] | |
| compiled = [(r, re.compile(r)) for r in regexes] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ver = 2.4.1 | |
| all: package | |
| source: bro-$(ver).tar.gz | |
| unpack: bro-$(ver) | |
| deps: deps-stamp | |
| deps-stamp: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import os | |
| import sys | |
| import time | |
| DEFAULT_LOG = "/usr/local/bro/logs/current/conn.log" | |
| def config(): | |
| print """ | |
| graph_category network |
JustinAzoff
/ rdp-scanners.bro
Created
January 7, 2016 14:42
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| module RDP; | |
| export { | |
| redef enum Notice::Type += { | |
| BruteforceScan, | |
| }; | |
| global rdp_scanners_account = /[a-zA-Z]/ &redef ; | |
| redef rdp_scanners_account += /NCRACK_USER/ ; |
JustinAzoff
/ statsd_test.bro
Last active
December 21, 2015 13:53
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @load base/protocols/http | |
| @load base/protocols/ssh | |
| event connection_established(c: connection) | |
| { | |
| statsd_increment("bro.connection.established", 1); | |
| } | |
| event connection_rejected(c: connection) | |
| { |