#!/usr/bin/env python2 | |
import sys | |
from collections import defaultdict | |
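# Count identical lines read from stdin and order them by how often they occur.
# Keys keep their trailing newline, so "foo\n" and "foo" (unterminated last line)
# count separately -- TODO confirm that is intended before stripping.
c = defaultdict(int)
for line in sys.stdin:
    c[line] += 1
# Ascending by count. The original ``lambda (k, v): v`` relies on python2-only
# tuple-parameter unpacking (a SyntaxError on python3); indexing the pair works
# on both interpreters with identical results.
top = sorted(c.items(), key=lambda kv: kv[1])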
event bro_init() | |
{ | |
Log::remove_default_filter(Files::LOG); | |
Log::add_filter(Files::LOG, [ | |
$name = "files-split", | |
$path_func(id: Log::ID, path: string, rec: Files::Info) = { | |
if (rec?$mime_type && rec$mime_type == "application/pkix-cert") | |
return "files_certs"; | |
return "files"; | |
} |
import sys | |
import csv | |
import subprocess | |
from collections import namedtuple, defaultdict | |
# Shell pipeline producing one "orig_h resp_h auth_success" row per ssh log
# entry from the archived logs. The glob and the pipe only work through a
# shell; how it is executed is not visible here, but it is a fixed literal with
# nothing interpolated into it, and it should stay that way if it goes to
# subprocess with shell=True.
DATA = "zcat /usr/local/bro/logs/*/ssh*z |bro-cut id.orig_h id.resp_h auth_success"

# One parsed input row: originating host, responding host, auth_success column.
Record = namedtuple("Record", ["src", "dst", "success"])

# Per-source summary -- presumably counts of successful/failed/unknown attempts
# plus the distinct hosts and subnets contacted; confirm against the code that
# fills it in.
Result = namedtuple(
    "Result",
    ["src", "success", "failure", "unknown", "hosts", "subnets"],
)
export {
## Ports on which an address scan is still reported; scans on any other
## port are vetoed by the Scan::addr_scan_policy hook in this file.
## &redef so a site can extend the set without editing this script.
const scan_ports: set[port] = {22/tcp,3389/tcp} &redef;
}
## Limit address-scan detection to the ports listed in scan_ports.
## In a hook handler ``break`` terminates the whole hook (the hook evaluates
## to false), which is what suppresses the scan here; a plain ``return`` would
## only leave this handler and let the scan through.
hook Scan::addr_scan_policy(scanner: addr, victim: addr, scanned_port: port)
{
# Any port outside the allow-list: veto the scan.
if(scanned_port !in scan_ports)
break;
}
#!/usr/bin/env python | |
import sys | |
import re | |
from collections import defaultdict | |
# Running per-key totals; a key that has not been seen yet reads as 0.
totals = defaultdict(int)

# Drop figures keyed by host -- filled in by the parsing code that follows;
# the value shape is not visible here.
host_dropped = dict()

# Grand totals of received and dropped counts (presumably packets, going by
# the names), both starting from zero.
total_rx = 0
total_drop = 0
#!/usr/bin/env python | |
import re | |
import sys | |
# Patterns to look for, kept as written so the source text can be reported
# alongside a match. They are unanchored; whether they are applied with
# search() or match() is decided by the code that consumes ``compiled``.
regexes = [
    "img.*jpg",
    "baz.*etc",
]

# (source, compiled) pairs, compiled once up front rather than per input line.
compiled = list(zip(regexes, map(re.compile, regexes)))
ver = 2.4.1 | |
all: package | |
source: bro-$(ver).tar.gz | |
unpack: bro-$(ver) | |
deps: deps-stamp | |
deps-stamp: |
#!/usr/bin/env python | |
import os | |
import sys | |
import time | |
# conn.log of the currently running bro instance; presumably the fallback
# when no log path is supplied -- confirm against the argument handling.
DEFAULT_LOG = "/usr/local/bro/logs/current/conn.log"
def config(): | |
print """ | |
graph_category network |
module RDP; | |
export { | |
redef enum Notice::Type += { | |
BruteforceScan, | |
}; | |
global rdp_scanners_account = /[a-zA-Z]/ &redef ; | |
redef rdp_scanners_account += /NCRACK_USER/ ; |
@load base/protocols/http | |
@load base/protocols/ssh | |
## Bump a statsd counter once for every established connection.
## statsd_increment() is not defined in this file -- presumably provided by a
## loaded statsd script; the count argument is always 1 here.
event connection_established(c: connection)
{
statsd_increment("bro.connection.established", 1);
}
event connection_rejected(c: connection) | |
{ |