Skip to content

Instantly share code, notes, and snippets.

Avatar

Nick B Kvetch

View GitHub Profile
View ELK-Bro.json
input {
file {
type => "bro_logs"
path => "/Analysis/Pcaps/*.log"
start_position => beginning
codec => json
sincedb_path => "/var/log/.bro_sincedb"
}
}
View Bro_JSON_config_steps.txt
Under bro/share/bro/site/local.bro
add @tuning/json-logs
No.bro extension from the policy file
run broctl config
run broctl install
bro -r faf-exercise.pcap
OR
View ELK-Beats.json
input {
beats {
port => 5044
}
}
output {
elasticsearch {
hosts => ["http://localhost:9200"]
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
View SysmonBeats_Procmon_Bro-ELK.json
input {
beats {
type => "beats"
port => 5044
#codec => json
}
file {
type => "procmon"
############ CHANGE ###################
path => "/ELK/Analysis/LogFile.CSV"
View Procmon-XML.json
input {
file {
path => "/Somedir/Output/Logfile.XML"
start_position => beginning
sincedb_path => "/dev/null"
codec => multiline {
pattern => "(<process>|<event>)"
negate => "true"
what => "previous"
auto_flush_interval => 1
View Redemptio.ps1
#REQUIRES -Version 2.0
<#
.SYNOPSIS
A brief description of the function or script. This keyword can be used
only once in each topic.
.DESCRIPTION
A detailed description of the function or script. This keyword can be
used only once in each topic.
.PARAMETER Name
View XOR-decode.py
#!/usr/bin/env python2
# 6 bytes
inputfile = open('BlahBlahBlah', 'rb')
outputfile = open('output','w+b')
decode = [0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA]
counter = 0
byte = inputfile.read(1)
while byte != "":
#print byte
@Kvetch
Kvetch / analysis-test.conf
Last active May 9, 2017
Logstash Conf for Bro, Procmon (csv export) and Beats (winlogbeat + sysmon and packetbeat)
View analysis-test.conf
input {
beats {
type => "beats"
port => 5044
#codec => json
}
file {
type => "procmon"
############ CHANGE ###################
path => "/blahblahblah/LogFile.CSV"
View keybase.md

Keybase proof

I hereby claim:

  • I am Kvetch on github.
  • I am kvetch (https://keybase.io/kvetch) on keybase.
  • I have a public key whose fingerprint is A04E F86F 18E5 CFCB 233B 356C F334 F490 363B 5A0F

To claim this, I am signing this object:

View keybase.md.old
### Keybase proof
I hereby claim:
* I am Kvetch on github.
* I am baronian (https://keybase.io/baronian) on keybase.
* I have a public key whose fingerprint is EF6C A608 A979 F11B 0C5A 9526 B89D F047 2672 EF84
To claim this, I am signing this object:
You can’t perform that action at this time.