Nick B Kvetch

View ELK-Bro.json
input {
  file {
    type => "bro_logs"
    path => "/Analysis/Pcaps/*.log"
    start_position => beginning
    codec => json
    sincedb_path => "/var/log/.bro_sincedb"
  }
}
View Bro_JSON_config_steps.txt
Under bro/share/bro/site/local.bro
add: @load tuning/json-logs (no .bro extension on the policy file name)
run broctl config
run broctl install
bro -r faf-exercise.pcap
OR
View ELK-Beats.json
input {
  beats {
    port => 5044
  }
}
output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
  }
}
View SysmonBeats_Procmon_Bro-ELK.json
input {
  beats {
    type => "beats"
    port => 5044
    #codec => json
  }
  file {
    type => "procmon"
    ############ CHANGE ###################
    path => "/ELK/Analysis/LogFile.CSV"
  }
}
View Procmon-XML.json
input {
  file {
    path => "/Somedir/Output/Logfile.XML"
    start_position => beginning
    sincedb_path => "/dev/null"
    # Join the lines of each <process> or <event> element into one event
    codec => multiline {
      pattern => "(<process>|<event>)"
      negate => "true"
      what => "previous"
      auto_flush_interval => 1
    }
  }
}
View Redemptio.ps1
#REQUIRES -Version 2.0
<#
.SYNOPSIS
A brief description of the function or script. This keyword can be used
only once in each topic.
.DESCRIPTION
A detailed description of the function or script. This keyword can be
used only once in each topic.
.PARAMETER Name
#>
View XOR-decode.py
#!/usr/bin/env python2
# Repeating-key XOR decoder: each input byte is XORed with the key byte at
# position (counter mod key length). The key below is 7 bytes, all 0xAA.
inputfile = open('BlahBlahBlah', 'rb')
outputfile = open('output', 'w+b')
decode = [0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA]
counter = 0
byte = inputfile.read(1)
while byte != "":
    #print byte
    outputfile.write(chr(ord(byte) ^ decode[counter % len(decode)]))
    counter += 1
    byte = inputfile.read(1)
inputfile.close()
outputfile.close()
@Kvetch
Kvetch / analysis-test.conf
Last active May 9, 2017
Logstash Conf for Bro, Procmon (csv export) and Beats (winlogbeat + sysmon and packetbeat)
View analysis-test.conf
input {
  beats {
    type => "beats"
    port => 5044
    #codec => json
  }
  file {
    type => "procmon"
    ############ CHANGE ###################
    path => "/blahblahblah/LogFile.CSV"
  }
}
View keybase.md

Keybase proof

I hereby claim:

  • I am Kvetch on github.
  • I am kvetch (https://keybase.io/kvetch) on keybase.
  • I have a public key whose fingerprint is A04E F86F 18E5 CFCB 233B 356C F334 F490 363B 5A0F

To claim this, I am signing this object:

View keybase.md.old
### Keybase proof
I hereby claim:
* I am Kvetch on github.
* I am baronian (https://keybase.io/baronian) on keybase.
* I have a public key whose fingerprint is EF6C A608 A979 F11B 0C5A 9526 B89D F047 2672 EF84
To claim this, I am signing this object: