I hereby claim:
- I am Kvetch on github.
- I am kvetch (https://keybase.io/kvetch) on keybase.
- I have a public key whose fingerprint is A04E F86F 18E5 CFCB 233B 356C F334 F490 363B 5A0F
To claim this, I am signing this object:
Nick B Kvetch
Kvetch
/ ELK-Bro.json
Created
May 9, 2017 03:04
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| input { | |
| file { | |
| type => "bro_logs" | |
| path => "/Analysis/Pcaps/*.log" | |
| start_position => beginning | |
| codec => json | |
| sincedb_path => "/var/log/.bro_sincedb" | |
| } | |
| } |
Kvetch
/ Bro_JSON_config_steps.txt
Created
May 9, 2017 02:43
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Under bro/share/bro/site/local.bro | |
| add @tuning/json-logs | |
| No.bro extension from the policy file | |
| run broctl config | |
| run broctl install | |
| bro -r faf-exercise.pcap | |
| OR |
Kvetch
/ ELK-Beats.json
Created
May 9, 2017 02:23
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| input { | |
| beats { | |
| port => 5044 | |
| } | |
| } | |
| output { | |
| elasticsearch { | |
| hosts => ["http://localhost:9200"] | |
| index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}" |
Kvetch
/ SysmonBeats_Procmon_Bro-ELK.json
Created
May 9, 2017 02:07
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| input { | |
| beats { | |
| type => "beats" | |
| port => 5044 | |
| #codec => json | |
| } | |
| file { | |
| type => "procmon" | |
| ############ CHANGE ################### | |
| path => "/ELK/Analysis/LogFile.CSV" |
Kvetch
/ Procmon-XML.json
Created
May 9, 2017 02:04
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| input { | |
| file { | |
| path => "/Somedir/Output/Logfile.XML" | |
| start_position => beginning | |
| sincedb_path => "/dev/null" | |
| codec => multiline { | |
| pattern => "(<process>|<event>)" | |
| negate => "true" | |
| what => "previous" | |
| auto_flush_interval => 1 |
Kvetch
/ Redemptio.ps1
Created
May 9, 2017 01:58
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #REQUIRES -Version 2.0 | |
| <# | |
| .SYNOPSIS | |
| A brief description of the function or script. This keyword can be used | |
| only once in each topic. | |
| .DESCRIPTION | |
| A detailed description of the function or script. This keyword can be | |
| used only once in each topic. | |
| .PARAMETER Name |
Kvetch
/ XOR-decode.py
Created
May 9, 2017 01:56
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python2 | |
| # 6 bytes | |
| inputfile = open('BlahBlahBlah', 'rb') | |
| outputfile = open('output','w+b') | |
| decode = [0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA] | |
| counter = 0 | |
| byte = inputfile.read(1) | |
| while byte != "": | |
| #print byte |
Kvetch
/ analysis-test.conf
Last active
May 9, 2017 02:05
Logstash Conf for Bro, Procmon (csv export) and Beats (winlogbeat + sysmon and packetbeat)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| input { | |
| beats { | |
| type => "beats" | |
| port => 5044 | |
| #codec => json | |
| } | |
| file { | |
| type => "procmon" | |
| ############ CHANGE ################### | |
| path => "/blahblahblah/LogFile.CSV" |
Kvetch
/ keybase.md
Created
March 27, 2016 16:01
Kvetch
/ keybase.md.old
Last active
March 27, 2016 16:01
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ### Keybase proof | |
| I hereby claim: | |
| * I am Kvetch on github. | |
| * I am baronian (https://keybase.io/baronian) on keybase. | |
| * I have a public key whose fingerprint is EF6C A608 A979 F11B 0C5A 9526 B89D F047 2672 EF84 | |
| To claim this, I am signing this object: |