Laurence Jones LaurenceJJones

🦙
View GitHub Profile
@LaurenceJJones
LaurenceJJones / re2_init.sh
Created August 9, 2023 11:15
RE2 compile from source: tested on Debian
#!/bin/bash
RE2_VERSION=${RE2_VERSION:-2023-03-01}
## Utilities ##
download() {
if [ -z "$1" ]; then
echo "download() requires a URL as first argument"
exit 1
fi
LaurenceJJones / debian_update_symlinks.sh
Created July 6, 2023 08:41
CrowdSec Debian symlinks
LaurenceJJones / crowdsec-lights.sh
Last active June 12, 2023 19:31
CrowdSec lights
#!/bin/bash
### Prerequisites
## jq curl
###
### Variables
LAPI="http://127.0.0.1:8080"  ## Local API the script polls for decisions
ORIGINS="crowdsec,cscli" ## Comma-separated list of decision origins to react to ## Don't include CAPI: CAPI decisions are flushed every 2 hours, which would make your lights go wild
API_KEY=""  ## Bouncer API key registered with the LAPI
LaurenceJJones / go_setup.sh
Last active May 14, 2024 09:51
Script to automatically download a Go version
#!/bin/bash
VERSION=${VERSION:-1.22.3}
# Detect the OS (linux/darwin) and normalise the CPU architecture to Go's naming
OS=$(uname -s | tr '[:upper:]' '[:lower:]')
ARCH=$(uname -m | tr '[:upper:]' '[:lower:]')
# x86_64 -> amd64
if [ "$ARCH" = "x86_64" ]; then
ARCH="amd64"
fi
# aarch64 -> arm64
if [ "$ARCH" = "aarch64" ]; then
ARCH="arm64"
fi
LaurenceJJones / init-script.sh
Last active February 29, 2024 10:50
CrowdSec init script
#!/bin/bash
##########
## Maintained by Laurence from CrowdSec
## Discord: https://discord.gg/crowdsec
## Website: https://www.crowdsec.net/
## Docs: https://docs.crowdsec.net/
##########
# Linode users can use the UI to change these variables
# DigitalOcean users: uncomment and change these variables
LaurenceJJones / chrome-ua-lt-100.yaml
Created April 11, 2023 22:12
CrowdSec scenario: detect Chrome user-agents below version 100
type: leaky
format: 2.0
#debug: true
name: example/chrome-under-100
description: "Detect Chrome user-agents below version 100"
filter: 'evt.Meta.log_type in ["http_access-log", "http_error-log"] && evt.Parsed.http_user_agent matches "Chrome\\/[0-9][0-9]?\\."'
capacity: 1
leakspeed: 1m
groupby: "evt.Meta.source_ip"
blackhole: 2m
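To see what that filter and bucket actually do, here is an added example in Go, written for this page and not taken from the gist or from CrowdSec. It compiles the same pattern with Go's regexp package (the engine behind the expr `matches` operator CrowdSec evaluates), runs it over a handful of constructed events, and pushes the matches through a per-source_ip leaky bucket with this scenario's capacity, leakspeed and blackhole. The bucket model (one token per matching event, one token drained per leakspeed, overflow when the level exceeds capacity, key ignored for the blackhole period) is an assumption made for illustration and is not CrowdSec's implementation; the user-agents and IP addresses are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// Same pattern as the scenario's `matches "Chrome\\/[0-9][0-9]?\\."`, compiled
// with Go's regexp (RE2). After expr unescapes the YAML string the engine sees
// Chrome\/[0-9][0-9]?\. ; the "/" needs no escaping in a Go raw string.
var chromeUnder100 = regexp.MustCompile(`Chrome/[0-9][0-9]?\.`)

// event is a constructed stand-in for the CrowdSec fields the filter reads.
type event struct {
	ts        time.Time // used only by the bucket simulation
	sourceIP  string    // evt.Meta.source_ip
	logType   string    // evt.Meta.log_type
	userAgent string    // evt.Parsed.http_user_agent
}

// Matches reproduces the scenario's filter expression.
func Matches(e event) bool {
	if e.logType != "http_access-log" && e.logType != "http_error-log" {
		return false
	}
	return chromeUnder100.MatchString(e.userAgent)
}

// Scenario parameters copied from the YAML above.
const (
	capacity  = 1               // capacity: 1
	leakspeed = time.Minute     // leakspeed: 1m
	blackhole = 2 * time.Minute // blackhole: 2m
)

// bucket is a simplified leaky bucket (an assumption for illustration, not
// CrowdSec's implementation): the level rises by one per matching event and
// drains by one per leakspeed.
type bucket struct {
	level      float64
	last       time.Time
	blackholed time.Time // zero unless the key is currently blackholed
}

// Simulate feeds time-ordered events through one bucket per source_ip and
// returns the source IPs whose bucket overflowed, in overflow order.
func Simulate(events []event) []string {
	buckets := map[string]*bucket{}
	var overflowed []string
	for _, e := range events {
		if !Matches(e) {
			continue
		}
		b, ok := buckets[e.sourceIP]
		if !ok {
			b = &bucket{last: e.ts}
			buckets[e.sourceIP] = b
		}
		if !b.blackholed.IsZero() {
			if e.ts.Before(b.blackholed) {
				continue // blackhole: this key is ignored for 2m after an overflow
			}
			b.blackholed = time.Time{}
		}
		// drain what leaked since the previous event, then add this one
		b.level -= float64(e.ts.Sub(b.last)) / float64(leakspeed)
		if b.level < 0 {
			b.level = 0
		}
		b.last = e.ts
		b.level++
		if b.level > capacity {
			overflowed = append(overflowed, e.sourceIP)
			b.blackholed = e.ts.Add(blackhole)
			b.level = 0
		}
	}
	return overflowed
}

// SampleEvents is constructed traffic (TEST-NET-3 addresses), in time order.
func SampleEvents() []event {
	t0 := time.Date(2023, 4, 11, 22, 0, 0, 0, time.UTC)
	at := func(sec int) time.Time { return t0.Add(time.Duration(sec) * time.Second) }
	ua := func(v string) string {
		return "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) " + v + " Safari/537.36"
	}
	return []event{
		{at(0), "203.0.113.10", "http_access-log", ua("Chrome/99.0.4844.51")},
		{at(5), "203.0.113.20", "http_access-log", ua("Chrome/100.0.4896.60")},       // not below 100
		{at(6), "203.0.113.20", "http_access-log", ua("Chrome/9.0.597.19")},          // single-digit major
		{at(7), "203.0.113.30", "syslog", ua("Chrome/99.0.4844.51")},                 // wrong log_type
		{at(8), "203.0.113.40", "http_error-log", ua("HeadlessChrome/99.0.4844.51")}, // unanchored match
		{at(9), "203.0.113.40", "http_error-log", ua("HeadlessChrome/99.0.4844.51")},
		{at(10), "203.0.113.10", "http_access-log", ua("Chrome/98.0.4758.102")},
		{at(30), "203.0.113.10", "http_access-log", ua("Chrome/97.0.4692.71")}, // inside the blackhole
		{at(200), "203.0.113.20", "http_access-log", ua("Chrome/9.0.597.19")}, // bucket drained by now
	}
}

func main() {
	for _, ip := range Simulate(SampleEvents()) {
		fmt.Printf("%s: bucket overflowed, a decision would be taken\n", ip)
	}
}
```

Two things worth noticing: the pattern is unanchored, so `HeadlessChrome/99.` trips it exactly like `Chrome/99.`, and `Chrome/100.` does not match because the pattern requires a dot right after at most two digits. The user-agent is entirely client-supplied, so this scenario catches unpatched or carelessly spoofed clients, not a deliberate attacker.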
LaurenceJJones / collection.txt
Last active March 28, 2023 19:40
All collections currently
Dominic-Wagner/vaultwarden `
LePresidente/adguardhome `
LePresidente/authelia `
LePresidente/emby `
LePresidente/gitea `
LePresidente/jellyfin `
LePresidente/jellyseerr `
LePresidente/ombi `
LePresidente/redmine `
a1ad/meshcentral `
LaurenceJJones / crowdsec_tar.sh
Created March 16, 2023 11:46
Install from the CrowdSec GitHub release tarball
#!/bin/bash
CROWDSEC_GITHUB_RELEASE="github.com/crowdsecurity/crowdsec/releases/download"
CROWDSEC_VERSION="1.4.6"
CROWDSEC_FILE="crowdsec-release-static.tgz"
OLD_DIR=$(pwd)
TMP_DIR=$(mktemp -d)
# download URL DIR: fetch URL into DIR, keeping the remote file name
download() {
    if command -v curl >/dev/null; then
        # an `exit` inside a ( ... ) subshell only leaves the subshell, so a
        # failed cd would not abort the script; a { ...; } group does
        cd "$2" || { echo "Could not cd to $2" >&2; exit 1; }
        # older versions of curl don't support --output-dir, hence the cd above
        curl -fsSLO "$1"
        cd "$OLD_DIR" || exit 1
    fi
}
LaurenceJJones / 00-cri-syslogs.yaml
Created March 15, 2023 12:50
A CRI-log stage-00 (s00) parser for syslog events
filter: "evt.Line.Labels.type == 'containerd' && evt.Line.Labels.program == 'syslog'"
name: crowdsecurity/cri-syslogs
description: CRI logging format parser for syslogs
#debug: true
pattern_syntax:
# <PRI>VERSION prefix of an RFC 5424-style syslog line, followed by the usual syslog base, program and pid
RAW_SYSLOG_PREFIX: '^<%{NUMBER:stuff1}>%{NUMBER:stuff2} %{SYSLOGBASE2} %{DATA:program} %{NUMBER:pid}'
# structured-data element carrying the message sequence id
RAW_SYSLOG_META: '\[meta sequenceId="%{NOTDQUOTE:seq_id}"\]'
nodes:
- grok:
pattern: "^%{TIMESTAMP_ISO8601:cri_timestamp} %{WORD:stream} %{WORD:logtag} %{GREEDYDATA:message}"
LaurenceJJones / apache2-logs.yaml
Last active January 2, 2023 15:49
Nextcloud Apache2 parser
#Apache access/errors logs
#debug: true
filter: "evt.Parsed.program startsWith 'apache2'"
onsuccess: next_stage
name: crowdsecurity/apache2-logs
description: "Parse Apache2 access and error logs"
# log line can be prefixed by a target_fqdn; NC_APACHE2 also captures the X-Forwarded-For value Nextcloud logs after the client IP
pattern_syntax:
NC_APACHE2: '%{IPORHOST:clientip} %{DATA:forwardedip} %{HTTPDUSER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-)'
nodes: