Andrew Kroh andrewkroh

@andrewkroh
andrewkroh / msobjs.c
Created Jul 23, 2019
Extract the msobjs.dll message table
#include <windows.h>
#include <stdio.h>
// Print every entry of one MESSAGE_RESOURCE_BLOCK; entries are variable length, so the next one is at entry + entry->Length.
int ProcessBlock(MESSAGE_RESOURCE_DATA* data, MESSAGE_RESOURCE_BLOCK* block)
{
    MESSAGE_RESOURCE_ENTRY* entry = (MESSAGE_RESOURCE_ENTRY*) ((unsigned char*)data + block->OffsetToEntries);
    int count = 0;
    for (DWORD id = block->LowId; id <= block->HighId; id++)
    {
        if (entry->Flags & MESSAGE_RESOURCE_UNICODE) // 0x0001: Text is UTF-16
            printf("%lu, %ls\n", id, (wchar_t*)entry->Text);
        else                                          // otherwise Text is ANSI
            printf("%lu, %s\n", id, (char*)entry->Text);
        entry = (MESSAGE_RESOURCE_ENTRY*) ((unsigned char*)entry + entry->Length);
        count++;
    }
    return count;
}
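The same walk done portably, as an added example that is not part of the gist: a Python parser for the raw MESSAGE_RESOURCE_DATA blob (the body of an RT_MESSAGETABLE resource, which you can pull out of a DLL with pefile's resource walk on any platform or with FindResource/LoadResource on Windows). msobjs.dll's table is where the Security event log gets the strings behind `%%nnnn` placeholders such as object types and access rights, so having it as an id-to-text map is useful when enriching events off-box. The parser honours the MESSAGE_RESOURCE_UNICODE flag and refuses entries whose Length would walk past the buffer, which a hand-written C loop over untrusted input will happily do. The sample blob is constructed inline by a small serializer so the example runs offline; its ids and strings are made up, not the real contents of msobjs.dll, and the ANSI code page (cp1252) is an assumption.

```python
import struct
from typing import Dict, List, Tuple

MESSAGE_RESOURCE_UNICODE = 0x0001  # MESSAGE_RESOURCE_ENTRY.Flags bit: Text is UTF-16LE


def parse_message_table(data: bytes) -> Dict[int, str]:
    """Parse a MESSAGE_RESOURCE_DATA blob (the raw bytes of an RT_MESSAGETABLE
    resource) into {message_id: text}.

    Layout (winnt.h): DWORD NumberOfBlocks, then NumberOfBlocks x
    MESSAGE_RESOURCE_BLOCK {DWORD LowId, HighId, OffsetToEntries}; each block's
    entries are contiguous MESSAGE_RESOURCE_ENTRY {WORD Length, WORD Flags,
    BYTE Text[]} records, so the next entry sits at entry + Length.
    """
    (num_blocks,) = struct.unpack_from("<I", data, 0)
    messages: Dict[int, str] = {}
    for i in range(num_blocks):
        low_id, high_id, pos = struct.unpack_from("<III", data, 4 + 12 * i)
        for msg_id in range(low_id, high_id + 1):
            if pos + 4 > len(data):
                raise ValueError(f"entry header for id {msg_id:#x} at {pos} is outside the blob")
            length, flags = struct.unpack_from("<HH", data, pos)
            # A corrupt Length would walk out of the buffer (or spin forever on 0).
            if length < 4 or pos + length > len(data):
                raise ValueError(f"entry for id {msg_id:#x} at {pos} has bad Length {length}")
            raw = data[pos + 4 : pos + length]
            if flags & MESSAGE_RESOURCE_UNICODE:
                text = raw.decode("utf-16-le", errors="replace")
            else:
                text = raw.decode("cp1252", errors="replace")  # ANSI; code page is an assumption
            messages[msg_id] = text.rstrip("\x00")  # drop terminator and alignment padding
            pos += length
    return messages


def build_message_table(blocks: List[Tuple[int, List[Tuple[int, str]]]]) -> bytes:
    """Serialise [(low_id, [(flags, text), ...]), ...] into a MESSAGE_RESOURCE_DATA
    blob. Only used here to construct offline sample input."""
    header_size = 4 + 12 * len(blocks)
    headers, body = [], b""
    for low_id, entries in blocks:
        headers.append((low_id, low_id + len(entries) - 1, header_size + len(body)))
        for flags, text in entries:
            codec = "utf-16-le" if flags & MESSAGE_RESOURCE_UNICODE else "cp1252"
            raw = (text + "\x00").encode(codec)
            raw += b"\x00" * (-(4 + len(raw)) % 4)  # pad each entry to a 4-byte boundary
            body += struct.pack("<HH", 4 + len(raw), flags) + raw
    out = struct.pack("<I", len(blocks))
    for low_id, high_id, offset in headers:
        out += struct.pack("<III", low_id, high_id, offset)
    return out + body


# Constructed sample: the ids and strings are made up, not msobjs.dll's real contents.
SAMPLE_TABLE = build_message_table([
    (1536, [(MESSAGE_RESOURCE_UNICODE, "Delete"),
            (MESSAGE_RESOURCE_UNICODE, "Read control")]),
    (8192, [(0, "Read attributes")]),  # one ANSI entry
])

if __name__ == "__main__":
    for msg_id, text in sorted(parse_message_table(SAMPLE_TABLE).items()):
        print(f"{msg_id}, {text}")
```

To run it against a real DLL, feed `parse_message_table` the bytes of the first RT_MESSAGETABLE (type 11) resource; ids above 0xFFFF are common in system DLLs, which is why the walk keys on the block's LowId/HighId rather than assuming small numbers.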
andrewkroh / filebeat-cisco-ios.js
Created Feb 26, 2019
JavaScript Processor Example
var processor = require("processor");

var filebeatCisco = (function() {
    // Split the "%FACILITY-SEVERITY-MNEMONIC: text" header out of the raw line.
    // The leading %{} skips the sequence number / timestamp up to the first '%';
    // an empty target_prefix writes the fields at the event root instead of under "dissect".
    var parseCiscoHeader = new processor.Dissect({
        "tokenizer": "%{}%%{cisco.log.facility}-%{cisco.log.severity}-%{event.code}: %{message}",
        "field": "log.original",
        "target_prefix": "",
    }).Run;

    var coerceDataTypes = new processor.Transform([
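To see what that dissect tokenizer actually pulls out of a line, here is the same split done in Python over a few constructed Cisco IOS syslog lines, as an added example that is not the gist's code. It mirrors the tokenizer (skip everything up to the first `%`, then split FACILITY-SEVERITY-MNEMONIC: message), keeps lines that do not match instead of silently dropping them, and then runs a small detection over the parsed events: failed logins counted per source address. The field names match the tokenizer's; `log.level`, `event.severity`, the `[Source: ...]` extraction and the sample lines are my additions, and coercing the severity to an integer is my guess at what the truncated `coerceDataTypes` step is for.

```python
import re
from collections import Counter
from typing import Any, Dict, List, Optional, Tuple

# Mirrors the dissect tokenizer
#   "%{}%%{cisco.log.facility}-%{cisco.log.severity}-%{event.code}: %{message}"
# %{} skips the sequence number / timestamp prefix up to the first '%', then the
# %FACILITY-SEVERITY-MNEMONIC: header is split on '-' and ': '.
CISCO_IOS_RE = re.compile(
    r"^(?P<prefix>[^%]*)%(?P<facility>[^-]+)-(?P<severity>[0-7])-(?P<code>[^:\s]+):\s*(?P<message>.*)$"
)

# Cisco IOS severities are the syslog levels 0-7; this name mapping is mine.
SEVERITY_NAMES = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
                  4: "warning", 5: "notification", 6: "informational", 7: "debug"}

# Pulls the source address out of a SEC_LOGIN message body.
SOURCE_RE = re.compile(r"\[Source: ([^\]]+)\]")

# Constructed sample lines (not captured from a real device).
SAMPLE_LINES = [
    "000123: *Feb 26 15:04:05.123: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] "
    "[Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed] at 15:04:05 UTC Tue Feb 26 2019",
    "000124: *Feb 26 15:04:09.500: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] "
    "[Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed] at 15:04:09 UTC Tue Feb 26 2019",
    "000125: *Feb 26 15:04:30.001: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.9)",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "Feb 26 15:05:00 router1 keepalive line without a cisco header",
]


def parse_cisco_ios(line: str) -> Optional[Dict[str, Any]]:
    """Return a flat ECS-style event dict for one line, or None when the line has
    no %FACILITY-SEVERITY-MNEMONIC header."""
    m = CISCO_IOS_RE.match(line)
    if m is None:
        return None
    severity = int(m.group("severity"))  # coerce "4" -> 4 so range queries work
    return {
        "log.original": line,
        "cisco.log.facility": m.group("facility"),
        "cisco.log.severity": severity,
        "event.code": m.group("code"),
        "event.severity": severity,
        "log.level": SEVERITY_NAMES[severity],
        "message": m.group("message"),
    }


def parse_all(lines: List[str]) -> Tuple[List[Dict[str, Any]], List[str]]:
    """Parse every line; unmatched lines are returned separately rather than lost."""
    events: List[Dict[str, Any]] = []
    unparsed: List[str] = []
    for line in lines:
        evt = parse_cisco_ios(line)
        if evt is None:
            unparsed.append(line)
        else:
            events.append(evt)
    return events, unparsed


def failed_logins_by_source(events: List[Dict[str, Any]]) -> Dict[str, int]:
    """Detection over parsed events: SEC_LOGIN-4-LOGIN_FAILED messages per source IP."""
    counts: Counter = Counter()
    for evt in events:
        if evt["cisco.log.facility"] == "SEC_LOGIN" and evt["event.code"] == "LOGIN_FAILED":
            m = SOURCE_RE.search(evt["message"])
            counts[m.group(1) if m else "unknown"] += 1
    return dict(counts)


if __name__ == "__main__":
    parsed, leftovers = parse_all(SAMPLE_LINES)
    for evt in parsed:
        print(evt["cisco.log.facility"], evt["cisco.log.severity"], evt["event.code"])
    print("unparsed:", leftovers)
    print("failed logins by source:", failed_logins_by_source(parsed))
```

Keeping the severity as an integer rather than the string the tokenizer yields is what makes `cisco.log.severity <= 3` style queries and the Watcher-style thresholds on this page behave; a string field would compare lexically.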
andrewkroh / geoip-asn-pipeline.json
Created Feb 21, 2019
Ingest Node GeoIP and ASN
{
  "description": "Add Geo and ASN to event",
  "processors": [
    {
      "geoip": {
        "if": "ctx.source?.geo == null",
        "field": "source.ip",
        "target_field": "source.geo",
        "ignore_missing": true
      }
andrewkroh / event1.json
Last active Oct 2, 2020
Winlogbeat - Sysmon Processing for ECS (Elastic Common Schema)
{
  "@timestamp": "2019-01-29T19:10:47.538Z",
  "beat": {
    "hostname": "DESKTOP",
    "name": "DESKTOP",
    "version": "6.3.2"
  },
  "event": {
    "kind": "event"
  },
andrewkroh / winlogbeat_testing.md
Last active Jan 25, 2019
Winlogbeat Development

Winlogbeat Development

Start a Windows VM

vagrant up win2012

Login Options

You can connect to the VM in multiple ways.

andrewkroh / elastic-beat-development-101.md
Last active Jan 14, 2022
Elastic Beat Development 101

Elastic Beats Development 101

This is a short guide to getting set up and building Elastic Beats on a new Linux host.

Start a VM

This uses Google Compute Engine (GCE) to start an Ubuntu 20.04 virtual machine. You can use other versions of Linux or different virtualization platforms (or no virtualization), but those are not guaranteed to work with the commands here.

 gcloud auth login
andrewkroh / packetbeat-tls-event.json
Created Aug 1, 2018
Packetbeat TLS Event Example
{
  "@metadata": {
    "beat": "packetbeat",
    "type": "doc",
    "version": "7.0.0-alpha1"
  },
  "@timestamp": "2018-08-01T18:10:48.311Z",
  "beat": {
    "hostname": "macbook",
    "name": "macbook",
andrewkroh / packetbeat-dhcpv4-nak-decline.json
Last active Jul 26, 2018
New DHCP Client Detected on Network - Elasticsearch Alerting Watch
POST _xpack/watcher/watch/packetbeat-dhcpv4-nak-decline
{
  "metadata": {
    "window_period": "1m",
    "index_pattern": "packetbeat-*"
  },
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
andrewkroh / Slack Notification
Last active Jul 8, 2018
Heartbeat ICMP Alerting with Elastic X-Pack Watcher
https://twitter.com/Krohbird/status/849749788920877056
andrewkroh / auditbeat-seccom-x86_64.yml
Last active Apr 23, 2018
Elastic Beat Seccomp Profiles
seccomp:
  default_action: errno
  syscalls:
  - names:
    - accept
    - accept4
    - arch_prctl
    - bind
    - brk
    - clone