Bradford Dabbs bndabbs

## jqplay-compose.yml
# Clone https://github.com/owenthereal/jqplay and then save this compose file into the cloned directory

version: "3.0"

services:
  jqplay:
    build: .
    restart: always
    environment:
      DATABASE_URL: "postgresql://postgres@db:5432"

## trust-letsencrypt.sh
curl https://letsencrypt.org/certs/isrgrootx1.pem.txt -o isgrootx1.pem
sudo cp isgrootx1.pem /etc/pki/ca-trust/source/anchors/
curl https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt -o lets-encrypt-x3-cross-signed.pem
sudo cp lets-encrypt-x3-cross-signed.pem /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust

## pfsense-logstash.conf
filter {
    grok {
      match => [
        "message", "<%{INT:syslog_pri}>%{SYSLOGTIMESTAMP:timestamp} %{PROG:program}: %{GREEDYDATA:message}"
      ]
      overwrite => [ "message" ]
      add_tag => [ "pfsense" ]
    }

    syslog_pri {}

## pcap-ng_to_libpcap.md

      
              2 files
            
          
              0 forks
            
          
              0 comments
            
          
              1 star
            
          
                bndabbs
                / pcap-ng_to_libpcap.md
            
            
              Last active
              March 7, 2019 00:34
            
              
                pcap-ng to libpcap
              
          
    I recently ran into an issue while replaying some network traffic that was captured as pcap-ng and I wanted to share what I had to do to get things working.
The issue is that the packet capture contained traffic from two NICs, which is supported by pcap-ng, but not pcap. The commands here filter by interface and then convert the individual interface captures into regular pcap.

  
## Cisco
#ASA-1-113039
%{CISCO_TAGGED_SYSLOG} Group <%{DATA:group.name}> User <%{USER:user.name}> IP <%{IP:source.ip}> %{GREEDYDATA:cisco_message}

## bro-diag.json
{
  "order": 10,
  "index_patterns": [
    "bro-diag-*"
  ],
  "mappings": {
    "_doc": {
      "properties": {
          "acks": {
            "type": "long"

## create_users.ps1
Import-Module ActiveDirectory

$password = (Read-Host  -AsSecureString "AccountPassword")
$users = import-csv ".\users.csv"

foreach ($user in $users){
    New-ADUser `
    -SamAccountName ($user.GivenName + "." + $user.Surname).ToLower() `
    -UserPrincipalName (($user.GivenName + "." + $user.Surname).ToLower() + "@" + $env:USERDNSDOMAIN) `
    -DisplayName ($user.GivenName + " " + $user.Surname) `

## logstash6-bro.conf
input {
  kafka {
    topics => ["bro-raw"]
    add_field => { "[@metadata][stage]" => "broraw_kafka" }
    # Set this to one per kafka partition to scale up
    #consumer_threads => 4
    group_id => "bro_logstash"
    bootstrap_servers =>
    codec => json
    auto_offset_reset => "earliest"

## Ansible Primer.md

      
              4 files
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                bndabbs
                / Ansible Primer.md
            
            
              Last active
              October 9, 2017 18:41
            
              
                Ansible Tips
              
          
    If all of these files are in the same directory, you can run the following steps to deploy
Download the roles
ansible-galaxy install -r requirements.yml

Run the deploy playbook
ansible-playbook deploy.yml


## equipment.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                bndabbs
                / equipment.md
            
            
              Last active
              August 4, 2017 13:33
            
              
                ROCK Hardware
              
          
    Compute


Dell precision T7400
2x Xeon E5430 Quad Core
64GB RAM (Upgradeable to 128GB)
2x 500GB 7200RPM SATA
1x 1TB 7200RPM SATA
Intel Gigabit VT Quad Port Server Adapter

https://kansascity.craigslist.org/sys/d/dell-t7400-precision/6238490010.html
	# Clone https://github.com/owenthereal/jqplay and then save this compose file into the cloned directory

	version: "3.0"

	services:
	jqplay:
	build: .
	restart: always
	environment:
	DATABASE_URL: "postgresql://postgres@db:5432"
	curl https://letsencrypt.org/certs/isrgrootx1.pem.txt -o isgrootx1.pem
	sudo cp isgrootx1.pem /etc/pki/ca-trust/source/anchors/
	curl https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt -o lets-encrypt-x3-cross-signed.pem
	sudo cp lets-encrypt-x3-cross-signed.pem /etc/pki/ca-trust/source/anchors/
	sudo update-ca-trust
	filter {
	grok {
	match => [
	"message", "<%{INT:syslog_pri}>%{SYSLOGTIMESTAMP:timestamp} %{PROG:program}: %{GREEDYDATA:message}"
	]
	overwrite => [ "message" ]
	add_tag => [ "pfsense" ]
	}

	syslog_pri {}
	#ASA-1-113039
	%{CISCO_TAGGED_SYSLOG} Group <%{DATA:group.name}> User <%{USER:user.name}> IP <%{IP:source.ip}> %{GREEDYDATA:cisco_message}
	{
	"order": 10,
	"index_patterns": [
	"bro-diag-*"
	],
	"mappings": {
	"_doc": {
	"properties": {
	"acks": {
	"type": "long"
	Import-Module ActiveDirectory

	$password = (Read-Host -AsSecureString "AccountPassword")
	$users = import-csv ".\users.csv"

	foreach ($user in $users){
	New-ADUser `
	-SamAccountName ($user.GivenName + "." + $user.Surname).ToLower() `
	-UserPrincipalName (($user.GivenName + "." + $user.Surname).ToLower() + "@" + $env:USERDNSDOMAIN) `
	-DisplayName ($user.GivenName + " " + $user.Surname) `
	input {
	kafka {
	topics => ["bro-raw"]
	add_field => { "[@metadata][stage]" => "broraw_kafka" }
	# Set this to one per kafka partition to scale up
	#consumer_threads => 4
	group_id => "bro_logstash"
	bootstrap_servers =>
	codec => json
	auto_offset_reset => "earliest"