@crisroura
crisroura / gist:eb75fd5970d583bd8239
Created March 11, 2015 11:02
Bulk parsing of IE10 history files (WebCacheV*.dat) with BrowsingHistoryView
Typed at a cmd.exe prompt: %~ni expands to the input file name without its extension, so each WebCacheV*.dat gets its own CSV (inside a .bat file write %%i and %%~ni instead).
for %i in (D:\webcache_files\*) do BrowsingHistoryView.exe /HistorySource 6 /CustomFiles.IE10Files "%i" /scomma %~ni.csv
@crisroura
crisroura / splunk_xml_evtx
Created June 12, 2014 11:11
How to index Windows EventLogs with Splunk
1. Convert the .evtx files to XML with evtxdump.py (https://github.com/williballenthin/python-evtx), which prints one <Event> element per record to stdout; redirect that output to a file for Splunk to index.
2. Create custom Splunk sourcetype "winevtx":
Edit $SPLUNK_HOME/etc/system/local/props.conf
[winevtx]
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = ^\<Event xmlns=
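As an added example (not part of the gist), the Python below replays that stanza's line-breaking rule on a hand-constructed sample in the shape evtxdump.py prints, and shows what each resulting Splunk event parses into. Because SHOULD_LINEMERGE = true with BREAK_ONLY_BEFORE starts a new event only at a line matching ^\<Event xmlns=, the XML preamble before the first record becomes its own event and the closing </Events> tag is merged into the last record; the parser handles both cases.

```python
# Added example (not part of the gist): replay the line-breaking rule from the
# props.conf stanza above (SHOULD_LINEMERGE = true, BREAK_ONLY_BEFORE =
# ^\<Event xmlns=) on evtxdump.py-style XML and pull fields from each event.
# SAMPLE is hand-constructed in the shape evtxdump.py prints.
import re
import xml.etree.ElementTree as ET
from typing import Optional

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Splunk's "^\<Event xmlns=" with the escaped "<" written plainly for Python.
BREAK_ONLY_BEFORE = re.compile(r"^<Event xmlns=", re.MULTILINE)

SAMPLE = """<?xml version="1.0" encoding="utf-8" standalone="yes" ?>
<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing"></Provider>
<EventID Qualifiers="">4624</EventID>
<TimeCreated SystemTime="2014-06-12 09:11:02.123456"></TimeCreated>
<Computer>WKSTN01.corp.example</Computer>
</System>
<EventData>
<Data Name="TargetUserName">alice</Data>
<Data Name="LogonType">2</Data>
</EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing"></Provider>
<EventID Qualifiers="">4688</EventID>
<TimeCreated SystemTime="2014-06-12 09:11:05.654321"></TimeCreated>
<Computer>WKSTN01.corp.example</Computer>
</System>
<EventData>
<Data Name="NewProcessName">C:\\Windows\\System32\\cmd.exe</Data>
</EventData>
</Event>
</Events>
"""


def split_events(stream: str) -> list:
    """Split like Splunk with SHOULD_LINEMERGE=true: lines are merged into one
    event until a line matches BREAK_ONLY_BEFORE, which starts the next event.
    Lines before the first match form their own event (here the XML preamble),
    and the closing </Events> is merged into the last record."""
    starts = [m.start() for m in BREAK_ONLY_BEFORE.finditer(stream)]
    bounds = [0] + starts + [len(stream)]
    chunks = [stream[a:b].strip() for a, b in zip(bounds, bounds[1:])]
    return [c for c in chunks if c]


def parse_event(chunk: str) -> Optional[dict]:
    """Fields from one event; None for the preamble chunk. Strips the
    </Events> trailer that line merging glues onto the last record."""
    if not chunk.startswith("<Event "):
        return None
    if chunk.endswith("</Events>"):
        chunk = chunk[: -len("</Events>")].rstrip()
    root = ET.fromstring(chunk)
    system = root.find("e:System", NS)
    fields = {
        "EventID": int(system.findtext("e:EventID", namespaces=NS)),
        "Computer": system.findtext("e:Computer", namespaces=NS),
        "TimeCreated": system.find("e:TimeCreated", NS).get("SystemTime"),
    }
    for data in root.iterfind("e:EventData/e:Data", NS):
        fields[data.get("Name")] = data.text
    return fields


def index_stream(stream: str) -> list:
    """Every record in the stream as a field dict, preamble dropped."""
    return [ev for ev in map(parse_event, split_events(stream)) if ev]


if __name__ == "__main__":
    for ev in index_stream(SAMPLE):
        print(ev)
```

The sample produces three Splunk events: the preamble, the 4624 logon and the 4688 process creation with </Events> attached. Any parse or field extraction run on the indexed data has to tolerate the first and the last of these, which is what parse_event does.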
@crisroura
crisroura / gist:10473454
Created April 11, 2014 14:29
Live detection of client heartbleed attack with tcpdump
Slight modification of the tcpdump filter expression included in the heartbleed.py script by Riverbed [1][2], to detect client-side Heartbleed attacks live on the wire.
The original filter was changed to match traffic to a specific client host from any port, and the length check was changed to 68. The expression reads the first three bytes of the TCP payload (TLS record type 0x18 = heartbeat, version 0x03 0x00-0x03) and requires more than 68 bytes of TCP payload, so it only catches a heartbeat record that starts at the beginning of a TCP segment, and the ip[] offsets make it IPv4-only. For more information about this tcpdump filter take a look at the Riverbed blog post [2].
Detection tested with https://reverseheartbleed.com
tcpdump -i <INTERFACE> "((not ether proto 0x8100) and (tcp and dst host <HOST_IP> and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4] = 0x18) and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4 + 1] = 0x03) and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4 + 2] < 0x04) and ((ip[2:2] - 4 * (ip[0] & 0x0F) - 4 * ((tcp[12] & 0xF0) >> 4) > 68)))) or (vlan and (tcp and dst host <HOST_IP> and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4] = 0x18) and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4 + 1] = 0x03) and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4 + 2] < 0x04) and ((ip[2:2] - 4 * (ip[0] & 0x0F) - 4 * ((tcp[12] & 0xF0) >> 4) > 68))))"
Example to detect client heartbleed att
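As an added example (not part of the gist or of Riverbed's script), the Python below performs the same byte and length tests as the tcpdump filter on a raw IPv4 packet, and then decodes the heartbeat record the filter flags so that the declared payload_length can be compared with the bytes actually present, which is the mismatch Heartbleed exploits. The dst host and VLAN predicates are omitted, and the two packets are constructed by hand.

```python
# Added example (not part of the gist): the same checks as the tcpdump filter
# above, done in Python on a raw IPv4 packet, plus a decoder for the heartbeat
# record that the filter flags. Packets below are constructed by hand.
import struct

TLS_HEARTBEAT = 0x18      # TLS record content type "heartbeat" (RFC 6520)
MIN_TCP_PAYLOAD = 68      # threshold from the filter: TCP payload > 68 bytes


def tcp_payload(ipv4_packet: bytes) -> bytes:
    """TCP payload of a raw IPv4 packet (no Ethernet/VLAN header), using the
    same fields the BPF filter does: ip[0] & 0x0F is the IP header length in
    32-bit words, ip[2:2] the IP total length, tcp[12] >> 4 the TCP data offset."""
    ihl = (ipv4_packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ipv4_packet[2:4])[0]
    tcp = ipv4_packet[ihl:total_len]
    data_off = ((tcp[12] & 0xF0) >> 4) * 4
    return tcp[data_off:]


def matches_filter(ipv4_packet: bytes) -> bool:
    """True when the packet satisfies the filter's payload tests: first byte
    0x18, version bytes 0x03 0x0[0-3], and more than 68 bytes of TCP payload.
    The dst host and VLAN predicates of the tcpdump expression are left out."""
    p = tcp_payload(ipv4_packet)
    return (len(p) > MIN_TCP_PAYLOAD
            and p[0] == TLS_HEARTBEAT
            and p[1] == 0x03
            and p[2] < 0x04)


def decode_heartbeat(tls_record: bytes) -> dict:
    """Decode a heartbeat TLS record: 5-byte record header, then type (1 =
    request, 2 = response), 2-byte payload_length, payload and padding.
    A payload_length larger than the bytes actually present is the condition
    Heartbleed exploits."""
    rec_type, major, minor, rec_len = struct.unpack("!BBBH", tls_record[:5])
    hb_type, declared = struct.unpack("!BH", tls_record[5:8])
    present = rec_len - 3                 # bytes after the 3-byte heartbeat header
    return {
        "record_type": rec_type,
        "version": (major, minor),
        "record_length": rec_len,
        "heartbeat_type": hb_type,
        "declared_payload_length": declared,
        "payload_and_padding_present": present,
        "length_mismatch": declared > present,
    }


def heartbeat_record(hb_type, declared_len, payload, padding, version=(3, 1)):
    """Build a heartbeat TLS record; declared_len need not match len(payload)."""
    body = struct.pack("!BH", hb_type, declared_len) + payload + padding
    return struct.pack("!BBBH", TLS_HEARTBEAT, *version, len(body)) + body


def build_packet(tls_record: bytes, sport=443, dport=50000) -> bytes:
    """Wrap a TLS record in minimal IPv4 + TCP headers (checksums zero); this is
    constructed test data, not a real capture."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total = 20 + len(tcp_hdr) + len(tls_record)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0x4000, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([192, 168, 1, 10]))
    return ip_hdr + tcp_hdr + tls_record


# Well-formed request: 1-byte payload, 16 bytes padding -> 25-byte record.
BENIGN = heartbeat_record(1, 1, b"A", b"\x00" * 16)
# Request declaring 65535 payload bytes while carrying 50 -> 74-byte record.
MALFORMED = heartbeat_record(1, 0xFFFF, b"B" * 50, b"\x00" * 16)

if __name__ == "__main__":
    for name, rec in (("benign", BENIGN), ("malformed", MALFORMED)):
        print(name, "filter match:", matches_filter(build_packet(rec)))
        print(name, decode_heartbeat(rec))
```

Note that the filter itself never reads the heartbeat payload_length field; it only keys on the record type, version and the size of the TCP payload, so a heartbeat record carrying 68 or fewer bytes does not match whatever it declares. The decoder is what exposes the declared-versus-present mismatch once a packet has been captured.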