input {
  file { path => ["/var/opt/bro/logs/current/*.log"] type => "bro" }
}
filter {
  if [type] == "bro" {
    bro { }
  }
}

# Notice tail
stdbuf -o0 tail -n+1 -F notice.log \
  | stdbuf -o0 bro-cut -d ts note msg \
  | awk -F'\t' '{ print "================\n" $1, $2"\n", $3 }'
# HTTP Tail
stdbuf -o0 tail -n+1 -F http.log \
  | stdbuf -o0 bro-cut id.orig_h uri user_agent \
  | awk -F'\t' '{ print "=================\n" $1, $2"\n", $3 }'

# This logstash config was created for the Logstash 1.5 beta, but I think should work on 1.4.x
# Rename it to .conf, I think. I put .rb for formatting in Gist
input {
  file {
    path => '/nsm/bro/logs/current/*.log'
    codec => "json"
    start_position => "beginning"
    type => "bro"
    # The @metadata field is for logstash internal tracking only
  }
}

# Find all commits since last Sunday in every git repo under the current directory
# (uses BSD/macOS date syntax for the --since date)
find . -name .git -print -exec git --git-dir={} log --branches \
  --pretty=format:"%ci|%D|%s%n" --since="$(date -v-1w -v-sun +%F)" \
  2>/dev/null \; | grep -B1 -E "^[0-9]{4}" | grep -v -E "^$|--"

# Create fake ethernet interface (both steps need root)
sudo /sbin/modprobe dummy
sudo ip link set dev dummy0 up

# List every loaded kernel module and the current value of each of its parameters
cut -f 1 -d " " /proc/modules | while read module; do
  echo "Module: $module"
  if [ -d "/sys/module/$module/parameters" ]; then
    ls "/sys/module/$module/parameters/" | while read parameter; do
      echo -n "Parameter: $parameter --> "
      cat "/sys/module/$module/parameters/$parameter"
    done
  fi
  echo
done

# Collect the conn uids of extracted files (least missing bytes first) and pull their conn.log rows.
# The side channel must be a real FIFO: with a plain file the reader would hit EOF before the writer finished.
[ -p /tmp/side.fifo ] || mkfifo /tmp/side.fifo
(grep EXTRACT files.log | jbro | jq --slurp 'sort_by(.missing_bytes) | .[].conn_uids' \
  | jq --slurp -r 'flatten | unique | join("|")' > /tmp/side.fifo &)
# -r above emits the uid alternation without JSON quotes, so grep -E gets a usable pattern
while read line </tmp/side.fifo; do grep -E "$line" conn.log; break; done

# Build Bro from Source on Fedora 22
## Install runtime dependencies - These will be needed once the RPM is built
sudo dnf -y install libpcap openssl-libs bind-libs zlib bash python libcurl gawk GeoIP gperftools-libs
## Install the build dependencies
sudo dnf -y install @development-tools libpcap-devel openssl-devel bind-devel zlib-devel cmake git perl libcurl-devel GeoIP-devel python-devel gperftools-devel swig flex bison rpmdevtools gcc-c++
## Checkout code and build RPMs
git clone git://git.bro.org/bro

# Enable EPEL
sudo yum -y install epel-release
# Install run-time deps
sudo yum -y install libpcap openssl bind-libs zlib bash python libcurl gawk GeoIP gperftools-libs
# Install compile-time deps
sudo yum -y install @development libpcap-devel openssl-devel bind-devel zlib-devel cmake git perl libcurl-devel GeoIP-devel python-devel gperftools-devel swig flex bison rpmdevtools gcc-c++
# Clone git repo (this is from Vagrant)