Derek Ditch dcode

## bro.conf
input {
  file { path => ["/var/opt/bro/logs/current/*.log"] type => "bro"  }
}

filter {
  if [type] == "bro" {
    bro { }
  }

}

## gist:c5e748b0c60ba539a1c8
# Notice tail
stdbuf -o0 tail -n+1 -F notice.log \
	| stdbuf -o0 bro-cut -d ts note msg \
	| awk -F'\t' '{ print "================\n" $1, $2"\n", $3 }'

# HTTP Tail
stdbuf -o0 tail -n+1 -F http.log \
	| stdbuf -o0 bro-cut id.orig_h uri user_agent \
	| awk -F'\t' '{ print "=================\n" $1, $2"\n", $3 }'


## bro-es.rb
# This logstash config was created for the Logstash 1.5 beta, but I think should work on 1.4.x
# Rename it to .conf, I think. I put .rb for formatting in Gist
input {
  file {
    path => '/nsm/bro/logs/current/*.log'
    codec => "json"
    start_position => "beginning"
    type => "bro"

    # The @metadata field is for logstash internal tracking only

## gist:949ad498441b176bf684
# Find all commits from last week since Sunday from current directory

find . -name .git -print -exec git --git-dir={} log --branches  \
  --pretty=format:"%ci|%D|%s%n" --since="$(date -v-1w -v-sun +%F)" \
  2>/dev/null \; | grep -B1 -E "^[0-9]{4}" | grep -v -E "^$|--"

## gist:05b9e941df678a2fe0a7
# Create Fake ethernet interface

/sbin/modprobe dummy
sudo ip link set dev dummy0 up

## gist:ceeb4d577fe0d2293825
cat /proc/modules | cut -f 1 -d " " | while read module; do \
 echo "Module: $module"; \
 if [ -d "/sys/module/$module/parameters" ]; then \
  ls /sys/module/$module/parameters/ | while read parameter; do \
   echo -n "Parameter: $parameter --> "; \
   cat /sys/module/$module/parameters/$parameter; \
  done; \
 fi; \
 echo; \
done

## pipe_magic.sh
(cat files.log | grep EXTRACT | jbro | jq --slurp 'sort_by(.missing_bytes) | .[].conn_uids ' | jq --slurp 'flatten | unique | join("|") ' > /tmp/side.fifo & ); while read line </tmp/side.fifo; do cat conn.log | grep -E $line; break; done;

## build_bro_f22.sh
# Build Bro from Source on Fedora 22

## Install runtime dependencies - These will be needed once the RPM is built
sudo dnf -y install libpcap openssl-libs bind-libs zlib bash python libcurl gawk GeoIP gperftools-libs

## Install the build dependencies
sudo dnf -y install @development-tools libpcap-devel openssl-devel bind-devel zlib-devel cmake git perl libcurl-devel GeoIP-devel python-devel gperftools-devel swig flex bison rpmdevtools gcc-c++

## Checkout code and build RPMs
git clone git://git.bro.org/bro

## build_bro-2.3_EL6.sh
# Enable EPEL
sudo yum -y install epel-release

# Install run-time deps
sudo yum -y install libpcap openssl bind-libs zlib bash python libcurl gawk GeoIP gperftools-libs

# Install compile-time deps
sudo yum -y install @development libpcap-devel openssl-devel bind-devel zlib-devel cmake git perl libcurl-devel GeoIP-devel python-devel gperftools-devel swig flex bison rpmdevtools gcc-c++

# Clone git repo (this is from Vagrant)

## filtered_bro_log_following.sh

# Notice tail
stdbuf -o0 tail -n+1 -F notice.log \
	| stdbuf -o0 bro-cut -d ts note msg \
	| awk -F'\t' '{ print "================\n" $1, $2"\n", $3 }'

# HTTP Tail
stdbuf -o0 tail -n+1 -F http.log \
	| stdbuf -o0 bro-cut id.orig_h uri user_agent \
	| awk -F'\t' '{ print "=================\n" $1, $2"\n", $3 }'
	input {
	file { path => ["/var/opt/bro/logs/current/*.log"] type => "bro" }
	}

	filter {
	if [type] == "bro" {
	bro { }
	}

	}
	# Notice tail
	stdbuf -o0 tail -n+1 -F notice.log \
	\| stdbuf -o0 bro-cut -d ts note msg \
	\| awk -F'\t' '{ print "================\n" $1, $2"\n", $3 }'

	# HTTP Tail
	stdbuf -o0 tail -n+1 -F http.log \
	\| stdbuf -o0 bro-cut id.orig_h uri user_agent \
	\| awk -F'\t' '{ print "=================\n" $1, $2"\n", $3 }'
	# This logstash config was created for the Logstash 1.5 beta, but I think should work on 1.4.x
	# Rename it to .conf, I think. I put .rb for formatting in Gist
	input {
	file {
	path => '/nsm/bro/logs/current/*.log'
	codec => "json"
	start_position => "beginning"
	type => "bro"

	# The @metadata field is for logstash internal tracking only
	# Find all commits from last week since Sunday from current directory

	find . -name .git -print -exec git --git-dir={} log --branches \
	--pretty=format:"%ci\|%D\|%s%n" --since="$(date -v-1w -v-sun +%F)" \
	2>/dev/null \; \| grep -B1 -E "^[0-9]{4}" \| grep -v -E "^$\|--"
	# Create Fake ethernet interface

	/sbin/modprobe dummy
	sudo ip link set dev dummy0 up
	cat /proc/modules \| cut -f 1 -d " " \| while read module; do \
	echo "Module: $module"; \
	if [ -d "/sys/module/$module/parameters" ]; then \
	ls /sys/module/$module/parameters/ \| while read parameter; do \
	echo -n "Parameter: $parameter --> "; \
	cat /sys/module/$module/parameters/$parameter; \
	done; \
	fi; \
	echo; \
	done
	# Build Bro from Source on Fedora 22

	## Install runtime dependencies - These will be needed once the RPM is built
	sudo dnf -y install libpcap openssl-libs bind-libs zlib bash python libcurl gawk GeoIP gperftools-libs

	## Install the build dependencies
	sudo dnf -y install @development-tools libpcap-devel openssl-devel bind-devel zlib-devel cmake git perl libcurl-devel GeoIP-devel python-devel gperftools-devel swig flex bison rpmdevtools gcc-c++

	## Checkout code and build RPMs
	git clone git://git.bro.org/bro
	# Enable EPEL
	sudo yum -y install epel-release

	# Install run-time deps
	sudo yum -y install libpcap openssl bind-libs zlib bash python libcurl gawk GeoIP gperftools-libs

	# Install compile-time deps
	sudo yum -y install @development libpcap-devel openssl-devel bind-devel zlib-devel cmake git perl libcurl-devel GeoIP-devel python-devel gperftools-devel swig flex bison rpmdevtools gcc-c++

	# Clone git repo (this is from Vagrant)