This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # encoding: utf-8 # *NOTE*: I have no idea what I'm doing and this is untested. Use at your own risk | |
| # (though I welcome assistance) | |
| require "logstash/filters/base" | |
| require "logstash/namespace" | |
| require "csv" | |
| require "bigdecimal" | |
| # The Bro filter takes an event field containing Bro log data, parses it, |
dcode
/ brocolor.sh
Last active
August 29, 2015 14:06
— forked from jeffgeiger/brocolor.sh
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| cat $1 | sed 's/#fields\t\|#types\t//g' | grep -v "^#" | awk 'BEGIN {FS="\t"; OFS=FS};{for(i=1;i<=NF;i++) printf("\x1b[%sm%s\x1b[0m%s",(i%7)+31,$i,OFS); print ""}' |
dcode
/ Attempt at File Extraction Policy
Created
September 4, 2014 03:01
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| global ext_map: table[string] of string = { | |
| ["application/x-dosexec"] = "exe", | |
| ["text/plain"] = "txt", | |
| ["image/jpeg"] = "jpg", | |
| ["image/png"] = "png", | |
| ["text/html"] = "html", | |
| } &default =""; | |
| event file_new(f: fa_file) | |
| { |
dcode
/ build_bro_nightly.sh
Last active
July 25, 2019 04:33
Build Bro nightly & bro-plugins on CentOS 7.x
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Build Bro from Source on CentOS 7 | |
| ## Install EPEL | |
| sudo yum -y install epel-release | |
| ## Install runtime dependencies - These will be needed once the RPM is built | |
| sudo yum -y install libpcap openssl-libs bind-libs zlib bash python libcurl gawk GeoIP jemalloc | |
| ## Install the build dependencies | |
| sudo yum -y install @development libpcap-devel openssl-devel bind-devel zlib-devel cmake git perl libcurl-devel GeoIP-devel python-devel jemalloc-devel swig rpmdevtools |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Convert RHEL7 to CentOS7 | |
| mkdir TMP | |
| yum remove rhnlib abrt-plugin-bugzilla redhat-release-notes* | |
| rpm -e --nodeps redhat-release* redhat-indexhtml | |
| rm -rf /usr/share/doc/redhat-release* | |
| cd TMP | |
| curl -O http://mirror.centos.org/centos/7/os/x86_64/Packages/centos-release-7-0.1406.el7.centos.2.3.x86_64.rpm -O http://mirror.centos.org/centos/7/os/x86_64/Packages/centos-indexhtml-7-9.el7.centos.noarch.rpm -O http://mirror.centos.org/centos/7/os/x86_64/Packages/yum-3.4.3-118.el7.centos.noarch.rpm -O http://mirror.centos.org/centos/7/os/x86_64/Packages/yum-plugin-fastestmirror-1.1.31-24.el7.noarch.rpm |
dcode
/ gist:66343a641c0f3caf122d
Created
August 10, 2014 18:48
Download the Java 8 64-bit RPM using curl (which more commonly installed over wget)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| curl --location --remote-name --remote-header-name --cookie "oraclelicense=accept-securebackup-cookie" http://download.oracle.com/otn-pub/java/jdk/8u11-b12/jre-8u11-linux-x64.rpm |
dcode
/ gist:d7f19f519bfe9ff8ce5d
Last active
August 29, 2015 14:05
Shell snippet. Takes output from bro2json.py and creates an array of JSON objects grouped by uid and id fields
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This more or less just shows the format of the log data on input. | |
| zcat bro2jsondata.json.gz| sed 's/id\./id_/g' | ./json -g | jq '[ map(select(.uid and .uid != "-" )) | group_by(.uid) | .[0] ]' | |
| [ | |
| [ | |
| { | |
| "type": "conn", | |
| "id_orig_h": "10.10.10.17", | |
| "resp_ip_bytes": "0", | |
| "ts": "1384833674.270877", |
dcode
/ bro2json.py
Last active
August 29, 2016 21:12
bro2json.py: This is a Python 3 version that assumes utf-8 encoding.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import csv, gzip, json, itertools | |
| class BroDictReader: | |
| def __init__(self, filename, comment="#"): | |
| self.comment = comment | |
| self.gzfile = gzip.open(filename, mode='rt', encoding='utf-8') | |
| self.fields = None | |
| self.path = None |
dcode
/ bro2json.py
Created
August 8, 2014 00:53
Quick script to take a gzip'd bro log (arg #1) and make it into a gzip'd JSON document (arg #2). Minimal error checking.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import csv, gzip, json, itertools | |
| class BroDictReader: | |
| def __init__(self, filename, comment="#"): | |
| self.comment = comment | |
| self.gzfile = gzip.open(filename, mode='r') | |
| self.fields = None | |
| self.path = None | |
| self.seperator = None |
dcode
/ gist:f879a62574e94a2265ae
Created
May 4, 2014 22:49
— forked from cr0t/gist:1243431
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| object Download extends Controller { | |
| import org.apache.commons.logging.Log | |
| import org.apache.hadoop.conf.Configuration | |
| import org.apache.hadoop.fs._ | |
| import java.io.InputStream | |
| import java.net.URI | |
| import java.net.URLDecoder | |
| def download(filename: String) = { |