Derek Ditch dcode

dcode / reset_root_pw_el7.md
Created February 25, 2016 17:43
How to reset root password on EL7 hosts.

The official training for RHCSA 7 describes the "change root password" procedure as below:

At the GRUB menu, press e to edit the boot entry and append "rd.break" to the kernel command line that starts with linux16, then press Ctrl-x to boot. rd.break stops the boot just before control is handed from the initramfs to the actual system and leaves you in a root shell with the real root filesystem mounted read-only at /sysroot. (Sometimes it is also necessary to delete everything after "…mapper/rhel-root ro" and append rd.break there instead.)

mount -o remount,rw /sysroot   # the real root is mounted read-only at this point; make it writable
chroot /sysroot                # switch into the real root filesystem
passwd                         # set the new root password (rewrites /etc/shadow)
touch /.autorelabel            # no SELinux policy is loaded in the initramfs, so /etc/shadow was written without its proper label; this forces a full relabel on the next boot (skip it on an enforcing system and logins fail)
exit                           # leave the chroot; exit once more to let the boot continue

Note that this needs nothing but console access: anyone who can reach the GRUB menu can do it unless the bootloader is password-protected, and only full-disk encryption protects the data from someone who can boot other media or remove the disk.
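Added check, not part of the gist or of the Red Hat training it quotes: a shell function that reports whether an EL7 host's GRUB2 still lets anyone at the console do the above, i.e. edit the boot entry without a password. grub2-setpassword (RHEL/CentOS 7.2 and later) stores the PBKDF2 hash in /boot/grub2/user.cfg and the stock 01_users stanza in grub.cfg turns it into a superuser password; a manually configured password ends up as literal set superusers and password_pbkdf2 lines in grub.cfg. Both paths are parameters so it can run against copied files; the defaults assume a BIOS install (on UEFI the files sit under /boot/efi/EFI/<distro>/), and the configs embedded below are constructed, with fake hashes.

```shell
#!/bin/sh
# Added example, not from the gist: does GRUB2 on this EL7 host still let
# anyone at the console append rd.break? The reset above only works because
# the boot entry can be edited without authentication. grub2-setpassword
# (RHEL/CentOS 7.2+) writes /boot/grub2/user.cfg with a PBKDF2 hash and the
# stock /etc/grub.d/01_users stanza in grub.cfg turns that into a superuser
# password. Default paths assume a BIOS install (assumption); on UEFI the
# files live under /boot/efi/EFI/<distro>/.

# grub_password_set [grub.cfg] [user.cfg]
# returns 0 when a superuser password is configured, 1 when editing is open.
grub_password_set() {
    grub_cfg="${1:-/boot/grub2/grub.cfg}"
    user_cfg="${2:-/boot/grub2/user.cfg}"

    # grub2-setpassword path: user.cfg carries
    # GRUB2_PASSWORD=grub.pbkdf2.sha512.<iterations>.<salt>.<hash>
    if [ -r "$user_cfg" ] \
        && grep -Eq '^GRUB2_PASSWORD=grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+[[:space:]]*$' "$user_cfg"; then
        return 0
    fi

    # Manual path (e.g. /etc/grub.d/40_custom): grub.cfg itself must carry
    # both "set superusers=..." and a password_pbkdf2 line with a literal hash.
    # The stock 01_users stanza also contains both keywords, but with
    # ${GRUB2_PASSWORD} unexpanded, so only a literal hash counts.
    if [ -r "$grub_cfg" ] \
        && grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' "$grub_cfg" \
        && grep -Eq '^[[:space:]]*password_pbkdf2[[:space:]]+[^[:space:]]+[[:space:]]+grub\.pbkdf2\.sha512\.' "$grub_cfg"; then
        return 0
    fi
    return 1
}

# Human-readable verdict; same optional arguments as grub_password_set.
rdbreak_exposure() {
    if grub_password_set "$@"; then
        echo "GRUB2 password set: editing the boot entry requires authentication"
        return 0
    fi
    echo "NO GRUB2 password: anyone at the console can append rd.break (run grub2-setpassword)"
    return 1
}

# Constructed samples for the stand-alone demo (fake hash, not a real one).
SAMPLE_USER_CFG_SET='GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.0A0B0C.1D1E1F'
SAMPLE_GRUB_CFG_STOCK='### BEGIN /etc/grub.d/01_users ###
if [ -f ${prefix}/user.cfg ]; then
  source ${prefix}/user.cfg
  if [ -n "${GRUB2_PASSWORD}" ]; then
    set superusers="root"
    export superusers
    password_pbkdf2 root ${GRUB2_PASSWORD}
  fi
fi
### END /etc/grub.d/01_users ###'
SAMPLE_GRUB_CFG_MANUAL='set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.0A0B0C.1D1E1F'

# Demo: with a populated user.cfg the host is protected, with an empty one it is not.
# On a real host just run: rdbreak_exposure
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_USER_CFG_SET" > "$demo_dir/user.cfg"
printf '%s\n' "$SAMPLE_GRUB_CFG_STOCK" > "$demo_dir/grub.cfg"
rdbreak_exposure "$demo_dir/grub.cfg" "$demo_dir/user.cfg"
: > "$demo_dir/user.cfg"
rdbreak_exposure "$demo_dir/grub.cfg" "$demo_dir/user.cfg"
rm -rf "$demo_dir"
```

A password only stops editing at the GRUB menu; it does nothing against booting from other media, so treat it as a complement to disk encryption, not a substitute.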
dcode / a2ps_formatting.sh
Created February 8, 2016 15:24
Uses a2ps to format a text file with line numbers on letter paper, one page per sheet, and output to a postscript file.
a2ps --line-numbers=1 -1 -M letter -o output.ps input.txt
dcode / snort_unified2_output.sh
Created January 19, 2016 21:10
Configure Snort (installed from the RPM) for unified2 output
# Uncomment the "output unified2" line in snort.conf so alerts and packet data are written as unified2 files (the format Barnyard2 consumes)
sudo sed -i'' 's/^# output unified2/output unified2/' /etc/snort/snort.conf
# Comment out ALERTMODE in the RPM's sysconfig file; otherwise the init script passes -A <mode> on the command line, which takes precedence over the output plugins in snort.conf. Not idempotent: a second run yields ##ALERTMODE, which is harmless.
sudo sed -i'' 's/ALERTMODE/#ALERTMODE/' /etc/sysconfig/snort
dcode / __Use_HTTP_Proxy.md
Created January 11, 2016 02:42
Use HTTP proxy on Atomic host from

Install tinyproxy

On a Mac, install tinyproxy with Homebrew, relax its client access control (or, better, restrict it to your environment), then run it in the foreground:

brew install tinyproxy
# Comment out every Allow line (gsed is GNU sed from Homebrew; the config lives under /opt/homebrew/etc on Apple-silicon Homebrew). With no Allow/Deny rules tinyproxy accepts any client that can reach its port, so on anything but an isolated network prefer an "Allow <subnet of the Atomic host>" line over this.
gsed -i'' 's/^Allow /#Allow /' /usr/local/etc/tinyproxy.conf
tinyproxy -d   # -d: stay in the foreground instead of daemonizing
dcode / list of default bro analyzers in v2.4.1.txt
Last active January 7, 2016 18:55
list of default bro analyzers in v2.4.1
Analyzer::ANALYZER_AYIYA
Analyzer::ANALYZER_TEREDO
Analyzer::ANALYZER_GTPV
Analyzer::ANALYZER_DHCP
Analyzer::ANALYZER_DNP
Analyzer::ANALYZER_DNS
Analyzer::ANALYZER_FTP
Analyzer::ANALYZER_HTTP
Analyzer::ANALYZER_IRC
Analyzer::ANALYZER_KRB
dcode / check_interfaces.sh
Created December 28, 2015 14:19
Troubleshoot capture interfaces
# Check offload features with ethtool -k. On a capture interface anything not marked [fixed] should be off:
# GRO/LRO/TSO hand the sniffer coalesced packets that never crossed the wire in that form
ethtool -k ens1f1
# Check interface error counters. Previously we saw rx_long_length_errors climbing,
# which means frames longer than the interface MTU were arriving (MTU set too small)
ethtool -S ens1f1 | grep -i error
# Reset counters to zero to make it easier to assess problems
# Validate the driver and firmware version in use
ethtool -i ens1f1
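Added example, not from the gist: a small parser for the "ethtool -k" output that the first step above eyeballs. It lists every offload that is still on and not [fixed], builds the single "ethtool -K" command that turns them all off, and offers a pass/fail check for scripting. It goes slightly beyond the gist by generating the fix rather than only showing the state. The sample output embedded below is constructed to match the real format; the interface name ens1f1 is the gist's.

```shell
#!/bin/sh
# Added example, not from the gist: parse "ethtool -k" output and list every
# offload feature that is still on and can be changed, i.e. not "[fixed]".
# On a capture interface all of these should be off: GRO/LRO/TSO hand the
# sniffer coalesced packets that never crossed the wire, so the IDS sees
# segment sizes and counts that do not match reality.
# SAMPLE_ETHTOOL_K below is constructed to look like the real output.

# offloads_to_disable <file containing "ethtool -k <iface>" output>
# Prints one feature name per line. Group lines such as "tx-checksumming: on"
# are listed too; turning a group off turns off its children.
offloads_to_disable() {
    awk -F': ' '
        /^Features for/ { next }                 # banner line
        $2 ~ /^on/ && $2 !~ /\[fixed\]/ {        # on, and changeable
            sub(/^[ \t]+/, "", $1)               # drop indentation of sub-features
            print $1
        }
    ' "$1"
}

# offload_disable_cmd <iface> <file>
# Builds the single "ethtool -K" invocation that turns all of them off.
# ethtool -K accepts the long names printed by -k as well as the short
# aliases (gro, lro, tso, ...).
offload_disable_cmd() {
    iface="$1"; file="$2"
    printf 'ethtool -K %s' "$iface"
    offloads_to_disable "$file" | while read -r feat; do
        printf ' %s off' "$feat"
    done
    printf '\n'
}

# capture_iface_clean <file>: 0 when nothing is left to disable.
capture_iface_clean() {
    [ "$(offloads_to_disable "$1" | wc -l | tr -d ' ')" -eq 0 ]
}

# Constructed sample (abbreviated, same shape as real "ethtool -k ens1f1").
SAMPLE_ETHTOOL_K='Features for ens1f1:
rx-checksumming: on
tx-checksumming: on
        tx-checksum-ipv4: off [fixed]
        tx-checksum-ip-generic: on
scatter-gather: on
        tx-scatter-gather: on
tcp-segmentation-offload: on
        tx-tcp-segmentation: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on
ntuple-filters: off'

# Stand-alone demo on the sample; on a real host:
#   ethtool -k ens1f1 > /tmp/ens1f1.k && offload_disable_cmd ens1f1 /tmp/ens1f1.k
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_ETHTOOL_K" > "$demo_file"
offload_disable_cmd ens1f1 "$demo_file"
rm -f "$demo_file"
```

Offload settings do not survive a reboot; put the generated command in the interface's ifup script or a systemd unit, and re-run capture_iface_clean as a health check.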
dcode / upstall_bro_filter.sh
Created December 1, 2015 17:48
Install/Update Bro filter for Logstash 1.x
# Download gem (an unsigned .gem from a file-sharing link: check its hash against a known-good value before installing it into the log pipeline)
cd /tmp
curl -L 'https://app.box.com/shared/static/5wf3k4daxmny6o9kfzacihsyrs2tzv0s.gem' -o logstash-filter-bro-0.9.5.gem
# Install plugin (the Logstash 1.x bin/plugin manager accepts a local .gem path)
/opt/logstash/bin/plugin install ./logstash-filter-bro-0.9.5.gem
# Restart logstash so the new filter is loaded
service logstash restart
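Added example, not part of the gist: the download step above pulls an unsigned gem from a file-sharing link and hands it straight to the plugin installer. The functions below fetch to a temporary file, compare its SHA-256 with a pinned value, and only then move it into place, so a swapped or truncated download never reaches bin/plugin. The expected digest in the usage comment is a placeholder (I do not know the real digest of that gem); the file used in the stand-alone demo is constructed.

```shell
#!/bin/sh
# Added example, not part of the gist: verify a downloaded plugin against a
# pinned SHA-256 before handing it to the Logstash plugin installer.
# The expected hash in the usage comment is a placeholder (assumption), not
# the real digest of that gem.

# Print the SHA-256 of a file, portable across coreutils and BSD/macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 <file> <expected-hex>: 0 only when the digests match
# (case-insensitive); an unreadable file or empty digest fails closed.
verify_sha256() {
    file="$1"; expected="$2"
    actual=$(sha256_of "$file" 2>/dev/null)
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# fetch_and_verify <url> <dest> <expected-hex>
# Download to a temp file next to dest, verify, then rename into place.
# Never leaves an unverified file at dest.
fetch_and_verify() {
    url="$1"; dest="$2"; expected="$3"
    tmp=$(mktemp "${dest}.XXXXXX") || return 1
    if ! curl -fsSL "$url" -o "$tmp"; then
        rm -f "$tmp"; echo "download failed: $url" >&2; return 1
    fi
    if ! verify_sha256 "$tmp" "$expected"; then
        rm -f "$tmp"; echo "digest mismatch for $url, refusing to install" >&2; return 1
    fi
    mv "$tmp" "$dest"
}

# Usage mirroring the gist (EXPECTED is a placeholder, replace with the digest
# you recorded from a trusted copy):
#   EXPECTED=0000000000000000000000000000000000000000000000000000000000000000
#   fetch_and_verify 'https://app.box.com/shared/static/5wf3k4daxmny6o9kfzacihsyrs2tzv0s.gem' \
#       /tmp/logstash-filter-bro-0.9.5.gem "$EXPECTED" \
#     && /opt/logstash/bin/plugin install /tmp/logstash-filter-bro-0.9.5.gem

# Stand-alone demo on a constructed file: SHA-256 of the bytes "abc" is well known.
demo_file=$(mktemp)
printf '%s' 'abc' > "$demo_file"
verify_sha256 "$demo_file" ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad && echo "digest ok"
rm -f "$demo_file"
```

Record the digest once from a copy you trust (or from the project's release notes) and keep it with the install script; a hash pinned in the same script that downloads the file is still far better than none, since it turns a silent substitution into a hard failure.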
dcode / local.rules
Created November 30, 2015 20:36
An overkill but effective Snort rule for testing. It fires on any standard DNS query from $HOME_NET whose question contains the label-encoded name purple.com: byte_test reads the first flags byte of the DNS header (offset 2) and requires all bits in 0xF8 to be clear, i.e. QR=0 (query), opcode 0, AA=0, and the content match is the wire form of "purple.com" (length-prefixed labels, terminated by a zero byte). A plain lookup of purple.com from inside the network triggers it.
alert udp $HOME_NET any -> any 53 (msg:"DNS request for IDS test domain: purple.com"; flow:to_server; \
    byte_test:1,!&,0xF8,2; content:"|06|purple|03|com|00|"; fast_pattern:only; \
    metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; \
    sid:1234567;)
dcode / kafka commands.md
Last active August 19, 2021 15:47
Some Kafka operations

Commands to check various states of Kafka

NOTE: In the code blocks, lines starting with '$' are input typed at the prompt. Everything else is output.

Create a new topic

$ /opt/kafka/bin/kafka-topics.sh --topic my_topic --zookeeper localhost:2181 --create --partitions 1 --replication-factor 1
Created topic "my_topic".

(The --zookeeper option was deprecated in favor of --bootstrap-server <broker:port> in Kafka 2.2 and removed from kafka-topics.sh in 3.0; on newer clusters substitute accordingly.)
dcode / intel-conn-udp-icmp.bro
Created November 24, 2015 21:23
Use Bro to raise Intel hits for connections involving intel IP addresses that the stock TCP path misses: UDP, ICMP, and TCP attempts that never get established. There are probably some glitches.
# Support for UDP, ICMP, and non-established TCP connections in "interesting" cases
# This only generates Intel matches when Bro removes the connection from its state table
# (after it ends or times out), so hits arrive when the connection is torn down, not when it starts
#
# Interesting cases:
# seen IN_RESP in a failed outbound connection to a known phishing site, useful to know
# seen IN_RESP in a failed outbound port 22/tcp connection to a known ssh scanner, useful to know
#
# Probably uninteresting:
# seen IN_ORIG in a failed incoming port 22 connection from a known ssh scanner, probably just noise
#