
Devin W. Hurley dhurley14

View lists-and-exceptions.log
server log [01:11:26.989] [debug][plugins][plugins][securitySolution][securitySolution] totalHits: 4737 name: "Rule w exceptions" id: "239c70da-8640-4964-b7ba-a45cf1528563" rule id: "query-with-exceptions" signals index: ".siem-signals-devin-hurley-default"
server log [01:11:26.989] [debug][plugins][plugins][securitySolution][securitySolution] searchResult.hit.hits.length: 100 name: "Rule w exceptions" id: "239c70da-8640-4964-b7ba-a45cf1528563" rule id: "query-with-exceptions" signals index: ".siem-signals-devin-hurley-default"
server log [01:11:26.990] [debug][plugins][plugins][securitySolution][securitySolution] valuesOfGivenType: [
View word.log
server log [22:34:34.179] [debug][plugins][plugins][securitySolution][securitySolution] Lists filtered out 33 events name: "Rule w exceptions" id: "239c70da-8640-4964-b7ba-a45cf1528563" rule id: "query-with-exceptions" signals index: ".siem-signals-devin-hurley-default"
server log [22:34:34.661] [debug][plugins][plugins][securitySolution][securitySolution] individual bulk process time took: 474.62 milliseconds
server log [22:34:34.661] [debug][plugins][plugins][securitySolution][securitySolution] took property says bulk took: 45 milliseconds
server log [22:34:34.661] [debug][plugins][plugins][securitySolution][securitySolution] created 67 signals name: "Rule w exceptions" id: "239c70da-8640-4964-b7ba-a45cf1528563" rule id: "query-with-exceptions" signals index: ".siem-signals-devin-hurley-default"
server log [22:34:34.662] [debug][plugins][plugins][securitySolution][securitySolution] filteredEvents.hits.hits: 67 name: "Rule w exceptions" id: "239c70da-8640-4964-b7ba-a45cf1528563" rule
@dhurley14
dhurley14 / timing.md
Created Jun 24, 2020
timing results between master and rbac pr

On master (e2ab94060a6156ebe7170469fbfd22ec8addd87d)

1.2 seconds upper bound for the rules table on the UI to load without any rules. The below is just the API.

$ time ./get_prepackaged_rules_status.sh 
{
  "rules_custom_installed": 0,
  "rules_installed": 0,
  "rules_not_installed": 145,
@dhurley14
dhurley14 / aad
Created Jun 3, 2020
aad failure when adding / removing key in meta field.
server log [16:05:30.489] [error][plugins][plugins][siem][siem] [-] nextSearchAfter threw an error [security_exception] missing authentication credentials for REST request [/apm-*-transaction*%2Cauditbeat-*%2Cendgame-*%2Cfilebeat-*%2Cpacketbeat-*%2Cwinlogbeat-*/_search?allow_no_indices=true&size=100&ignore_unavailable=true], with { header={ WWW-Authenticate={ 0="Bearer realm=\"security\"" & 1="ApiKey" & 2="Basic realm=\"security\" charset=\"UTF-8\"" } } } :: {"path":"/apm-*-transaction*%2Cauditbeat-*%2Cendgame-*%2Cfilebeat-*%2Cpacketbeat-*%2Cwinlogbeat-*/_search","query":{"allow_no_indices":true,"size":100,"ignore_unavailable":true},"body":"{\"query\":{\"bool\":{\"filter\":[{\"bool\":{\"must\":[],\"filter\":[{\"bool\":{\"should\":[{\"exists\":{\"field\":\"host.name\"}}],\"minimum_should_match\":1}}],\"should\":[],\"must_not\":[]}},{\"bool\":{\"filter\":[{\"bool\":{\"should\":[{\"range\":{\"@timestamp\":{\"gte\":\"now-6m\"}}}],\"minimum_should_match\":1}},{\"bool\":{\"should\":[{\"range\":{\"@timestamp\":
@dhurley14
dhurley14 / signals_mappings_difference.csv
Created Oct 1, 2019
difference between csv and frank's json
agent.type
as.number
as.organization.name
client.as.number
client.as.organization.name
client.nat.ip
client.nat.port
client.user.domain
cloud.machine.type
destination.as.number
@dhurley14
dhurley14 / bitbucket-pipelines.yml
Created Dec 28, 2017 — forked from adilsoncarvalho/bitbucket-pipelines.yml
Bitbucket Pipelines deployment to a Google Container Engine configuration
---
options:
  docker: true
pipelines:
  branches:
    master:
      - step:
          script:
            # Installing gcloud
View malicious_nodes
pi@raspberrypi:/var/log/maltrail $ tail 2016-05-18.log 2016-05-19.log 2016-05-20.log 2016-05-21.log 2016-05-22.log 2016-05-23.log 2016-05-24.log 2016-05-25.log
==> 2016-05-18.log <==
"2016-05-18 23:47:51.125602" raspberrypi 192.168.1.5 35579 128.208.2.233 9001 TCP IP 128.208.2.233 "tor exit node (suspicious)" blutmagie.de
"2016-05-18 23:49:59.424015" raspberrypi 192.168.1.5 - 136.161.101.53 - ICMP IP 136.161.101.53 "sinkhole conficker (malware)" (static)
==> 2016-05-19.log <==
"2016-05-19 10:26:19.485956" raspberrypi 192.168.1.5 39074 178.63.9.165 443 TCP IP 178.63.9.165 "tor exit node (suspicious)" blutmagie.de
"2016-05-19 11:59:51.032876" raspberrypi 192.168.1.5 39075 178.63.9.165 443 TCP IP 178.63.9.165 "tor exit node (suspicious)" blutmagie.de
"2016-05-19 13:25:15.583751" raspberrypi 192.168.1.5 39076 178.63.9.165 443 TCP IP 178.63.9.165 "tor exit node (suspicious)" blutmagie.de
"2016-05-19 15:10:59.114896" raspberrypi 192.168.1.5 39077 178.63.9.165 443 TCP IP 178.63.9.165 "tor exit node (suspicious)" bl
@dhurley14
dhurley14 / openvpn_client_log
Created Mar 29, 2016
openvpn client log trying to connect to vpn through tor
2016-03-28 22:19:58 SIGUSR1[soft,init_instance] received, process restarting
2016-03-28 22:19:58 MANAGEMENT: >STATE:1459217998,RECONNECTING,init_instance,,
2016-03-28 22:20:00 *Tunnelblick: No 'reconnecting.sh' script to execute
2016-03-28 22:20:00 MANAGEMENT: CMD 'hold release'
2016-03-28 22:20:00 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2016-03-28 22:20:00 Socket Buffers: R=[131072->65536] S=[131072->65536]
2016-03-28 22:20:00 Attempting to establish TCP connection with [AF_INET]XXX.XXX.XXX.XXX:9040 [nonblock]
2016-03-28 22:20:00 MANAGEMENT: >STATE:1459218000,TCP_CONNECT,,,
2016-03-28 22:20:00 TCP: connect to [AF_INET]XXX.XXX.XXX.XXX:9040 failed, will try again in 5 seconds: Can't assign requested address
2016-03-28 22:20:00 SIGUSR1[soft,init_instance] received, process restarting
@dhurley14
dhurley14 / before.rules
Created Mar 23, 2016
uncomplicated firewall (ufw) before.rules
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
# ufw-before-input
# ufw-before-output
# ufw-before-forward
#
@dhurley14
dhurley14 / onion_pi_torrc
Created Mar 22, 2016
onion pi torrc file
## Configuration file for a typical Tor user
## Last updated 9 October 2013 for Tor 0.2.5.2-alpha.
## (may or may not work for much older or much newer versions of Tor.)
##
## Lines that begin with "## " try to explain what's going on. Lines
## that begin with just "#" are disabled commands: you can enable them
## by removing the "#" symbol.
##
## See 'man tor', or https://www.torproject.org/docs/tor-manual.html,
## for more options you can use in this file.