Devin W. Hurley dhurley14

dhurley14 / torrc
Created March 22, 2016 22:15
torrc file on my DigitalOcean VPN
## Configuration file for a typical Tor user
## Last updated 2 September 2014 for Tor 0.2.6.1-alpha.
## (may or may not work for much older or much newer versions of Tor.)
##
## Lines that begin with "## " try to explain what's going on. Lines
## that begin with just "#" are disabled commands: you can enable them
## by removing the "#" symbol.
##
## See 'man tor', or https://www.torproject.org/docs/tor-manual.html,
## for more options you can use in this file.
dhurley14 / gist:a0e24e092cbc5c25dfaa
Created March 22, 2016 22:32
client openvpn config file contents
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
dhurley14 / server.conf
Created March 22, 2016 22:34
server config file
#################################################
# Sample OpenVPN 2.0 config file for            #
# multi-client server.                          #
#                                               #
# This file is for the server side              #
# of a many-clients <-> one-server              #
# OpenVPN configuration.                        #
#                                               #
# OpenVPN also supports                         #
# single-machine <-> single-machine             #
dhurley14 / onion_pi_torrc
Created March 22, 2016 22:39
onion pi torrc file
## Configuration file for a typical Tor user
## Last updated 9 October 2013 for Tor 0.2.5.2-alpha.
## (may or may not work for much older or much newer versions of Tor.)
##
## Lines that begin with "## " try to explain what's going on. Lines
## that begin with just "#" are disabled commands: you can enable them
## by removing the "#" symbol.
##
## See 'man tor', or https://www.torproject.org/docs/tor-manual.html,
## for more options you can use in this file.
dhurley14 / before.rules
Created March 23, 2016 00:20
uncomplicated firewall (ufw) before.rules
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#
dhurley14 / openvpn_client_log
Created March 29, 2016 02:24
openvpn client log trying to connect to vpn through tor
2016-03-28 22:19:58 SIGUSR1[soft,init_instance] received, process restarting
2016-03-28 22:19:58 MANAGEMENT: >STATE:1459217998,RECONNECTING,init_instance,,
2016-03-28 22:20:00 *Tunnelblick: No 'reconnecting.sh' script to execute
2016-03-28 22:20:00 MANAGEMENT: CMD 'hold release'
2016-03-28 22:20:00 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2016-03-28 22:20:00 Socket Buffers: R=[131072->65536] S=[131072->65536]
2016-03-28 22:20:00 Attempting to establish TCP connection with [AF_INET]XXX.XXX.XXX.XXX:9040 [nonblock]
2016-03-28 22:20:00 MANAGEMENT: >STATE:1459218000,TCP_CONNECT,,,
2016-03-28 22:20:00 TCP: connect to [AF_INET]XXX.XXX.XXX.XXX:9040 failed, will try again in 5 seconds: Can't assign requested address
2016-03-28 22:20:00 SIGUSR1[soft,init_instance] received, process restarting
pi@raspberrypi:/var/log/maltrail $ tail 2016-05-18.log 2016-05-19.log 2016-05-20.log 2016-05-21.log 2016-05-22.log 2016-05-23.log 2016-05-24.log 2016-05-25.log
==> 2016-05-18.log <==
"2016-05-18 23:47:51.125602" raspberrypi 192.168.1.5 35579 128.208.2.233 9001 TCP IP 128.208.2.233 "tor exit node (suspicious)" blutmagie.de
"2016-05-18 23:49:59.424015" raspberrypi 192.168.1.5 - 136.161.101.53 - ICMP IP 136.161.101.53 "sinkhole conficker (malware)" (static)
==> 2016-05-19.log <==
"2016-05-19 10:26:19.485956" raspberrypi 192.168.1.5 39074 178.63.9.165 443 TCP IP 178.63.9.165 "tor exit node (suspicious)" blutmagie.de
"2016-05-19 11:59:51.032876" raspberrypi 192.168.1.5 39075 178.63.9.165 443 TCP IP 178.63.9.165 "tor exit node (suspicious)" blutmagie.de
"2016-05-19 13:25:15.583751" raspberrypi 192.168.1.5 39076 178.63.9.165 443 TCP IP 178.63.9.165 "tor exit node (suspicious)" blutmagie.de
"2016-05-19 15:10:59.114896" raspberrypi 192.168.1.5 39077 178.63.9.165 443 TCP IP 178.63.9.165 "tor exit node (suspicious)" bl
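The maltrail `tail` output above is the raw form a sensor writes; the lines below are an added example (my code, not part of any of the gists on this page) that parses that layout and pulls out the two things a practitioner would want from it: how often each trail fired, and which LAN host keeps contacting the same flagged address. The field order (quoted timestamp, sensor, source IP and port, destination IP and port, protocol, trail type, trail, quoted info, reference) is inferred from the lines shown; the sample log embedded in the code is constructed to match that layout and is not a real capture.

```python
"""Parse maltrail sensor log lines and summarise the hits.

Added example, not part of the original gists. The field order is inferred
from the log lines shown on the page: quoted timestamp, sensor name, source
IP, source port, destination IP, destination port, protocol, trail type,
trail, quoted info, reference. Ports are "-" for protocols without them.
"""
import shlex
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample in the same layout as the page's `tail` output,
# including the "==> file <==" headers that tail(1) prints between files.
SAMPLE_LOG = """\
==> 2016-05-18.log <==
"2016-05-18 23:47:51.125602" raspberrypi 192.168.1.5 35579 128.208.2.233 9001 TCP IP 128.208.2.233 "tor exit node (suspicious)" blutmagie.de
"2016-05-18 23:49:59.424015" raspberrypi 192.168.1.5 - 136.161.101.53 - ICMP IP 136.161.101.53 "sinkhole conficker (malware)" (static)
==> 2016-05-19.log <==
"2016-05-19 10:26:19.485956" raspberrypi 192.168.1.5 39074 178.63.9.165 443 TCP IP 178.63.9.165 "tor exit node (suspicious)" blutmagie.de
"2016-05-19 11:59:51.032876" raspberrypi 192.168.1.5 39075 178.63.9.165 443 TCP IP 178.63.9.165 "tor exit node (suspicious)" blutmagie.de
"""


@dataclass(frozen=True)
class Event:
    timestamp: str
    sensor: str
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]
    proto: str
    trail_type: str
    trail: str
    info: str
    reference: str

    @property
    def severity(self) -> str:
        """maltrail ends the info field with a parenthesised tag such as
        '(suspicious)' or '(malware)'; return that tag, or 'unknown'."""
        if self.info.endswith(")") and "(" in self.info:
            return self.info.rsplit("(", 1)[1][:-1]
        return "unknown"


def _port(token: str) -> Optional[int]:
    """Ports are '-' for ICMP and other port-less protocols."""
    return None if token == "-" else int(token)


def parse_line(line: str) -> Event:
    # shlex keeps the quoted timestamp and info fields as single tokens.
    fields = shlex.split(line)
    if len(fields) != 11:
        raise ValueError(f"expected 11 fields, got {len(fields)}: {line!r}")
    ts, sensor, src, sport, dst, dport, proto, ttype, trail, info, ref = fields
    return Event(ts, sensor, src, _port(sport), dst, _port(dport),
                 proto, ttype, trail, info, ref)


def parse_log(text: str) -> List[Event]:
    """Parse raw log text, skipping blank lines and tail(1) file headers."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("==>"):
            continue
        events.append(parse_line(line))
    return events


def count_by_info(events: Iterable[Event]) -> Counter:
    """How many hits each trail description produced."""
    return Counter(e.info for e in events)


def repeated_pairs(events: Iterable[Event],
                   min_count: int = 2) -> Dict[Tuple[str, str], int]:
    """Source/destination pairs flagged at least min_count times.

    One LAN host repeatedly reaching the same Tor exit is a different
    signal from a single hit, so surface the recurring pairs separately."""
    pairs = Counter((e.src_ip, e.dst_ip) for e in events)
    return {pair: n for pair, n in pairs.items() if n >= min_count}


def events_with_severity(events: Iterable[Event], severity: str) -> List[Event]:
    """Filter on the parenthesised severity tag, e.g. 'malware'."""
    return [e for e in events if e.severity == severity]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for info, n in count_by_info(evs).most_common():
        print(f"{n:3d}  {info}")
    for (src, dst), n in repeated_pairs(evs).items():
        print(f"repeated: {src} -> {dst} x{n}")
    for e in events_with_severity(evs, "malware"):
        print(f"malware: {e.timestamp} {e.src_ip} -> {e.dst_ip} {e.proto} via {e.reference}")
```

On the sample above, the parser reports three "tor exit node (suspicious)" hits, one "sinkhole conficker (malware)" hit over ICMP, and one recurring pair (192.168.1.5 to 178.63.9.165). The severity tag is read from the end of the info field rather than hard-coded, so new maltrail trail descriptions are handled without changes to the parser.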
dhurley14 / bitbucket-pipelines.yml
Created December 28, 2017 17:40 — forked from adilsoncarvalho/bitbucket-pipelines.yml
Bitbucket Pipelines deployment to a Google Container Engine configuration
---
options:
  docker: true
pipelines:
  branches:
    master:
      - step:
          script:
            # Installing gcloud
dhurley14 / signals_mappings_difference.csv
Created October 1, 2019 15:00
difference between csv and frank's json
agent.type
as.number
as.organization.name
client.as.number
client.as.organization.name
client.nat.ip
client.nat.port
client.user.domain
cloud.machine.type
destination.as.number
dhurley14 / aad
Created June 3, 2020 21:12
aad failure when adding / removing key in meta field.
server log [16:05:30.489] [error][plugins][plugins][siem][siem] [-] nextSearchAfter threw an error [security_exception] missing authentication credentials for REST request [/apm-*-transaction*%2Cauditbeat-*%2Cendgame-*%2Cfilebeat-*%2Cpacketbeat-*%2Cwinlogbeat-*/_search?allow_no_indices=true&size=100&ignore_unavailable=true], with { header={ WWW-Authenticate={ 0="Bearer realm=\"security\"" & 1="ApiKey" & 2="Basic realm=\"security\" charset=\"UTF-8\"" } } } :: {"path":"/apm-*-transaction*%2Cauditbeat-*%2Cendgame-*%2Cfilebeat-*%2Cpacketbeat-*%2Cwinlogbeat-*/_search","query":{"allow_no_indices":true,"size":100,"ignore_unavailable":true},"body":"{\"query\":{\"bool\":{\"filter\":[{\"bool\":{\"must\":[],\"filter\":[{\"bool\":{\"should\":[{\"exists\":{\"field\":\"host.name\"}}],\"minimum_should_match\":1}}],\"should\":[],\"must_not\":[]}},{\"bool\":{\"filter\":[{\"bool\":{\"should\":[{\"range\":{\"@timestamp\":{\"gte\":\"now-6m\"}}}],\"minimum_should_match\":1}},{\"bool\":{\"should\":[{\"range\":{\"@timestamp\":