Devin W. Hurley dhurley14
@dhurley14
dhurley14 / gist:a0e24e092cbc5c25dfaa
Created March 22, 2016 22:32
client openvpn config file contents
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
@dhurley14
dhurley14 / es_errors
Created December 16, 2020 22:54
es errors
alias start-es-snapshot='cd ~/kibana && nvm use && yarn es snapshot --license trial -E xpack.security.authc.api_key.enabled=true -E path.data=../es-data'
    at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:128) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
    at org.elasticsearch.xpack.security.authz.store.CompositeRolesStore.getRoles(CompositeRolesStore.java:275) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
    at org.elasticsearch.xpack.security.authz.RBACEngine.getRoles(RBACEngine.java:132) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
    at org.elasticsearch.xpack.security.authz.RBACEngine.resolveAuthorizationInfo(RBACEngine.java:120) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
    at org.elasticsearch.xpack.security.authz.AuthorizationService.authorize(AuthorizationService.java:229) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
    at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.authorizeRequest(SecurityActionFilter.java:173) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
    at org.elasticsearch.xpa
server log [01:11:26.989] [debug][plugins][plugins][securitySolution][securitySolution] totalHits: 4737 name: "Rule w exceptions" id: "239c70da-8640-4964-b7ba-a45cf1528563" rule id: "query-with-exceptions" signals index: ".siem-signals-devin-hurley-default"
server log [01:11:26.989] [debug][plugins][plugins][securitySolution][securitySolution] searchResult.hit.hits.length: 100 name: "Rule w exceptions" id: "239c70da-8640-4964-b7ba-a45cf1528563" rule id: "query-with-exceptions" signals index: ".siem-signals-devin-hurley-default"
server log [01:11:26.990] [debug][plugins][plugins][securitySolution][securitySolution] valuesOfGivenType: [
@dhurley14
dhurley14 / word.log
Created July 14, 2020 02:38
nothing
server log [22:34:34.179] [debug][plugins][plugins][securitySolution][securitySolution] Lists filtered out 33 events name: "Rule w exceptions" id: "239c70da-8640-4964-b7ba-a45cf1528563" rule id: "query-with-exceptions" signals index: ".siem-signals-devin-hurley-default"
server log [22:34:34.661] [debug][plugins][plugins][securitySolution][securitySolution] individual bulk process time took: 474.62 milliseconds
server log [22:34:34.661] [debug][plugins][plugins][securitySolution][securitySolution] took property says bulk took: 45 milliseconds
server log [22:34:34.661] [debug][plugins][plugins][securitySolution][securitySolution] created 67 signals name: "Rule w exceptions" id: "239c70da-8640-4964-b7ba-a45cf1528563" rule id: "query-with-exceptions" signals index: ".siem-signals-devin-hurley-default"
server log [22:34:34.662] [debug][plugins][plugins][securitySolution][securitySolution] filteredEvents.hits.hits: 67 name: "Rule w exceptions" id: "239c70da-8640-4964-b7ba-a45cf1528563" rule
@dhurley14
dhurley14 / timing.md
Created June 24, 2020 02:55
timing results between master and rbac pr

On master (e2ab94060a6156ebe7170469fbfd22ec8addd87d)

1.2 seconds upper bound for the rules table on the UI to load without any rules. The below is just the API:

$ time ./get_prepackaged_rules_status.sh
{
  "rules_custom_installed": 0,
  "rules_installed": 0,
  "rules_not_installed": 145,
@dhurley14
dhurley14 / aad
Created June 3, 2020 21:12
aad failure when adding / removing key in meta field.
server log [16:05:30.489] [error][plugins][plugins][siem][siem] [-] nextSearchAfter threw an error [security_exception] missing authentication credentials for REST request [/apm-*-transaction*%2Cauditbeat-*%2Cendgame-*%2Cfilebeat-*%2Cpacketbeat-*%2Cwinlogbeat-*/_search?allow_no_indices=true&size=100&ignore_unavailable=true], with { header={ WWW-Authenticate={ 0="Bearer realm=\"security\"" & 1="ApiKey" & 2="Basic realm=\"security\" charset=\"UTF-8\"" } } } :: {"path":"/apm-*-transaction*%2Cauditbeat-*%2Cendgame-*%2Cfilebeat-*%2Cpacketbeat-*%2Cwinlogbeat-*/_search","query":{"allow_no_indices":true,"size":100,"ignore_unavailable":true},"body":"{\"query\":{\"bool\":{\"filter\":[{\"bool\":{\"must\":[],\"filter\":[{\"bool\":{\"should\":[{\"exists\":{\"field\":\"host.name\"}}],\"minimum_should_match\":1}}],\"should\":[],\"must_not\":[]}},{\"bool\":{\"filter\":[{\"bool\":{\"should\":[{\"range\":{\"@timestamp\":{\"gte\":\"now-6m\"}}}],\"minimum_should_match\":1}},{\"bool\":{\"should\":[{\"range\":{\"@timestamp\":
@dhurley14
dhurley14 / signals_mappings_difference.csv
Created October 1, 2019 15:00
difference between csv and frank's json
agent.type
as.number
as.organization.name
client.as.number
client.as.organization.name
client.nat.ip
client.nat.port
client.user.domain
cloud.machine.type
destination.as.number
@dhurley14
dhurley14 / bitbucket-pipelines.yml
Created December 28, 2017 17:40 — forked from adilsoncarvalho/bitbucket-pipelines.yml
Bitbucket Pipelines deployment to a Google Container Engine configuration
---
options:
  docker: true
pipelines:
  branches:
    master:
      - step:
          script:
            # Installing gcloud
pi@raspberrypi:/var/log/maltrail $ tail 2016-05-18.log 2016-05-19.log 2016-05-20.log 2016-05-21.log 2016-05-22.log 2016-05-23.log 2016-05-24.log 2016-05-25.log
==> 2016-05-18.log <==
"2016-05-18 23:47:51.125602" raspberrypi 192.168.1.5 35579 128.208.2.233 9001 TCP IP 128.208.2.233 "tor exit node (suspicious)" blutmagie.de
"2016-05-18 23:49:59.424015" raspberrypi 192.168.1.5 - 136.161.101.53 - ICMP IP 136.161.101.53 "sinkhole conficker (malware)" (static)
==> 2016-05-19.log <==
"2016-05-19 10:26:19.485956" raspberrypi 192.168.1.5 39074 178.63.9.165 443 TCP IP 178.63.9.165 "tor exit node (suspicious)" blutmagie.de
"2016-05-19 11:59:51.032876" raspberrypi 192.168.1.5 39075 178.63.9.165 443 TCP IP 178.63.9.165 "tor exit node (suspicious)" blutmagie.de
"2016-05-19 13:25:15.583751" raspberrypi 192.168.1.5 39076 178.63.9.165 443 TCP IP 178.63.9.165 "tor exit node (suspicious)" blutmagie.de
"2016-05-19 15:10:59.114896" raspberrypi 192.168.1.5 39077 178.63.9.165 443 TCP IP 178.63.9.165 "tor exit node (suspicious)" bl
@dhurley14
dhurley14 / openvpn_client_log
Created March 29, 2016 02:24
openvpn client log trying to connect to vpn through tor
2016-03-28 22:19:58 SIGUSR1[soft,init_instance] received, process restarting
2016-03-28 22:19:58 MANAGEMENT: >STATE:1459217998,RECONNECTING,init_instance,,
2016-03-28 22:20:00 *Tunnelblick: No 'reconnecting.sh' script to execute
2016-03-28 22:20:00 MANAGEMENT: CMD 'hold release'
2016-03-28 22:20:00 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2016-03-28 22:20:00 Socket Buffers: R=[131072->65536] S=[131072->65536]
2016-03-28 22:20:00 Attempting to establish TCP connection with [AF_INET]XXX.XXX.XXX.XXX:9040 [nonblock]
2016-03-28 22:20:00 MANAGEMENT: >STATE:1459218000,TCP_CONNECT,,,
2016-03-28 22:20:00 TCP: connect to [AF_INET]XXX.XXX.XXX.XXX:9040 failed, will try again in 5 seconds: Can't assign requested address
2016-03-28 22:20:00 SIGUSR1[soft,init_instance] received, process restarting