@ethack
Last active September 7, 2023 19:36
Threat Hunting Tools

How to install various tools useful for threat hunting.

Ripgrep

Generic Linux

  1. Find the latest release on the ripgrep GitHub releases page (https://github.com/BurntSushi/ripgrep/releases).
  2. Pick the "x86_64-unknown-linux-musl" tarball (for 12.1.1 that is ripgrep-12.1.1-x86_64-unknown-linux-musl.tar.gz). The musl build is statically linked, so it runs on any x86_64 Linux regardless of the glibc version, which is what you want for dropping onto an arbitrary hunt box.
  3. Extract it and move rg onto your PATH (e.g. /usr/local/bin), then confirm with rg --version.

CentOS

  1. Find the latest release in the carlwgeorge/ripgrep COPR repository (the URL below is the EPEL 7 x86_64 build of 12.1.1).
  2. Download the RPM:

     wget https://copr-be.cloud.fedoraproject.org/results/carlwgeorge/ripgrep/epel-7-x86_64/01858399-ripgrep/ripgrep-12.1.1-1.el7.x86_64.rpm

     If the box has no internet access, download it on a different machine and copy it over with scp or similar.
  3. sudo yum install ripgrep-*.rpm

Debian

sudo apt install ripgrep

That installs whatever version the distribution ships, which can lag well behind upstream. If you're a Debian user (or a user of a Debian derivative like Ubuntu) and want the current release, ripgrep can also be installed from the binary .deb file provided in each ripgrep release:

curl -LO https://github.com/BurntSushi/ripgrep/releases/download/12.1.1/ripgrep_12.1.1_amd64.deb
sudo dpkg -i ripgrep_12.1.1_amd64.deb
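The three install routes above all end with "drop a binary you fetched off the internet onto PATH", usually as root. The following script is an added example, not part of the gist, that wraps the generic-Linux route with a checksum check so a truncated or tampered download is never installed. It assumes the release ships an <asset>.sha256 sidecar in sha256sum format next to each tarball (ripgrep's release workflow does publish these; confirm on the releases page), and that the tarball contains a top-level directory named like the asset with rg inside it. The version and install directory are assumptions you would override.

```sh
#!/bin/sh
# Added example (not from the gist): install a ripgrep release binary only
# after its sha256 matches the sidecar checksum file. Version, asset name,
# sidecar format and destination directory are assumptions.
set -eu

RG_VERSION="${RG_VERSION:-12.1.1}"   # assumption: version used elsewhere in the gist
RG_BASE="https://github.com/BurntSushi/ripgrep/releases/download/${RG_VERSION}"
RG_ASSET="ripgrep-${RG_VERSION}-x86_64-unknown-linux-musl.tar.gz"

# Download URLs for the asset and its checksum sidecar (assumed <asset>.sha256).
rg_asset_url()  { printf '%s/%s\n' "$RG_BASE" "$RG_ASSET"; }
rg_sha256_url() { printf '%s/%s.sha256\n' "$RG_BASE" "$RG_ASSET"; }

# verify_sha256 FILE SUMFILE
# SUMFILE is assumed to hold "<hex>  <name>" (sha256sum output); only the
# first field is compared. Returns 1 on mismatch or an empty/missing sum.
verify_sha256() {
    file="$1"; sumfile="$2"
    expected=$(awk 'NR==1 {print $1}' "$sumfile")
    actual=$(sha256sum "$file" | awk '{print $1}')
    if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then
        return 0
    fi
    return 1
}

# install_rg TARBALL SUMFILE DESTDIR
# Verify first, then extract into a scratch directory and copy only the rg
# binary (mode 0755) into DESTDIR. Nothing touches DESTDIR on a bad checksum.
install_rg() {
    tarball="$1"; sumfile="$2"; dest="$3"
    verify_sha256 "$tarball" "$sumfile" || {
        echo "checksum mismatch for $tarball, refusing to install" >&2
        return 1
    }
    tmp=$(mktemp -d)
    tar -xzf "$tarball" -C "$tmp"
    bin=$(find "$tmp" -type f -name rg | head -n 1)
    [ -n "$bin" ] || { echo "no rg binary inside $tarball" >&2; rm -rf "$tmp"; return 1; }
    install -m 0755 "$bin" "$dest/rg"
    rm -rf "$tmp"
}

# Usage (online), after sourcing this file:
#   curl -LO "$(rg_asset_url)" && curl -LO "$(rg_sha256_url)"
#   sudo sh -c ". ./install-rg.sh; install_rg '$RG_ASSET' '$RG_ASSET.sha256' /usr/local/bin"
# For an offline box, fetch both files elsewhere and scp them alongside this script.
```

Keep the checksum file with the tarball when you copy them to an air-gapped host; the check is only worth anything if the sidecar came over a different path (or was read off the releases page by eye) than the tarball itself.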

Ugrep

Download the Dockerfile for building from ugrep's repo.

Statically compiling and linking

# one of these is likely unnecessary
# the flags must be exported (or passed on the ./configure command line);
# a plain shell assignment is not in configure's environment and is silently ignored
export CFLAGS='-static -static-libstdc++ -static-libgcc'
export CXXFLAGS='-static -static-libstdc++ -static-libgcc'
./configure --enable-pretty
make -j

ldd bin/ugrep
# should output: not a dynamic executable

file bin/ugrep
# should output a line containing: statically linked

# cuts the size down a bit
strip bin/ugrep

Note: This doesn't work and segfaults. Likely it doesn't include all libraries.

Trace-summary

https://github.com/zeek/trace-summary

trace-summary is a single Python script; its only non-stdlib dependency is the pysubnettree module.

# See below for offline pysubnettree install
python -m pip install pysubnettree
# this pulls the script straight from the master branch over HTTPS with nothing to verify against,
# so read it before dropping it into /usr/local/bin
wget -qO /usr/local/bin/trace-summary https://raw.githubusercontent.com/zeek/trace-summary/master/trace-summary
chmod +x /usr/local/bin/trace-summary

Building Pysubnettree

https://packaging.python.org/guides/distributing-packages-using-setuptools/#platform-wheels

Build a platform wheel on an internet-connected machine, in a container that matches the target's Python version (3.6 here):

docker run -v "$(pwd)":/host --rm -it python:3.6 bash
cd /host
git clone https://github.com/zeek/pysubnettree
cd pysubnettree
python setup.py bdist_wheel
# wheel is in dist/pysubnettree-0.35-cp36-cp36m-linux_x86_64.whl

Then on the target system:

python3 -m pip install pysubnettree-0.35-cp36-cp36m-linux_x86_64.whl

Note that the wheel still carries runtime dependencies on the build host's system libraries: the python:3.6 image is Debian-based, and the compiled _SubnetTree extension links against that image's libstdc++, so the resulting linux_x86_64 wheel is not portable to older distributions. Currently it gives this error on CentOS 7 (Security Onion 2):

ImportError: /lib64/libstdc++.so.6: version `CXXABI_1.3.9' not found (required by /usr/local/lib64/python3.6/site-packages/_SubnetTree.cpython-36m-x86_64-linux-gnu.so)

CXXABI_1.3.9 is the C++ ABI version node introduced with GCC 5; CentOS 7's libstdc++ comes from GCC 4.8 and only provides up to CXXABI_1.3.7. The fix is to build the wheel on a system whose libstdc++ is no newer than the target's: either on CentOS 7 itself, or in a manylinux2014 build image (which is CentOS 7 based).
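Rather than discovering the mismatch at import time on the hunt box, it can be checked offline from the two files involved. The script below is an added example, not from the gist: ELF version nodes such as CXXABI_1.3.9 are plain strings in both the extension module and libstdc++ (that is where the ImportError text comes from), so grep -a is enough to list them without binutils on the target. The paths in the usage comment are the ones from the error above; the function and variable names are assumptions.

```sh
#!/bin/sh
# Added example (not from the gist): check whether a compiled Python extension
# (pysubnettree's _SubnetTree*.so) can load against the target's libstdc++ by
# comparing the CXXABI version nodes each file names. Works on the raw ELF
# files with grep -a, so it needs no binutils on the hunt box.
set -eu

# All CXXABI_x.y.z version nodes named in an ELF file, unique and version-sorted.
cxxabi_versions() {
    grep -ao 'CXXABI_[0-9][0-9.]*' "$1" | sort -uV
}

# Highest CXXABI version node named in FILE, or empty if it names none.
highest_cxxabi() {
    cxxabi_versions "$1" | tail -n 1
}

# cxxabi_compatible MODULE_SO LIBSTDCXX_SO
# Succeeds when every CXXABI node the module references is provided by the
# libstdc++ it will be loaded against; reports the first missing one otherwise.
# An exact per-node check is used rather than "highest <= highest" so that a
# module naming a node the library lacks is caught regardless of ordering.
cxxabi_compatible() {
    mod="$1"; lib="$2"
    provided=$(cxxabi_versions "$lib")
    for need in $(cxxabi_versions "$mod"); do
        if ! printf '%s\n' "$provided" | grep -qx "$need"; then
            echo "$mod needs $need, which $lib does not provide (highest: $(highest_cxxabi "$lib"))" >&2
            return 1
        fi
    done
    return 0
}

# Usage on the target (paths taken from the ImportError above):
#   cxxabi_compatible \
#     /usr/local/lib64/python3.6/site-packages/_SubnetTree.cpython-36m-x86_64-linux-gnu.so \
#     /lib64/libstdc++.so.6
# Run it against the wheel's extension before copying the wheel onto an offline box:
#   unzip -o pysubnettree-0.35-cp36-cp36m-linux_x86_64.whl '_SubnetTree*.so' -d /tmp/wheel
#   cxxabi_compatible /tmp/wheel/_SubnetTree*.so /lib64/libstdc++.so.6
```

The same check applies to GLIBCXX_ nodes (change the pattern) and to any other compiled extension you side-load this way; if it fails, rebuild the wheel on the target's distribution or in a manylinux image rather than copying libstdc++ around.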

Zeek-aux

https://github.com/zeek/zeek-aux/

Package

Debian

apt install -y bro-aux || apt install -y zeek-aux

Alpine

apk add -t .build-deps gcc libc-dev
wget -qO /tmp/zeek-cut.c https://raw.githubusercontent.com/zeek/zeek-aux/master/zeek-cut/zeek-cut.c
gcc --static -o /usr/local/bin/zeek-cut /tmp/zeek-cut.c
apk del .build-deps

CentOS

yum install -y gcc glibc-devel wget
wget -qO /tmp/zeek-cut.c https://raw.githubusercontent.com/zeek/zeek-aux/master/zeek-cut/zeek-cut.c
# couldn't get this to work with static compilation on CentOS
# (gcc -static against glibc needs the static archives from the glibc-static package,
# i.e. yum install -y glibc-static; without it the link fails, so build dynamically)
gcc -o /usr/local/bin/zeek-cut /tmp/zeek-cut.c