@grigorescu
grigorescu / steps.md
Created January 5, 2022 21:39
Running DPDK Zeek as a non-privileged user

We're tripling down on acronyms by using the VFIO driver, with IOMMU and SR-IOV.

Boot parameters

intel_iommu=on iommu=pt default_hugepagesz=1G hugepagesz=1G hugepages=16

Enable hugepages

echo 4096 | sudo tee /sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages
sudo mkdir -p /tmp/mnt/huge
sudo mount -t hugetlbfs nodev /tmp/mnt/huge
@grigorescu
grigorescu / steps.md
Last active January 5, 2022 19:10
AWS DPDK Testing

Deploy EC2 Instance

  1. AMI: Ubuntu Server 20.04 LTS (HVM), SSD Volume Type - ami-04505e74c0741db8d (64-bit x86)
  2. Instance Type: c5n.large
  3. Network interfaces: Add a second interface for eth1.
  4. Increase storage to 16 GB
  5. Associate an Elastic IP with the primary network interface.

Install Zeek

Following the instructions here: https://software.opensuse.org//download.html?project=security%3Azeek&package=zeek

echo 'deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_20.04/ /' | sudo tee /etc/apt/sources.list.d/security:zeek.list
@grigorescu
grigorescu / http-more-files-names.zeek
Last active September 10, 2020 21:36 — forked from sethhall/http-more-files-names.bro
Get some extra file names from http
@load base/protocols/http/entities

module HTTP;

redef record HTTP::Info += {
	potential_fname: string &optional;
};

event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string) &priority=5
# Test 1
########
# Fails: warning: Value '{}' for stream 'configuration' is not a valid enum.
# internal error: null value given to CompositeHash::ComputeHash
# @TEST-EXEC: btest-bg-run zeek zeek %INPUT
# @TEST-EXEC: btest-bg-wait 10
@TEST-START-FILE configfile1
DPD::ignore_violations {}
@TEST-END-FILE
# Test 1
########
# Fails: Incompatible type for set of ID 'DPD::ignore_violations': got 'table', need 'table' (Option::set(Config::ID, Config::val, Config::location))
# @TEST-EXEC: zeek -b %INPUT
@load base/frameworks/config
@load base/frameworks/dpd
event zeek_init()
@grigorescu
grigorescu / bro_find_all_events.sh
Created March 5, 2018 15:35
This is a one-liner to find all events defined in Bro
for i in $(git grep -l event); do perl -e '$input=join("", <>); for ($input=~/^\s*(event [^(]+\([^)]*?\))/mg) { s/\n\s*/ /g; s/%//g; print "$_ { }\n"; }' "$i"; done
module Exposed;

export {
	redef enum Notice::Type += {
		Service
	};

	## Services considered exposed, keyed by port; extend via redef.
	const exposed_services: table[port] of string = {} &redef;
}

redef exposed_services += { [11211/tcp] = "memcached" };
@load base/frameworks/sumstats
@load base/protocols/smtp

module SMTP;

export {
	redef enum Notice::Type += {
		## Generated if a user is sending mail to too many recipients
		ExcessiveRecipients
	};
##! A detection script for UDP DoS Flows

@load base/protocols/conn

module UDPDoS;

export {
	redef enum Notice::Type += {
		Detected,
#!/usr/bin/python
import argparse, sys

def hexdump(text, space=False):
    result = ""
    for t in text:
        # two-digit lowercase hex for each byte, padding single digits
        s = str(hex(ord(t))).replace('0x', '')
        if len(s) == 1:
            s = '0' + s