Skip to content

Instantly share code, notes, and snippets.

@jbradley89
jbradley89 / tty_tracker_with_filters.stp
Last active February 20, 2017 05:02
A PoC tty tracker that allows filtering out known good processes
#! /usr/bin/env stap
global allowed_ttys; //holds a list of processes allowed to generate ttys
probe begin
{
println("Tracking spawned TTYs...");
allowed_ttys["sshd"] <<<1;
allowed_ttys["gnome-pty-helpe"] <<<1;
}
probe begin
{
println("Tracking spawned TTYs...");
}
probe tty.init
{
printf("%15s %5d %15s %5d \n", ctime(gettimeofday_s()), uid(), execname(), pid());
}
#!/bin/bash
for i in {1..10}; do ping -c1 google.com; sleep 4; done
@jbradley89
jbradley89 / beaconator.stp
Created February 8, 2017 23:51
A system tap script to detect UDP beacons
#! /usr/bin/env stap
/*
/\ \ /\ \__
\ \ \____ __ __ ___ ___ ___ __ \ \ ,_\ ___ _ __
\ \ '__`\ /'__`\ /'__`\ /'___\ / __`\ /' _ `\ /'__`\ \ \ \/ / __`\/\`'__\
\ \ \L\ \/\ __//\ \L\.\_/\ \__//\ \L\ \/\ \/\ \/\ \L\.\_\ \ \_/\ \L\ \ \ \/
\ \_,__/\ \____\ \__/.\_\ \____\ \____/\ \_\ \_\ \__/.\_\\ \__\ \____/\ \_\
\/___/ \/____/\/__/\/_/\/____/\/___/ \/_/\/_/\/__/\/_/ \/__/\/___/ \/_/
*/
@jbradley89
jbradley89 / udp_trace.stp
Last active February 7, 2017 04:20
Short System Tap script to watch processes making UDP calls
#! /usr/bin/env stap
probe udp.sendmsg{
printf("%15s %15s %15s %5d %5d %15s UDP\n", ctime(gettimeofday_s()), saddr, daddr, sport, dport, execname())
}