# Add the offline rules file as a source:
sudo suricata-update add-source "Local Rules" "file:///srv/rocknsm/support/emerging.rules-suricata.tar.gz"
# Check that we're not going to go screaming at the internet for an update
sudo suricata-update list-enabled-sources
# You should see this:
# Enabled sources:
# - Local Rules
import requests

url = "http://localhost:5000/"
# Upload the PDF as a multipart/form-data field named "file"; the file handle is closed when the block exits.
with open('simple_table.pdf', 'rb') as fin:
    files = {'file': fin}
    r = requests.post(url, files=files)
print(r.text)
from pyftpdlib.authorizers import DummyAuthorizer
from pyftpdlib.handlers import FTPHandler
from pyftpdlib.servers import FTPServer

# Minimal FTP server: a single hard-coded user rooted at /tmp with full read/write permissions.
authorizer = DummyAuthorizer()
authorizer.add_user("user", "12345", "/tmp", perm="elradfmw")
handler = FTPHandler
handler.authorizer = authorizer
# Binding "" listens on every interface; port 21 needs root (or CAP_NET_BIND_SERVICE).
server = FTPServer(("", 21), handler)
server.serve_forever()

Grab the main page with all the links:
curl > emoji

Open file in vim and run the following commands:

## Build RPM as per
# Do this elsewhere, you don't want dev tools on a box you're trying to secure.  ;) 
# Also note, the repo has moved, so you need to adjust the git path:

sudo yum install epel-release -y
sudo yum install qrencode qrencode-devel qrencode-libs
sudo yum install google-authenticator-1.03-1.el7.centos.x86_64.rpm
google-authenticator  #per-user setup

This is a CentOS-themed /etc/issue w/ hooks to update IP address and OS release upon ifup/ifdown. My motivation was that I was tired of logging into an otherwise headless box just to find the IP of the system so I can SSH to it.

The file actually contains control characters to do the color in the text. The easiest way to preserve that is to clone this gist and run the script w/ sudo, which will copy the file and set the SELinux

Keybase proof

I hereby claim:

  • I am jeffgeiger on github.
  • I am jeffgeiger ( on keybase.
  • I have a public key whose fingerprint is 3EE0 89DC 9EA2 CB58 703C 658F 67F2 38AC C74F 83F8

To claim this, I am signing this object:

#!/bin/bash
# Clean out old marvel indexes, only keeping the current index.
# Index names are read from the _stats listing; awk takes the quoted key and sed strips the quotes.
# The host on the DELETE URLs was lost in the page capture; localhost:9200 matches the _stats call above.
for i in $(curl -sSL 'http://localhost:9200/_stats/indexes?pretty=1' | grep marvel | grep -Ev 'es-data|kibana' | grep -vF "$(date +%m.%d)" | awk '{print $1}' | sed 's/\"//g' 2>/dev/null); do
  curl -sSL -XDELETE "http://localhost:9200/$i" > /dev/null 2>&1
done
# Delete Logstash indexes from 60 days ago ("logstash-" is the Logstash default index prefix; assumed here).
curl -sSL -XDELETE "http://localhost:9200/logstash-$(date -d '60 days ago' +%Y.%m.%d)" 2>&1

#!/bin/bash
# Dynamic DNS updater: push an update only when the public IP differs from the last one recorded in /tmp/ipdata.
# The three URLs below were stripped from the page capture; they are placeholders, not the original values.
IP_ECHO_URL="<url-of-ip-echo-service>"; NOTIFY_URL="<url-of-push-notification-api>"; DDNS_URL="<url-of-dynamic-dns-provider>"
CURRENTIP=$(curl -s "$IP_ECHO_URL" 2>/dev/null)
# Abort on a failed lookup so an empty address is never pushed to the DDNS provider.
[[ -z "$CURRENTIP" ]] && { echo "IP lookup failed - $(date)"; exit 1; }
if [[ "$CURRENTIP" != "$(cat /tmp/ipdata 2>/dev/null)" ]]; then
  echo "CHANGE: $CURRENTIP - $(date) FROM: $(cat /tmp/ipdata 2>/dev/null)"
  /usr/sbin/ez-ipupdate -c /etc/ez-ipupdate/default.conf -a "$CURRENTIP"
  echo "$CURRENTIP" > /tmp/ipdata
  curl -Lk -XPOST -d "apikey=xxxxxxxxxxxxxxxxxx&priority=-2&application=Labs&event=IP%20Change&description=New%20IP%3A%20${CURRENTIP}" "$NOTIFY_URL"
  curl -A "DDUpdater - Dynamic DNS Updater - 0.0.1" -u '' "$DDNS_URL"
else
  echo "ALL GOOD - $(date) - $CURRENTIP"
fi


These changes should keep snort and bro working together in ROCK. I've tested it on 3 production instances and it's held up for almost 2 weeks.

Create the dir for old snort logs
mkdir /data/snort/OLD

Add the (content below)
vim /usr/local/bin/ # Insert content
chmod +x /usr/local/bin/