Jeff Geiger jeffgeiger

## grokproduce.sh
#!/bin/bash

TSTAMP=$(date +%s)
CONF="/tmp/logstash-$TSTAMP.conf"
PATTERNS="/tmp/bro_patterns_$TSTAMP"

for j in *.log; do
  LOG=$(echo $j | sed 's/.log//g')
  FILTNAME=$(echo $LOG | tr '[:lower:]' '[:upper:]')
  echo -e "BRO$FILTNAME \c" >> $PATTERNS

## update_bro_intel.sh
#!/bin/bash

INTELFILE=$1
DOC=$(curl -# http://elasticinsight-test/ElasticAPI/BroIntelFrameworkIndicatorList 2> /dev/null)
RECS=$(echo $DOC | jq '. | length')
j=0

HEADER=$(grep -E "^#" $INTELFILE)

echo "$HEADER" > $INTELFILE

## custom.sh
alias bro-column="sed \"s/fields.//;s/types.//\" | column -s $'\t' -t"
alias bro-awk='awk -F" "'
bro-grep() { grep -E "(^#)|$1" $2; }
bro-zgrep() { zgrep -E "(^#)|$1" $2; }
topcount() { sort | uniq -c | sort -rn | head -n ${1:-10}; }
colorize() { sed 's/#fields\t\|#types\t/#/g' | awk 'BEGIN {FS="\t"};{for(i=1;i<=NF;i++) printf("\x1b[%sm %s \x1b[0m",(i%7)+31,$i);print ""}'; }
cm() { cat $1 | sed 's/#fields\t\|#types\t/#/g' | awk 'BEGIN {FS="\t"};{for(i=1;i<=NF;i++) printf("\x1b[%sm %s \x1b[0m",(i%7)+31,$i);print ""}'; }
lesscolor() { cat $1 | sed 's/#fields\t\|#types\t/#/g' | awk 'BEGIN {FS="\t"};{for(i=1;i<=NF;i++) printf("\x1b[%sm %s \x1b[0m",(i%7)+31,$i);print ""}' | less -RS; }
topconn() { if [ $# -lt 2 ]; then echo "Usage: topconn {resp|orig} {proto|service} {tcp|udp|icmp|http|dns|ssl|smtp|\"-\"}"; else cat conn.log | bro-cut id.$1_h $2 | grep $3 | topcount; fi; }
fields() { grep -m 1 -E "^#fields" $1 | awk -vRS='\t' '/^[^#]/ { print $1 }' | cat -n ; }

## spam_functions.sh
whackspam() { if [ $# -lt 1 ]; then echo "Usage: whackspam <sasl_username>"; else for j in $(for i in $(grep sasl_username=$1 maillog | awk -F'[][]' '{print $4}' | sort -u); do netstat -na | grep $i | awk '{print $5}' | awk -F: '{print $1}'; done); do perl -e "alarm 7; exec @ARGV" "tcpkill -i vlan102 -9 host $j"; done; fi; }

cleanqueue() { if [ $# -lt 1 ]; then echo "Usage: cleanqueue <search term>"; else for i in $(mailq -bpc | grep $1 | egrep -v "^ " | awk '{print $1}'); do postsuper -d $i; done; fi; }

## dns_anomaly.sh
#!/bin/bash

export PATH=/opt/bro/bin:$PATH
BRO_LOGS="/nsm/bro/logs"
TODAY=`date +%Y-%m-%d`
YESTERDAY=`date -d yesterday +%Y-%m-%d`
OLD_DIRS=`ls $BRO_LOGS |egrep -v "current|stats|$TODAY|$YESTERDAY"`
TMPDIR=/tmp
OLDLOG=$TMPDIR/oldlog
NEWLOG=$TMPDIR/newlog

## gist:0397041a12f6b48cb494
sqlite3 /Users/$USER/Library/Messages/chat.db <<EOF
.mode line
select ROWID, text, datetime(date, 'unixepoch', 'localtime') as date from message where handle_id = (select ROWID from handle where id = "+12223334444");
EOF

## gist:75cfeeecbd802e82e7bc
#Cred to: http://fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html
osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to display dialog "Software Update requires that you type your password to apply changes." & return & return  default answer "" with icon 1 with hidden answer with title "Software Update"'

## update_blacklist.sh
#!/bin/bash

CHAINLIST=$(/sbin/iptables -nL | grep 'Chain block-traffic-from-openbl' | cut -d\  -f 2)

if [ -z $CHAINLIST ]; then
        /sbin/iptables -N block-traffic-from-openbl
        /sbin/iptables -A INPUT -j block-traffic-from-openbl
fi

BLACKLIST=$(/usr/bin/curl -fs http://www.openbl.org/lists/base_7days.txt.gz | gunzip | egrep "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}")

## etc_sysconfig_netsniff-ng
PROM_INTERFACE=enp0s8
USER=99
GROUP=99
INTERVAL=5min
DATA_DIR=/pcap/

## rock_rotate.sh
#!/bin/bash

DATEDIR=$(date +%Y-%m-%d_%H:%M:00)
BRO_FILES_DIR="/capes/bro/extract"
BRO_FILES_ARCHIVE="/capes/bro/extract/${DATEDIR}"
PCAP_FILES_DIR="/pcap/"
PCAP_FILES_ARCHIVE="/pcap/${DATEDIR}"

mkdir -p $BRO_FILES_ARCHIVE
mkdir -p $PCAP_FILES_ARCHIVE
	#!/bin/bash

	TSTAMP=$(date +%s)
	CONF="/tmp/logstash-$TSTAMP.conf"
	PATTERNS="/tmp/bro_patterns_$TSTAMP"

	for j in *.log; do
	LOG=$(echo $j \| sed 's/.log//g')
	FILTNAME=$(echo $LOG \| tr '[:lower:]' '[:upper:]')
	echo -e "BRO$FILTNAME \c" >> $PATTERNS
	#!/bin/bash

	INTELFILE=$1
	DOC=$(curl -# http://elasticinsight-test/ElasticAPI/BroIntelFrameworkIndicatorList 2> /dev/null)
	RECS=$(echo $DOC \| jq '. \| length')
	j=0

	HEADER=$(grep -E "^#" $INTELFILE)

	echo "$HEADER" > $INTELFILE
	alias bro-column="sed \"s/fields.//;s/types.//\" \| column -s $'\t' -t"
	alias bro-awk='awk -F" "'
	bro-grep() { grep -E "(^#)\|$1" $2; }
	bro-zgrep() { zgrep -E "(^#)\|$1" $2; }
	topcount() { sort \| uniq -c \| sort -rn \| head -n ${1:-10}; }
	colorize() { sed 's/#fields\t\\|#types\t/#/g' \| awk 'BEGIN {FS="\t"};{for(i=1;i<=NF;i++) printf("\x1b[%sm %s \x1b[0m",(i%7)+31,$i);print ""}'; }
	cm() { cat $1 \| sed 's/#fields\t\\|#types\t/#/g' \| awk 'BEGIN {FS="\t"};{for(i=1;i<=NF;i++) printf("\x1b[%sm %s \x1b[0m",(i%7)+31,$i);print ""}'; }
	lesscolor() { cat $1 \| sed 's/#fields\t\\|#types\t/#/g' \| awk 'BEGIN {FS="\t"};{for(i=1;i<=NF;i++) printf("\x1b[%sm %s \x1b[0m",(i%7)+31,$i);print ""}' \| less -RS; }
	topconn() { if [ $# -lt 2 ]; then echo "Usage: topconn {resp\|orig} {proto\|service} {tcp\|udp\|icmp\|http\|dns\|ssl\|smtp\|\"-\"}"; else cat conn.log \| bro-cut id.$1_h $2 \| grep $3 \| topcount; fi; }
	fields() { grep -m 1 -E "^#fields" $1 \| awk -vRS='\t' '/^[^#]/ { print $1 }' \| cat -n ; }
	whackspam() { if [ $# -lt 1 ]; then echo "Usage: whackspam <sasl_username>"; else for j in $(for i in $(grep sasl_username=$1 maillog \| awk -F'[][]' '{print $4}' \| sort -u); do netstat -na \| grep $i \| awk '{print $5}' \| awk -F: '{print $1}'; done); do perl -e "alarm 7; exec @ARGV" "tcpkill -i vlan102 -9 host $j"; done; fi; }

	cleanqueue() { if [ $# -lt 1 ]; then echo "Usage: cleanqueue <search term>"; else for i in $(mailq -bpc \| grep $1 \| egrep -v "^ " \| awk '{print $1}'); do postsuper -d $i; done; fi; }
	#!/bin/bash

	export PATH=/opt/bro/bin:$PATH
	BRO_LOGS="/nsm/bro/logs"
	TODAY=`date +%Y-%m-%d`
	YESTERDAY=`date -d yesterday +%Y-%m-%d`
	OLD_DIRS=`ls $BRO_LOGS \|egrep -v "current\|stats\|$TODAY\|$YESTERDAY"`
	TMPDIR=/tmp
	OLDLOG=$TMPDIR/oldlog
	NEWLOG=$TMPDIR/newlog
	sqlite3 /Users/$USER/Library/Messages/chat.db <<EOF
	.mode line
	select ROWID, text, datetime(date, 'unixepoch', 'localtime') as date from message where handle_id = (select ROWID from handle where id = "+12223334444");
	EOF
	#Cred to: http://fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html
	osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to display dialog "Software Update requires that you type your password to apply changes." & return & return default answer "" with icon 1 with hidden answer with title "Software Update"'
	#!/bin/bash

	CHAINLIST=$(/sbin/iptables -nL \| grep 'Chain block-traffic-from-openbl' \| cut -d\ -f 2)

	if [ -z $CHAINLIST ]; then
	/sbin/iptables -N block-traffic-from-openbl
	/sbin/iptables -A INPUT -j block-traffic-from-openbl
	fi

	BLACKLIST=$(/usr/bin/curl -fs http://www.openbl.org/lists/base_7days.txt.gz \| gunzip \| egrep "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}")
	PROM_INTERFACE=enp0s8
	USER=99
	GROUP=99
	INTERVAL=5min
	DATA_DIR=/pcap/
	#!/bin/bash

	DATEDIR=$(date +%Y-%m-%d_%H:%M:00)
	BRO_FILES_DIR="/capes/bro/extract"
	BRO_FILES_ARCHIVE="/capes/bro/extract/${DATEDIR}"
	PCAP_FILES_DIR="/pcap/"
	PCAP_FILES_ARCHIVE="/pcap/${DATEDIR}"

	mkdir -p $BRO_FILES_ARCHIVE
	mkdir -p $PCAP_FILES_ARCHIVE