@jeffgeiger
jeffgeiger / nginx_parse.rb
Last active August 29, 2015 14:15
Parse nginx logs with ruby
#!/usr/bin/env ruby
# Parse nginx logs with ruby
# http://rubular.com/r/2wVbwiZPMS
# (?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) - .{0}- \[(?<day>[\d]{2})\/(?<mon>[\w]+)\/(?<yr>[\d]{4})\:(?<hr>[\d]{2})\:(?<min>[\d]{2})\:(?<sec>[\d]{2}) [^$]+\] "(?<method>GET|POST|PUT|DELETE) (?<uri>[^\s]+?) HTTP\/1\.1" (?<response>[\d]+) [\d]+ "(?<referrer>[^\s]+?)" "(?<agent>[^\"]+?)"
# Note: the pattern is pinned to HTTP/1.1 and four methods, so HTTP/1.0 and HEAD/OPTIONS requests (common from scanners) will not match.
require 'sqlite3'
dbfile = ARGV[0]   # path to the SQLite database the parsed rows are written to
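The parse step, as an added example that is not the gist's code. Its regex generalizes the one in the gist header: it accepts any method and HTTP version and tolerates "-" in the user and bytes fields, then counts 4xx/5xx responses per client as a first pass at spotting probing. The sqlite write-out is left out and the log lines are constructed.

```ruby
require 'time'

# Added example, not the gist's code. The gist's regex is pinned to "HTTP/1.1" and
# four methods, so HTTP/1.0 and HEAD/OPTIONS requests, which scanners send a lot of,
# silently fail to parse. This version accepts any method and HTTP version, tolerates
# "-" in the user and bytes fields, and counts error responses per client.
NGINX_COMBINED = /\A
  (?<ip>\d{1,3}(?:\.\d{1,3}){3})\s-\s(?<user>\S+)\s
  \[(?<ts>\d{2}\/\w{3}\/\d{4}:\d{2}:\d{2}:\d{2}\s[+-]\d{4})\]\s
  "(?<method>[A-Z]+)\s(?<uri>\S+)\sHTTP\/(?<httpver>\d(?:\.\d)?)"\s
  (?<response>\d{3})\s(?<bytes>\d+|-)\s
  "(?<referrer>[^"]*)"\s"(?<agent>[^"]*)"
\z/x

# One Hash per line, or nil for a line that is not in combined format.
def parse_nginx_line(line)
  m = NGINX_COMBINED.match(line.chomp)
  return nil unless m
  {
    ip:       m[:ip],
    time:     Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
    method:   m[:method],
    uri:      m[:uri],
    httpver:  m[:httpver],
    response: m[:response].to_i,
    bytes:    m[:bytes] == '-' ? 0 : m[:bytes].to_i,
    referrer: m[:referrer],
    agent:    m[:agent],
  }
end

# Parses a whole log, skipping lines that do not match.
def parse_nginx_log(text)
  text.each_line.map { |l| parse_nginx_line(l) }.compact
end

# Clients with at least `min_errors` 4xx/5xx responses, noisiest first.
def noisy_clients(records, min_errors: 3)
  counts = Hash.new(0)
  records.each { |r| counts[r[:ip]] += 1 if r[:response] >= 400 }
  counts.select { |_ip, n| n >= min_errors }.sort_by { |ip, n| [-n, ip] }.to_h
end

# Constructed sample log: one normal browser, one HTTP/1.0 scanner, one garbage line.
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [21/Jan/2015:17:03:11 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
  203.0.113.7 - - [21/Jan/2015:17:03:12 +0000] "GET /favicon.ico HTTP/1.1" 404 162 "http://example.org/" "Mozilla/5.0"
  198.51.100.9 - - [21/Jan/2015:17:04:01 +0000] "GET /wp-login.php HTTP/1.0" 404 162 "-" "Mozilla/4.0 (compatible; scanner)"
  198.51.100.9 - - [21/Jan/2015:17:04:01 +0000] "GET /phpmyadmin/ HTTP/1.0" 404 162 "-" "Mozilla/4.0 (compatible; scanner)"
  198.51.100.9 - - [21/Jan/2015:17:04:02 +0000] "POST /xmlrpc.php HTTP/1.0" 403 162 "-" "Mozilla/4.0 (compatible; scanner)"
  this line is garbage and must be skipped
LOG

if __FILE__ == $PROGRAM_NAME
  records = parse_nginx_log(SAMPLE_LOG)
  puts "parsed #{records.size} of #{SAMPLE_LOG.lines.size} lines"
  noisy_clients(records).each { |ip, n| puts "#{ip}: #{n} error responses" }
end
```

Anchoring with \A and \z and returning nil on a miss matters in practice: a parser that silently accepts partial matches is how a crafted User-Agent ends up shifting fields in your database.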
@jeffgeiger
jeffgeiger / intel_report.sh
Created January 21, 2015 17:03
Hourly Bro intel report
#!/bin/bash
# Every Bro log starts with 8 "#" header lines (separator, set_separator, empty_field,
# unset_field, path, open, fields, types), so more than 8 lines means at least one hit.
INTEL_LOG=/nsm/bro/logs/current/intel.log
LINES=$(wc -l < "$INTEL_LOG")
if [[ $LINES -gt 8 ]]; then
  # Indicators come from untrusted feeds, so escape them before they land in an HTML mail body.
  BODY=$(sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's#$#<br />#' "$INTEL_LOG")
  echo -e "<font face='monospace, monospace' size='1'>\n<pre>\n${BODY}\n</pre>\n</font>" \
    | mail -a "Content-Type: text/html" -s "Bro Intel Hits - $(date)" some.address@domain.tld
fi
exit 0
@jeffgeiger
jeffgeiger / file_extract.bro
Created November 25, 2014 17:49
File extraction with executables and archives
# MIME type reported by Bro's file analysis -> extension given to the extracted file
global ext_map: table[string] of string = {
["application/x-dosexec"] = "exe",
["application/zip"] = "zip",
["application/x-gtar"] = "tar",
["application/x-rar-compressed"] = "rar",
["application/x-apple-diskimage"] = "dmg",
["application/x-7z-compressed"] = "7z",
["application/x-gzip"] = "gz",
["application/x-bzip2"] = "bz",
["application/x-lzma"] = "lzma",
@jeffgeiger
jeffgeiger / rock_rotate.sh
Last active August 29, 2015 14:10
Cleanup script for files and logs in ROCK
#!/bin/bash
# One archive directory per run, named by the minute it started
DATEDIR=$(date +%Y-%m-%d_%H:%M:00)
BRO_FILES_DIR="/capes/bro/extract"
BRO_FILES_ARCHIVE="/capes/bro/extract/${DATEDIR}"
PCAP_FILES_DIR="/pcap/"
PCAP_FILES_ARCHIVE="/pcap/${DATEDIR}"
mkdir -p "$BRO_FILES_ARCHIVE"
mkdir -p "$PCAP_FILES_ARCHIVE"
@jeffgeiger
jeffgeiger / etc_sysconfig_netsniff-ng
Last active October 20, 2017 06:33
example /etc/sysconfig environment file for a netsniff-ng systemd unit
# Interface to capture from (placed in promiscuous mode)
PROM_INTERFACE=enp0s8
# uid/gid netsniff-ng drops privileges to (99 is "nobody" on RHEL-style systems)
USER=99
GROUP=99
# Rotate to a new pcap file every 5 minutes
INTERVAL=5min
DATA_DIR=/pcap/
@jeffgeiger
jeffgeiger / update_blacklist.sh
Created October 15, 2014 13:30
Update IPTables with IP's from OpenBL
#!/bin/bash
CHAIN=block-traffic-from-openbl
# Create the chain and hook it into INPUT on first run (-nL <chain> fails when it does not exist).
if ! /sbin/iptables -nL "$CHAIN" >/dev/null 2>&1; then
  /sbin/iptables -N "$CHAIN"
  /sbin/iptables -A INPUT -j "$CHAIN"
fi
# Fetched over plain HTTP with no integrity check: anything on the path can add addresses to the DROP chain.
# The anchored pattern keeps only lines that are a bare dotted quad.
BLACKLIST=$(/usr/bin/curl -fs http://www.openbl.org/lists/base_7days.txt.gz | gunzip | grep -E "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$")
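Validating the feed before it becomes firewall rules, as an added example that is not the gist's code. The gist passes whatever matched a loose IPv4 regex from a plain-HTTP download straight to iptables, so an on-path attacker or a malformed feed can make the box drop traffic from any address, including its own management hosts. The exempt networks and the allow list are assumed policy, and the feed text is constructed.

```ruby
require 'ipaddr'

# Added example, not the gist's code. Validates every candidate address from a
# blacklist feed before it becomes a DROP rule and emits an iptables-save style
# fragment for the chain. Exempt networks and the allow list are assumptions.

# Never generate DROP rules for these, whatever the feed says.
NEVER_BLOCK = %w[0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12
                 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4].map { |c| IPAddr.new(c) }

# Returns [accepted_ips, rejected_lines]. `allow` lists your own
# addresses/networks (CIDR strings) that must never be blocked.
def sanitize_blacklist(text, allow: [])
  exempt = NEVER_BLOCK + allow.map { |a| IPAddr.new(a) }
  good = []
  rejected = []
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    # Exactly one bare dotted quad: no CIDR, no ranges, no trailing junk.
    unless line.match?(/\A\d{1,3}(?:\.\d{1,3}){3}\z/)
      rejected << line
      next
    end
    begin
      ip = IPAddr.new(line)            # rejects octets above 255
    rescue IPAddr::InvalidAddressError
      rejected << line
      next
    end
    if exempt.any? { |net| net.include?(ip) }
      rejected << line
      next
    end
    good << ip.to_s
  end
  [good.uniq, rejected]
end

# iptables-save format for the chain. Flush the chain and load this with
# `iptables-restore --noflush` so the rule set is replaced rather than appended to.
def iptables_restore_fragment(ips, chain: 'block-traffic-from-openbl')
  lines = ['*filter', ":#{chain} - [0:0]"]
  lines.concat(ips.map { |ip| "-A #{chain} -s #{ip} -j DROP" })
  lines << 'COMMIT'
  lines.join("\n") + "\n"
end

# Constructed feed in the style of base_7days.txt, with the kinds of lines
# a loose regex would let through.
SAMPLE_FEED = <<~FEED
  # constructed feed
  203.0.113.7
  198.51.100.23
  203.0.113.7
  10.1.2.3
  999.1.1.1
  203.0.113.0/24
  127.0.0.1
  198.51.100.250
  ; DROP TABLE
FEED

if __FILE__ == $PROGRAM_NAME
  good, bad = sanitize_blacklist(SAMPLE_FEED, allow: ['198.51.100.250/32'])
  puts iptables_restore_fragment(good)
  warn "rejected: #{bad.inspect}"
end
```

Fetching over HTTPS and checking a published hash or signature, where the feed offers one, is still the real fix; the validation above only limits what a bad feed can do to you.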
@jeffgeiger
jeffgeiger / gist:75cfeeecbd802e82e7bc
Created October 7, 2014 21:44
OSX Password Prompt
# Credit: http://fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html
# Brings System Preferences to the front so the dialog appears to belong to it; "hidden answer" masks the typed password.
osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to display dialog "Software Update requires that you type your password to apply changes." & return & return default answer "" with icon 1 with hidden answer with title "Software Update"'
@jeffgeiger
jeffgeiger / gist:0397041a12f6b48cb494
Last active August 29, 2015 14:03
Messages Backup
sqlite3 /Users/$USER/Library/Messages/chat.db <<EOF
.mode line
-- chat.db stores "date" as seconds since 2001-01-01 (the Cocoa epoch), not the Unix epoch,
-- so add 978307200 before converting. On macOS 10.13 and later the column holds
-- nanoseconds, so divide by 1000000000 first.
select ROWID, text, datetime(date + 978307200, 'unixepoch', 'localtime') as date from message where handle_id = (select ROWID from handle where id = '+12223334444');
EOF
@jeffgeiger
jeffgeiger / dns_anomaly.sh
Created June 29, 2014 02:23
DNS Anomaly Detection
#!/bin/bash
export PATH=/opt/bro/bin:$PATH
BRO_LOGS="/nsm/bro/logs"
TODAY=$(date +%Y-%m-%d)
YESTERDAY=$(date -d yesterday +%Y-%m-%d)
# Every dated log directory except today's and yesterday's forms the baseline
OLD_DIRS=$(ls "$BRO_LOGS" | grep -Ev "current|stats|$TODAY|$YESTERDAY")
# Private temp directory: fixed names under /tmp are open to symlink attacks on shared hosts
TMPDIR=$(mktemp -d)
OLDLOG=$TMPDIR/oldlog
NEWLOG=$TMPDIR/newlog
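Both intel_report.sh above and this script work on Bro's tab-separated logs with wc/egrep. As an added example that is not from either gist, here is a small reader that takes its column names from the "#fields" header, used for both jobs: counting real intel.log hits (the "more than 8 lines" test works because every Bro log carries 8 "#" header lines) and listing DNS names queried today that never appear in the baseline logs. All log contents are constructed samples with a reduced field set.

```ruby
require 'set'

# Added example, not from the gists: a Bro/Zeek TSV log reader plus the two
# checks the shell scripts do with wc and egrep. Sample logs are constructed.

# Builds Bro-format log text: the 8 "#" header lines every Bro log carries,
# the data rows, and the "#close" footer a rotated log gets.
def bro_log_text(path, fields, rows)
  header = ["#separator \\x09", "#set_separator\t,", "#empty_field\t(empty)",
            "#unset_field\t-", "#path\t#{path}", "#open\t2015-01-21-17-00-00",
            "#fields\t#{fields.join("\t")}", "#types\t#{fields.map { 'string' }.join("\t")}"]
  (header + rows.map { |r| r.join("\t") } + ["#close\t2015-01-21-18-00-00"]).join("\n") + "\n"
end

# Returns one Hash per data row, keyed by the names from "#fields".
def parse_bro_log(text)
  fields = nil
  sep = "\t"
  rows = []
  text.each_line do |raw|
    line = raw.chomp
    next if line.empty?
    if line.start_with?('#')
      if line.start_with?('#separator ')
        # Written as e.g. "\x09"; decode it so a non-default separator still works.
        sep = line.split(' ', 2)[1].gsub(/\\x([0-9a-fA-F]{2})/) { $1.hex.chr }
      elsif line.start_with?('#fields')
        fields = line.split(sep)[1..-1]
      end
      next
    end
    raise ArgumentError, 'data row before #fields header' unless fields
    rows << fields.zip(line.split(sep, -1)).to_h
  end
  rows
end

# Intel hits per indicator: a real count instead of the line-count heuristic.
def intel_hits(text)
  parse_bro_log(text).each_with_object(Hash.new(0)) { |r, h| h[r['seen.indicator']] += 1 }
end

# Query names present in today's dns.log but in none of the baseline logs.
def new_dns_queries(baseline_logs, today_log)
  seen = Set.new(baseline_logs.flat_map { |t| parse_bro_log(t).map { |r| r['query'] } })
  parse_bro_log(today_log).map { |r| r['query'] }
                          .reject { |q| q.nil? || q == '-' || seen.include?(q) }
                          .uniq.sort
end

INTEL_FIELDS = %w[ts uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator seen.indicator_type seen.where sources]
SAMPLE_INTEL = bro_log_text('intel', INTEL_FIELDS, [
  %w[1421859791.123456 CXWv6p3arKYeMETxOg 10.0.0.5 51234 203.0.113.7 80 bad.example Intel::DOMAIN DNS::IN_REQUEST constructed-feed],
  %w[1421859800.000000 CjhGID4nQcgTWjvg4c 10.0.0.9 44100 198.51.100.9 443 198.51.100.9 Intel::ADDR Conn::IN_RESP constructed-feed],
  %w[1421859805.500000 C4J4Th3PJpwUYZZ6gc 10.0.0.5 51240 203.0.113.7 80 bad.example Intel::DOMAIN DNS::IN_REQUEST constructed-feed],
])

DNS_FIELDS = %w[ts uid id.orig_h id.resp_h query qtype_name rcode_name]
BASELINE_DNS = [
  bro_log_text('dns', DNS_FIELDS, [%w[1421700000.1 Cabc1 10.0.0.5 10.0.0.2 www.example.org A NOERROR],
                                   %w[1421700001.2 Cabc2 10.0.0.5 10.0.0.2 update.example.org A NOERROR]]),
  bro_log_text('dns', DNS_FIELDS, [%w[1421786400.3 Cabc3 10.0.0.9 10.0.0.2 www.example.org A NOERROR],
                                   %w[1421786401.4 Cabc4 10.0.0.9 10.0.0.2 mail.example.org MX NOERROR]]),
]
TODAY_DNS = bro_log_text('dns', DNS_FIELDS, [
  %w[1421859700.5 Cabc5 10.0.0.5 10.0.0.2 www.example.org A NOERROR],
  %w[1421859701.6 Cabc6 10.0.0.5 10.0.0.2 xyz.example A NXDOMAIN],
  %w[1421859702.7 Cabc7 10.0.0.9 10.0.0.2 c2.example TXT NOERROR],
  %w[1421859703.8 Cabc8 10.0.0.9 10.0.0.2 c2.example TXT NOERROR],
  %w[1421859704.9 Cabc9 10.0.0.9 10.0.0.2 - A NOERROR],
])

if __FILE__ == $PROGRAM_NAME
  puts "intel hits: #{intel_hits(SAMPLE_INTEL)}"
  puts "new DNS names today: #{new_dns_queries(BASELINE_DNS, TODAY_DNS)}"
end
```

Reading the header instead of hard-coding column positions is what keeps a check like this working when a Bro upgrade or a local script adds a field in the middle of dns.log.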
@jeffgeiger
jeffgeiger / spam_functions.sh
Created September 25, 2013 19:25
Shell functions to help clean up postfix after compromised credentials are used for spamming.
# Kill live SMTP sessions from every client IP that authenticated as the given SASL user.
# awk splits on [ and ], so $4 is the address in "client=host[ip]"; grep -w keeps "bob"
# from matching "bobby" and 1.2.3.4 from matching 1.2.3.45.
whackspam() {
  if [ $# -lt 1 ]; then echo "Usage: whackspam <sasl_username>"; return 1; fi
  for i in $(grep -w "sasl_username=$1" maillog | awk -F'[][]' '{print $4}' | sort -u); do
    for j in $(netstat -na | grep -w "$i" | awk '{print $5}' | awk -F: '{print $1}'); do
      perl -e "alarm 7; exec @ARGV" "tcpkill -i vlan102 -9 host $j"
    done
  done
}
# Delete every queued message whose mailq entry matches the search term (e.g. the abused sender address).
cleanqueue() {
  if [ $# -lt 1 ]; then echo "Usage: cleanqueue <search term>"; return 1; fi
  for i in $(mailq -bpc | grep "$1" | grep -Ev "^ " | awk '{print $1}'); do postsuper -d "$i"; done
}
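whackspam assumes you already know which SASL account was abused. The triage step that finds it, as an added example that is not the gist's code: parse postfix smtpd log lines, count authenticated messages per sasl_username and collect the client IPs each account sent from, since a mailbox that suddenly submits from many unrelated addresses is the usual signature of stolen credentials. The thresholds are assumptions and the log lines are constructed.

```ruby
require 'set'

# Added example, not from the gist. Finds abused SASL accounts in postfix
# smtpd log lines before whackspam/cleanqueue are run against them.

# Same fields the gist's awk pulls out ("client=host[ip]" and "sasl_username="),
# matched explicitly instead of by bracket position.
MAILLOG_SASL = /\bclient=(?<host>[^\[\s]+)\[(?<ip>[^\]]+)\].*\bsasl_username=(?<user>\S+)/

# { sasl_username => { count: messages, ips: Set of client addresses } }
def sasl_activity(text)
  stats = Hash.new { |h, k| h[k] = { count: 0, ips: Set.new } }
  text.each_line do |line|
    m = MAILLOG_SASL.match(line)
    next unless m                      # unauthenticated connections are not of interest here
    stats[m[:user]][:count] += 1
    stats[m[:user]][:ips] << m[:ip]
  end
  stats
end

# Accounts sending from more than `max_ips` distinct clients or more than
# `max_count` messages in the sampled window (thresholds are assumptions; tune them).
def suspicious_accounts(stats, max_ips: 2, max_count: 50)
  stats.select { |_user, s| s[:ips].size > max_ips || s[:count] > max_count }.keys.sort
end

# Constructed sample: alice behaves normally, bob's credentials are being used
# from four addresses, and one line is an unauthenticated relay connection.
SAMPLE_MAILLOG = <<~LOG
  Sep 25 19:20:01 mx postfix/smtpd[4021]: 3C8E7A0B1: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=alice
  Sep 25 19:20:05 mx postfix/smtpd[4021]: 3C8E7A0B2: client=mail.example.net[198.51.100.2]
  Sep 25 19:21:10 mx postfix/smtpd[4022]: 3C8E7A0B3: client=unknown[198.51.100.40], sasl_method=PLAIN, sasl_username=bob
  Sep 25 19:21:11 mx postfix/smtpd[4022]: 3C8E7A0B4: client=unknown[198.51.100.41], sasl_method=PLAIN, sasl_username=bob
  Sep 25 19:21:12 mx postfix/smtpd[4023]: 3C8E7A0B5: client=unknown[192.0.2.77], sasl_method=PLAIN, sasl_username=bob
  Sep 25 19:21:13 mx postfix/smtpd[4023]: 3C8E7A0B6: client=unknown[192.0.2.78], sasl_method=PLAIN, sasl_username=bob
  Sep 25 19:22:00 mx postfix/smtpd[4021]: 3C8E7A0B7: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=alice
LOG

if __FILE__ == $PROGRAM_NAME
  stats = sasl_activity(SAMPLE_MAILLOG)
  suspicious_accounts(stats).each do |user|
    puts "#{user}: #{stats[user][:count]} msgs from #{stats[user][:ips].to_a.join(', ')}"
  end
end
```

The IP set for a flagged account is exactly what whackspam derives on the fly; computing it once here also gives you the list to hand to the firewall or to the user's password-reset ticket.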