Jorrit Folmer jorritfolmer

@jorritfolmer
jorritfolmer / gist:c421749cd1520b8e2425bd80dc7f25de
Created Feb 16, 2021
Regex to parse AWS Route53 DNS logging in Splunk via CloudWatch logs

AWS Route53 DNS logging via CloudWatch Logs

^\S+ \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z \S+ (?<query>\S+) (?<record_type>\S+) (?<reply_code>\S+) (?<transport>\w+) (?<dest>\S+) (?<src>\S+) (?<vendor_edns_client_subnet>\S+)

Field order of the AWS Route 53 query log format: log version, timestamp (the seconds carry a fractional part, hence the optional \.\d+), hosted zone ID, query name, query type, response code, protocol, Route 53 edge location (captured here as dest), resolver IP address (captured as src) and EDNS client subnet, which Route 53 writes as "-" when the resolver sent none.
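As an added example (not part of the gist), the same field layout applied in Python: a parser with the field names used in the Splunk rex above, run over a few constructed Route 53 log lines, followed by a small NXDOMAIN-per-resolver count of the kind you would then do in Splunk. The sample lines, hosted zone ID and resolver addresses are made up for the example.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Field order follows the AWS documentation for Route 53 query logging:
# version, timestamp, hosted zone ID, query name, query type, response code,
# protocol, edge location, resolver address, EDNS client subnet.
ROUTE53_RE = re.compile(
    r"^(?P<version>\S+) "
    r"(?P<timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z) "
    r"(?P<hosted_zone_id>\S+) "
    r"(?P<query>\S+) "
    r"(?P<record_type>\S+) "
    r"(?P<reply_code>\S+) "
    r"(?P<transport>\w+) "
    r"(?P<dest>\S+) "
    r"(?P<src>\S+) "
    r"(?P<vendor_edns_client_subnet>\S+)$"
)

# Constructed sample lines in the documented format; not real traffic.
SAMPLE_LOG = """\
1.0 2021-02-16T10:00:01.130Z Z0123456789ABCDEFGHIJ www.example.com A NOERROR UDP AMS1 203.0.113.10 198.51.100.0/24
1.0 2021-02-16T10:00:02.004Z Z0123456789ABCDEFGHIJ mail.example.com MX NOERROR TCP AMS1 203.0.113.10 -
1.0 2021-02-16T10:00:02.517Z Z0123456789ABCDEFGHIJ kx7v2p.example.com A NXDOMAIN UDP FRA2 192.0.2.77 -
1.0 2021-02-16T10:00:03.001Z Z0123456789ABCDEFGHIJ q9mz3l.example.com A NXDOMAIN UDP FRA2 192.0.2.77 -
1.0 2021-02-16T10:00:03.250Z Z0123456789ABCDEFGHIJ zz1a0b.example.com A NXDOMAIN UDP FRA2 192.0.2.77 -
this line is not a route53 record
"""


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the named fields of one log line, or None if it does not match."""
    m = ROUTE53_RE.match(line.strip())
    if not m:
        return None
    event: Dict[str, Optional[str]] = dict(m.groupdict())
    # Route 53 writes "-" when the query carried no EDNS client subnet option.
    if event["vendor_edns_client_subnet"] == "-":
        event["vendor_edns_client_subnet"] = None
    return event


def parse_log(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse every line, skipping lines that are not Route 53 records."""
    events = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            events.append(ev)
    return events


def nxdomain_counts(events: List[Dict[str, Optional[str]]]) -> Dict[str, int]:
    """Count NXDOMAIN answers per resolver address (the src field)."""
    return dict(Counter(e["src"] for e in events if e["reply_code"] == "NXDOMAIN"))


def noisy_resolvers(events: List[Dict[str, Optional[str]]], threshold: int = 3) -> List[str]:
    """Resolvers with at least `threshold` NXDOMAIN answers: a crude hint for
    DGA-style lookups or typo storms, worth a closer look in Splunk."""
    return sorted(src for src, n in nxdomain_counts(events).items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(len(evs), "events parsed")
    print("NXDOMAIN per resolver:", nxdomain_counts(evs))
    print("noisy resolvers:", noisy_resolvers(evs))
```

The non-matching last line is dropped rather than raising, which is the behaviour you want when CloudWatch Logs hands you a mixed stream; count the drops separately if you need to know how much of the feed the regex does not understand.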

jorritfolmer / gist:d6713c344e173765b06352b858b186ba

Installing MITRE Caldera on RHEL7

Doesn't seem to want to run in a virtualenv, not sure why.

Steps

  1. yum install rh-python36
  2. yum install gcc
  3. scl enable rh-python36 bash
  4. git clone https://github.com/mitre/caldera.git --recursive --branch 2.7.0
jorritfolmer / transpose_mitre_eval_apt29.md
Created Apr 27, 2020
Transpose MITRE EDR APT29 results for better Splunking

Onboarding MITRE EDR evaluations round 2 (APT29) into Splunk

MITRE have just published the JSON results of their EDR evaluations simulating APT29. As with round 1, the nested structure of the files makes them hard to search in Splunk. Use this Python script to transpose them for easier Splunking.

Usage

$ python transpose_mitre_eval_apt29.py file.json > file_for_splunk.json
jorritfolmer / transpose_mitre_attack_evals.md
Last active Apr 27, 2020
Script to transpose JSON files from MITRE ATTACK EDR evaluations for easier use in Splunk

Comparing MITRE ATTACK evaluations of EDR software in Splunk, APT3

The JSON results of the APT3 evaluations can be found here: Round 1, APT3. For easier Splunking, transpose the JSON files from MITRE with the script below. This lets you run searches that compare the detection results of each EDR vendor.

Usage

$ python transpose_mitre_eval.py file_from_mitre.json > better_file_for_splunking.json
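The transpose scripts themselves are not shown in the listing. As an added example that is not the gist's code, this is the idea behind "transposing" for both the APT3 and the APT29 files: a nested per-vendor results file becomes one flat JSON object per detection, so Splunk indexes one event per detection with the technique and step context carried along. The nesting and key names used here (Vendor, Techniques, Steps, Detections, DetectionType, Modifiers) are an assumed, simplified layout for the example, and the sample input is constructed; map them to the keys in the real MITRE files.

```python
import json
import sys
from collections import Counter
from typing import Any, Dict, List

# Constructed input in an assumed, simplified layout; not MITRE data.
SAMPLE_RESULTS: Dict[str, Any] = {
    "Vendor": "ExampleEDR",
    "Techniques": [
        {
            "TechniqueId": "T1059",
            "TechniqueName": "Command and Scripting Interpreter",
            "Steps": [
                {
                    "SubStep": "1.A.1",
                    "Detections": [
                        {"DetectionType": "Technique", "Modifiers": ["Alert"]},
                        {"DetectionType": "Telemetry", "Modifiers": []},
                    ],
                },
                {"SubStep": "1.A.2", "Detections": []},
            ],
        },
        {
            "TechniqueId": "T1003",
            "TechniqueName": "OS Credential Dumping",
            "Steps": [
                {
                    "SubStep": "2.B.1",
                    "Detections": [{"DetectionType": "General", "Modifiers": ["Delayed"]}],
                }
            ],
        },
    ],
}


def transpose(results: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Flatten vendor -> technique -> step -> detection into one dict per detection.

    A step with no detections still yields one record with detection_type
    "None", so misses can be counted and compared across vendors in Splunk
    instead of silently disappearing from the data."""
    vendor = results["Vendor"]
    flat: List[Dict[str, Any]] = []
    for tech in results.get("Techniques", []):
        for step in tech.get("Steps", []):
            detections = step.get("Detections") or [{"DetectionType": "None", "Modifiers": []}]
            for det in detections:
                flat.append(
                    {
                        "vendor": vendor,
                        "technique_id": tech["TechniqueId"],
                        "technique_name": tech["TechniqueName"],
                        "substep": step["SubStep"],
                        "detection_type": det["DetectionType"],
                        "modifiers": list(det.get("Modifiers", [])),
                    }
                )
    return flat


def to_splunk_json(results: Dict[str, Any]) -> str:
    """Newline-delimited JSON: one complete object per line, which Splunk
    breaks into one event per line with a _json sourcetype."""
    return "".join(json.dumps(ev, sort_keys=True) + "\n" for ev in transpose(results))


def detection_summary(results: Dict[str, Any]) -> Dict[str, int]:
    """Records per detection type, the first thing you would chart in Splunk."""
    return dict(Counter(ev["detection_type"] for ev in transpose(results)))


if __name__ == "__main__":
    # Usage: python transpose_example.py file_from_mitre.json > file_for_splunk.json
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE_RESULTS
    sys.stdout.write(to_splunk_json(data))
```

Run it once per vendor file and index the outputs into one Splunk index; because every event carries the vendor, technique_id and substep fields, a `stats count by vendor, detection_type` or a per-substep comparison across vendors is then a single search.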
jorritfolmer / Systemd unit file for Splunk.md
[Unit]
After=network.target
Wants=network.target
Description=Splunk Enterprise


[Service]
Type=forking
RemainAfterExit=False
jorritfolmer / qemu-kvm-ovirt-windows-server-2016.md
Last active Mar 12, 2021
Installing Windows Server 2016 on oVirt qemu/kvm

Installing Windows Server 2016 on Ovirt v4 qemu/kvm

The install fails with BSOD and "Your PC ran into a problem and needs to restart. We're just collecting some error info, and then we'll restart for you."

[image: Windows installer BSOD on qemu/kvm]

After reboot it returns with the following message: "The computer restarted unexpectedly or encountered an unexpected error. Windows installation cannot proceed. To install Windows, click OK to restart the computer, and then restart the installation.":

[image: Windows installer restarted unexpectedly on qemu/kvm]

jorritfolmer / gist:bc6374b48bde2ba99f983cc0889da8a9
Last active Aug 30, 2018
NXlog config to create a syslog server on Windows

NXlog config to create a syslog server on Windows

Creates a log file for each connecting syslog client, named after its IP address. It also rotates the files, limiting the archive to 5 log files of 100M each. This config is meant to let a Splunk Universal Forwarder collect the syslog files, using the following inputs.conf:

inputs.conf (Splunk):

[monitor://c:/log/192.168.1.1/*.log]
jorritfolmer / rhel7-docker-splunk.md

Dockerfile

# Well ok CENTOS then
FROM centos:7

# Point to your local repository with Splunk(forwarder)s
RUN echo $'[splunk]\n\
name=Splunk\n\
baseurl=http://repo.testlab.local/splunk\n\
jorritfolmer / rhel7-docker-quickstart.md
Last active Jan 8, 2016
Docker on RHEL7 quickstart, the OpenVZ way

Docker on RHEL 7 quickstart

NOTE: below is an attempt to build a container that can be used as an OS container instead of an application container, like OpenVZ but using Docker. Currently this requires running the containers in privileged mode, which does not isolate the containers from the host or from each other in a secure fashion.

It does result in a container with a public IP address, running systemd, that you can also SSH into.

Prerequisites: enable the rhel-7-server-extras-rpms yum repository

Installation

jorritfolmer / libnss_ato.spec.md

Spec file to generate libnss-ato RPMS for RHEL systems

Name:		libnss-ato
Version:	1.0
Release:	1%{?dist}
Summary:	NSS catchall module

Group:		System Environment/Libraries
License:	GPL 2.0