# MISP WEB SERVER CONFIGURATION | |
server { | |
server_name {{server_name}}; | |
listen 443 ssl; | |
root /var/www/MISP/app/webroot; | |
index index.php; | |
access_log /var/log/nginx/misp.access.log; | |
error_log /var/log/nginx/misp.error.log; |
upstream elasticsearch { | |
server 127.0.0.1:19200; | |
keepalive 15; | |
} | |
server { | |
listen 9200; | |
location / { | |
limit_except GET POST PUT { |
upstream kibana { | |
server 127.0.0.1:5601; | |
keepalive 15; | |
} | |
server { | |
listen 80 default_server; | |
server_name _; | |
location / { |
URIs: | |
/isma.php | |
/dug.php | |
/rss.php | |
/power2.php | |
/mm.php | |
IPs: | |
45.7.230.59 | |
45.7.230.85 |
#!/usr/bin/env python3 | |
# This is a script to query the Kaspersky OpenTIP | |
# Dunno if the "cym9cgwjk" header is going to expire, but you can get it from a normal connection to the platform. | |
# And sorry Kaspersky if you don't intend the platform to be used like this, I can remove this content | |
import requests | |
import sys | |
from os import path | |
cym9cgwjk = "G27TVJWVYdVHJW15auIG0v3ViYJJmqWi7leK4mPw/BgKEAAAAAAAAAAAAAD//y0H5/YSEB4pNeCdtYNFyD9vmrTrDIQY2azN0/su" |
#! /usr/bin/env python3 | |
import json | |
import logging | |
import zmq | |
import time | |
import re | |
from pymisp import ExpandedPyMISP | |
#################################### |
rule detect_strange_msi { | |
meta: | |
author = "Ricardo Monreal (@joydragon)" | |
description = "Yara de prueba para detectar patrones extraños de campaña de N40/Mekotio en Chile. Actualizada 2021-11-03" | |
strings: | |
// Hex que diga "Fichero", "TGR" o "Arquivo ... cargando" como parte del "Subject" | |
$bytes_1 = { 03 00 00 00 0a 00 00 00 1e 00 00 00 ?? 00 00 00 46 69 63 68 65 72 6f 00 1e } | |
$bytes_2 = { 03 00 00 00 0a 00 00 00 1e 00 00 00 ?? 00 00 00 54 47 52 00 1e } | |
$bytes_3 = { 03 00 00 00 0a 00 00 00 1e 00 00 00 ?? 00 00 00 41 72 71 75 69 76 6f 20 2e 2e 2e 20 63 61 72 67 61 6e 64 6f 00 00 00 00 1e } |