
JP. Clipffel jpclipffel

  • Switzerland
@jpclipffel
jpclipffel / chromium.sh
Created February 8, 2015 18:05
Chromium "better" launcher
#!/bin/bash
# A Chromium launcher which disables some features; it -should- improve privacy
# and speed up browsing.
# Flags list: http://peter.sh/experiments/chromium-command-line-switches/
CHROMIUM="chromium"
$CHROMIUM \
--incognito \
--cryptauth-http-host "" \
@jpclipffel
jpclipffel / cpp_class.cpp
Last active November 8, 2017 16:45
C++ 11 class prototype
#include "class.hh"
/**
* Default constructor.
* Initialize class attributes using an initialization list.
*/
myClass::myClass():
number(42),
letter('A')
{
@jpclipffel
jpclipffel / C++ - Dynamic Library
Last active November 8, 2017 16:51
C++ module and module loader example
Example of a C++ module (i.e. a dynamic library which exports an object).
* cpp_imod.hh: Module interface;
* cpp_module.hh: Module implementation header;
* cpp_module.cpp: Module implementation source;
* cpp_modloader-dlfcn.cpp: Load and call module.
# Select the search space (index, sourcetype, eventtypes, ...) and basic filters (ip, range, ...)
index=* sourcetype="my_super_ids" src!=64.39.96.0/20
# Optional - Normalize the action values to a small set.
| eval action=case(action="allowed", "allowed", action="blocked", "blocked", true(), "not_allowed")
# Group the results over the required dimensions (usually source/destination/action).
| stats count(action) as action_count by src, dest, action
# Reduce the dimensions count to facilitate the analysis.
@jpclipffel
jpclipffel / Python - Inheritance and new.py
Last active June 11, 2018 09:21
Example of Python's __new__ used in conjunction with inheritance
import sys
class Root:
# Derived class references.
# As the classes Alpha and Beta are not already defined, their names are
# stored instead of their reference ("Alpha" instead of Alpha).
__derived = {
"alpha": {"class": "Alpha", "count": 0},
@jpclipffel
jpclipffel / Python - Remove duplicates from list.py
Last active June 11, 2018 09:30
Remove duplicate items from a list in one line (with and without order preservation)
# Data set.
data = ['a', 'b', 'b', 'c', 'd', 'e', 'a', 'f', 'e']
# Solution 1 - Keep first occurrence only (preserves the list order)
print([ v for p, v in enumerate(data) if v not in data[0:data.index(v, p)] ])
# Solution 2 - Keep last occurrence only (preserves the list order)
print([ v for p, v in enumerate(data) if v not in data[data.index(v, p)+1:] ])
# Solution 3 - Using 'set' (does **not** preserve the list order!)
@jpclipffel
jpclipffel / Elasticsearch - Aggregations and buckets filtering.md
Last active November 3, 2018 08:47
Elasticsearch - Aggregations and buckets filtering

How to aggregate search results over specific fields (Buckets Aggregations), calculate their properties (Metrics Aggregation) and filter buckets on their properties (Pipeline Aggregation).

Scenario

This is the search scenario (what we would like to catch):

Find out a potential web sweep (an attacker looking for listening HTTP servers in the network). If a single IP tries to connect to too many hosts on the same port, it may indicate suspicious activity.

Initial search

Search for all documents with a dest_port field matching the value 80 over the past 3 days.

Splunk - Data input routing

How to map logs received from multiple hosts on the same local port to the correct sourcetype and index.

Scenario

The Splunk data input UDP:514 receives events from the following devices:

  • 10.0.0.1: A Netfilter firewall
  • 10.0.0.2: A Squid proxy instance (1/2)
  • 10.0.0.3: A Squid proxy instance (2/2)

We want to separate logs coming from the Firewall (10.0.0.1) and the Proxies (10.0.0.2 and 10.0.0.3):

Splunk - Simple alert whitelist

Whitelist definition

The CSV defines two columns:

  • alert_name: The Splunk alert on which the whitelisted IP (next column) is applied
  • The second column name must match with the alert field to whitelist

Example - src_ip_whitelist.csv

alert_name,      src_ip

Splunk - Swift SAA JSON logs

How to ingest Swift SAA (Swift Alliance Access) logs in Splunk

SAA configuration

The SAA must be configured to:

  • forward its logs through syslog
  • use the JSON (not formatted) format