| #!/usr/bin/env python3 | |
| from collections import namedtuple | |
| from fractions import gcd | |
| from math import ceil, sqrt | |
| # Calculating distances with bounces and stuff is...a pain, but given our bounce rules we | |
| # can instead construct infinite congruent rooms, mirrored about each other, which in | |
| # effect "unwraps" the bouncing line into just a straight one. In ascii form: |
When run on a box, outputs a single row of JSON for every proc on the box that loads a jar/war that contains any files with 'log4j' in them, including precisely what triggered the match. For example (pretty printed here for clarity; note that this one is happily a false positive):
{
"node": "HW0000001",
"time": 1632617610.3860812,
"pid": 78676,
"cmd": "/usr/local/opt/openjdk/libexec/openjdk.jdk/Contents/Home/bin/java",
"args": [
"-Xms128M",
| import z3 | |
| def sym_xoroshiro128plus(solver, sym_s0, sym_s1, mask, result): | |
| s0 = sym_s0 | |
| s1 = sym_s1 | |
| sym_r = (sym_s0 + sym_s1) | |
| condition = z3.Bool('c0x%0.16x' % result) | |
| solver.add(z3.Implies(condition, (sym_r & mask) == result & mask)) |
| [ | |
| { | |
| "music": [ | |
| { | |
| "artist": "Dinah Washington", | |
| "song": "Destination Moon", | |
| "time": "00:05:40.49" | |
| }, | |
| { | |
| "artist": "Frank Sinatra", |
| UPDATE <TABLE> SET | |
| <COLUMN>=<RANGE_TYPE>( | |
| lower(<COLUMN>), -- Swap out for actual value | |
| upper(<COLUMN>), -- Swap out for actual value | |
| concat( | |
| CASE WHEN lower_inc(<COLUMN>) THEN '[' ELSE '(' END, | |
| CASE WHEN upper_inc(<COLUMN>) THEN ']' ELSE ')' END | |
| ) | |
| ) | |
| WHERE <CONDITION>; |
| import re | |
| from urllib.parse import unquote | |
| FLAGS = re.IGNORECASE | re.DOTALL | |
| ESC_DOLLAR = r'(?:\$|[\\%]u0024||\\x24|\\0?44|%24)' | |
| ESC_LCURLY = r'(?:\{|[\\%]u007B|\\x7B|\\173|%7B)' | |
| ESC_RCURLY = r'(?:\}|[\\%]u007D|\\x7D|\\175|%7D)' | |
| _U_PERCENT_ESCAPE_RE = re.compile(r'%(u[0-9a-f]{4})', flags=FLAGS) | |
| _PERCENT_ESCAPE_RE = re.compile(r'%[0-9a-f]{2}', flags=FLAGS) |
| private rule Macho | |
| { | |
| meta: | |
| description = "private rule to match Mach-O binaries (copied from Apple's XProtect)" | |
| condition: | |
| uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca | |
| } | |
| rule ZoomDaemon | |
| { |
| #!/bin/env python3 | |
| import dataclasses | |
| import re | |
| import socket | |
| import ssl as _ssl | |
| import types | |
| from collections import namedtuple, OrderedDict | |
| from dataclasses import dataclass | |
| from io import StringIO | |
| from itertools import chain |
| {"Adair":{"4SE ORIENT":{"Bennet":{"First Expression":0.0,"Final Expression":0.0,"SDE":0.0},"Biden":{"First Expression":7.0,"Final Expression":7.0,"SDE":0.1569},"Bloomberg":{"First Expression":0.0,"Final Expression":0.0,"SDE":0.0},"Buttigieg":{"First Expression":6.0,"Final Expression":6.0,"SDE":0.1569},"Delaney":{"First Expression":0.0,"Final Expression":0.0,"SDE":0.0},"Gabbard":{"First Expression":0.0,"Final Expression":0.0,"SDE":0.0},"Klobuchar":{"First Expression":6.0,"Final Expression":6.0,"SDE":0.1569},"Patrick":{"First Expression":0.0,"Final Expression":0.0,"SDE":0.0},"Sanders":{"First Expression":6.0,"Final Expression":6.0,"SDE":0.0784},"Steyer":{"First Expression":0.0,"Final Expression":0.0,"SDE":0.0},"Warren":{"First Expression":9.0,"Final Expression":9.0,"SDE":0.2353},"Yang":{"First Expression":0.0,"Final Expression":0.0,"SDE":0.0},"Other":{"First Expression":0.0,"Final Expression":0.0,"SDE":0.0},"Uncommitted":{"First Expression":0.0,"Final Expression":0.0,"SDE":0.0}},"1NW ADAIR":{"Bennet":{"First Ex |
