Lennart Koopmann lennartkoopmann

🤠
View GitHub Profile
packetbeat.interfaces.device: any
packetbeat.protocols.dns:
  ports: [53]
  include_authorities: true
  include_additionals: true
name: tap
output.logstash:
  hosts: ["graylog.example.org:12200"]
[lennart@sundaysister ~ ]$ tar -cf test.tar Downloads/
load: 2.21 cmd: bsdtar 21161 running 0.00u 0.35s
In: 80 files, 62984192 bytes; Out: 62976000 bytes, compression 0%
Current: Downloads/DockerToolbox-1.11.0.pkg (48627712/188520546 bytes)
PUTVAL "temperatures/case_internal" interval=60 N:100.4
---
temperatures case_internal:GAUGE:U:U
@lennartkoopmann
lennartkoopmann / graylog_pipeline_rule_snort.rxt
Created July 19, 2016 21:26
Parsing a Snort alert message with the Graylog Processor Pipelines
rule "Extract Snort alert fields"
when
  has_field("message")
then
  let m = regex("^\\s?\\[(\\d+):(\\d+):(\\d+)\\] (.+?) \\[Classification: (.+?)\\] \\[Priority: (\\d+)] \\{(.+?)\\} (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}):(\\d{1,5}) -> (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}):(\\d{1,5})\\R?", to_string($message.message));
  set_field("snort_alert", true);
  set_field("generator_id", m["0"]);
  set_field("signature_id", m["1"]);
Time: 07/17-15:44:51.136436
event_ref: 0
192.168.1.4 -> 192.168.1.24 (portscan) TCP Portscan
Priority Count: 9
Connection Count: 10
IP Count: 1
Scanner IP Range: 192.168.1.4:192.168.1.4
Port/Proto Count: 10
Port/Proto Range: 23:8888
# Run complete. Total time: 00:05:07
Benchmark Mode Cnt Score Error Units
LazyQuantifierBenchmark.greedyMatchEarly avgt 50 2.432 ± 0.053 us/op
LazyQuantifierBenchmark.greedyMatchLate avgt 50 0.788 ± 0.045 us/op
LazyQuantifierBenchmark.lazyMatchEarly avgt 50 0.623 ± 0.003 us/op
LazyQuantifierBenchmark.lazyMatchLate avgt 50 2.281 ± 0.154 us/op
Input strings:
"early":
at=info status=302 method=GET path="/repo/debian/dists/trusty/1.2/binary-amd64/Packages.gz" host=packages.graylog2.org request_id=f9de9767-2aa1-4e64-8d82-36f8ace006e1 fwd="54.215.46.35" dyno=web.1 connect=0ms service=1ms bytes=287
"late":
at=info method=GET path="/repo/debian/dists/trusty/1.2/binary-amd64/Packages.gz" host=packages.graylog2.org request_id=f9de9767-2aa1-4e64-8d82-36f8ace006e1 fwd="54.215.46.35" dyno=web.1 connect=0ms service=1ms status=302 bytes=287
Regular expressions:
Regular expression: (a+)+Z
"unexpectedInput1": aaaaaaaaaaaaaaaaaaaaaa
"unexpectedInput2": aaaaaaaaaaaaaaaaaaaaaaa
"expectedInput": aaaaaaaaaaaaaaaaaaaaaaaZ
# Run complete. Total time: 00:02:35
Benchmark Mode Cnt Score Error Units
UnexpectedInputBenchmark.expectedInput avgt 50 0.186 ± 0.034 us/op
UnexpectedInputBenchmark.unexpectedInput1 avgt 50 246381.032 ± 23649.682 us/op
UnexpectedInputBenchmark.unexpectedInput2 avgt 50 453904.349 ± 23412.333 us/op
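Added example (mine, not one of the gists on this page): the benchmark above pairs (a+)+Z with inputs that lack the trailing Z. This Python version flags the nested-quantifier shape in a pattern's source, confirms the linear rewrite a+Z accepts exactly the same strings, and times the failing match on small inputs only. The helper names are my own.

```python
import re
import time

# Pattern and input shape from the UnexpectedInputBenchmark above; the helper
# names below are mine. Only small inputs are timed here, on purpose.
NESTED_PATTERN = r"(a+)+Z"   # quantified group whose body is itself quantified
LINEAR_PATTERN = r"a+Z"      # accepts exactly the same strings, without the nesting
EXPECTED_INPUT = "a" * 23 + "Z"
# The "unexpected" inputs are 22 and 23 a's with no Z. Before giving up, the engine
# tries every way of splitting the a-run between the inner and outer +: about 2^n attempts.

# Lint heuristic: a group ending in + or * that is itself followed by + or * or {m,n}.
# Catches the classic (x+)+ / (x*)* / (?:x+)* shape; it is not a full ReDoS analysis.
_NESTED_QUANTIFIER = re.compile(r"\((?:\?:)?[^()]*[+*]\)(?:[+*]|\{\d*,\d*\})")


def has_nested_quantifier(pattern: str) -> bool:
    """True if the pattern source contains a nested-quantifier group."""
    return _NESTED_QUANTIFIER.search(pattern) is not None


def same_decisions(pattern_a: str, pattern_b: str, samples) -> bool:
    """True if both patterns accept or reject every sample identically (fullmatch)."""
    return all(bool(re.fullmatch(pattern_a, s)) == bool(re.fullmatch(pattern_b, s))
               for s in samples)


def failing_match_seconds(pattern: str, n: int) -> float:
    """Seconds re.match needs to reject 'a' * n (the no-Z, unexpected-input case)."""
    start = time.perf_counter()
    re.match(pattern, "a" * n)
    return time.perf_counter() - start


if __name__ == "__main__":
    for p in (NESTED_PATTERN, LINEAR_PATTERN):
        print(f"{p:10s} nested quantifier: {has_nested_quantifier(p)}")
    print("same decisions:", same_decisions(NESTED_PATTERN, LINEAR_PATTERN,
                                            [EXPECTED_INPUT, "a" * 12, "Z", "", "aaZ"]))
    # Each extra 'a' roughly doubles the nested pattern's time, which is the
    # 246 ms -> 453 ms step between 22 and 23 a's in the benchmark above.
    for n in (12, 14, 16, 18):
        print(f"n={n:2d}  nested={failing_match_seconds(NESTED_PATTERN, n):.4f}s"
              f"  linear={failing_match_seconds(LINEAR_PATTERN, n):.6f}s")
```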
import java.util.concurrent.TimeUnit;
import java.util.regex.Pattern;
import org.openjdk.jmh.annotations.*;

@State(Scope.Benchmark)
@BenchmarkMode(Mode.AverageTime)
@OutputTimeUnit(TimeUnit.MICROSECONDS)
public class DateRegexBenchmark {
    // Sample syslog line that the three date patterns below are matched against.
    private static final String MESSAGE = "2015-12-15T07:36:25+00:00 sundaysister kernel[0]: **** [IOBluetoothHostControllerUSBTransport][ClearFeatureInterruptEndpointHalt] -- successfully posting another read for the mInt0InterruptPipe -- mInterruptPipeInOutstandingIOCount = 1 -- this = 0xb800";
    private static Pattern VERY_DESCRIPTIVE;
    private static Pattern DESCRIPTIVE;
    private static Pattern OPEN;