Lennart Haagsma lhaagsma
lhaagsma
/ port_to_service.py
Created
May 31, 2019 22:59
Download and provide interface to port to service (better then socket.getservbyport, as /etc/services is not always complete)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import os | |
| import csv | |
| import requests | |
| CSV_DIR = 'resources' | |
| CSV_PATH = 'resources/service-names-port-numbers.csv' | |
| URL = 'https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.csv' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import os | |
| import requests | |
| import StringIO | |
| import tarfile | |
| try: | |
| from geoip2.database import Reader | |
| GEO = True |
lhaagsma
/ fungly named regex for snort fast alert
Created
March 7, 2016 09:02
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| "(?P<timestamp>../../..-..:..:..\.[0-9]+) .... \[(?P<engine>[0-9]):(?P<sid>[0-9]+):(?P<revision>[0-9]+)\] (?P<msg>.*) \[\*\*\] \[Classification: (?P<classification>[^\]]+)] \[Priority: (?P<priority>[0-9])\] {(?P<proto>[^}]+)} (?P<source_ip>([0-9]{1,3}\.){3}[0-9]{1,3}):(?P<source_port>[0-9]+) -> (?P<destination_ip>([0-9]{1,3}\.){3}[0-9]{1,3}):(?P<destination_port>[0-9]+)" |
lhaagsma
/ Top_isp_with_ntp_servers_2014.12.19
Created
December 19, 2014 21:03
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 146336 AS7029 Windstream Communications Inc | |
| 141008 AS4134 Chinanet | |
| 137497 AS17506 UCOM Corp. | |
| 126115 AS3320 Deutsche Telekom AG | |
| 91797 AS4837 CNCGROUP China169 Backbone | |
| 84049 AS3786 LG DACOM Corporation | |
| 77853 AS7018 AT&T Services, Inc. | |
| 71418 AS4766 Korea Telecom | |
| 56665 AS2516 KDDI KDDI CORPORATION | |
| 52965 AS17858 KRNIC |
lhaagsma
/ Top_nl_isp_ntp_servers_2014.12.19
Created
December 19, 2014 21:01
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 2485 AS28685 Routit BV | |
| 2264 AS9143 Ziggo B.V. | |
| 2248 AS1103 SURFnet, The Netherlands | |
| 2049 AS286 KPN Internet Backbone | |
| 1727 AS33915 Vodafone Libertel B.V. | |
| 1099 AS20847 Previder B.V. | |
| 1012 AS21155 ProServe B.V. | |
| 911 AS6830 Liberty Global Operations B.V. | |
| 902 AS5390 Online Breedband B.V. Global AS | |
| 822 AS8608 EspritXB B.V. |
lhaagsma
/ RecentSSDP
Created
November 3, 2014 22:58
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Observed SSDP attacks: | |
| 50173 2014-11-01 81.177.5.46 | |
| 8662 2014-10-15 69.31.20.66 | |
| 7493 2014-10-18 176.57.216.61 | |
| 4671 2014-11-01 195.253.65.2 | |
| 3616 2014-10-30 176.57.216.61 | |
| 2176 2014-11-01 195.253.64.10 | |
| 1423 2014-11-02 81.177.5.46 | |
| 1016 2014-11-03 81.177.5.46 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # TOP NTP based attacks I've observed recently | |
| 339186 Oct 25, 2014 185.63.252.104 | |
| 251008 Oct 26, 2014 185.63.252.104 | |
| 215917 Oct 28, 2014 185.63.252.104 | |
| 164784 Oct 26, 2014 185.63.252.10 | |
| 91341 Nov 3, 2014 149.6.190.214 | |
| 35068 Oct 26, 2014 37.187.72.59 | |
| 32872 Oct 28, 2014 54.69.195.196 | |
| 29943 Oct 31, 2014 107.167.25.154 |
lhaagsma
/ PoodleIptables
Created
October 16, 2014 20:27
Drop successful SSLv3 connections using IPtables
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Matching 'SSL SERVER HELLO' packets using IPtables | |
| # Using some connection tracking to make sure not | |
| # to match randomly in the middle of some huge SSL | |
| # session. | |
| iptables --insert INPUT -p tcp --sport 443 \ | |
| -m connbytes --connbytes-mode bytes --connbytes-dir both --connbytes 0:500 \ | |
| -m state --state ESTABLISHED \ | |
| -m length --length 46:375 \ | |
| -m u32 --u32 "\ |