@matehat
Last active March 11, 2016 06:50
# Elixir (`socket` library): push one ArcSight-formatted CEF event (a FireEye MPS "IDS Event" rule fire) over TCP to a listener on 127.0.0.1:4423. The message is a single line; `\\=` in the Elixir string is CEF's escaped "=" inside extension values, `\\=\\=` the "==" padding of the base64 IDs.
Socket.Stream.send!(Socket.TCP.connect!("127.0.0.1", 4423), "CEF:0|FireEye|MPS|7.5.1.318703|rule:101|IDS Event|High| eventId=2141190323 msg=IDS Event type=2 mrt=1428703736994 sessionId=0 generatorID=36sldpUwBABCATI71Gm9j2A\\=\\= categorySignificance=/Compromise categoryBehavior=/Communicate/Query categoryDeviceGroup=/IDS/Network catdt=NULL categoryOutcome=/Attempt categoryObject=/Host/Application/Malware modelConfidence=0 severity=8 relevance=10 assetCriticality=0 priority=8 art=1428703757464 cat=/Rule/Fire deviceSeverity=1 rt=1428704456000 shost=rnddevsaw701.csgsecint.com src=10.7.4.10 sourceZoneID=ML8022AABABCDTFpYAT3UdQ\\=\\= sourceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 10.0.0.0-10.255.255.255 dst=10.7.2.20 destinationZoneID=ML8022AABABCDTFpYAT3UdQ\\=\\= destinationZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 10.0.0.0-10.255.255.255 dpt=1177 fname=IDS Event filePath=/All Rules/Real-time Rules/RSA_2015/IDS Event fileType=Rule ruleThreadId=ovRgpUwBABDEwqrJb1q6xQ\\=\\= cs1=Trojan_njRAT cs2=<Resource URI\\=\"/All Rules/Real-time Rules/RSA_2015/IDS Event\" ID\\=\"5kM+2pEwBABCJUIiZNcqbLQ\\=\\=\"/> cs4=https://10.7.3.33/event_stream/events_for_bot?ev_id\\=2&lms_iden\\=00:25:90:AE:E9:A8 cs5=10.7.2.20 cn1=0 cn2=900002 cn3=1177 locality=1 cs1Label=sname cs2Label=Configuration Resource cs4Label=link cs5Label=cncHost cn1Label=vlan cn2Label=sid cn3Label=cncPort ahost=atlseciasesm01.csgsecint.com agt=10.7.3.32 av=5.2.7.6582.0 atz=US/Eastern aid=36sldpUwBABCATI71Gm9j2A\\=\\= at=superagent_ng dvchost=ALTSECIFESEN01 dvc=127.0.0.1 deviceZoneID=ML8022AABABCDTFpYAT3UdQ\\=\\= deviceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 10.0.0.0-10.255.255.255 dtz=US/Eastern deviceFacility=Rules Engine eventAnnotationStageUpdateTime=1428703737995 eventAnnotationModificationTime=1428703737995 eventAnnotationAuditTrail=1,1408897633365,root,Queued,,,, eventAnnotationVersion=1 eventAnnotationFlags=0 eventAnnotationEndTime=1428704456000 eventAnnotationManagerReceiptTime=1428703736994 _cefVer=0.1 ad.arcSightEventPath=3A6ubN0QBABCAYvhhQ261mQ\\")
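The receiving side of what the gist sends: a small CEF parser, added here as an example (not part of the gist or of the `socket` library). `SAMPLE` is a constructed excerpt of the gist's event with its escaping as it arrives on the wire (`\=` for "=" inside extension values, `\|` for "|" inside header fields), and the parser also resolves ArcSight's `csNLabel`/`cnNLabel` pairs so that `cs1=Trojan_njRAT ... cs1Label=sname` becomes a `sname` field.

```python
import re

SAMPLE = (  # constructed excerpt of the gist's event, with wire-level CEF escaping ("\=" in values)
    r"CEF:0|FireEye|MPS|7.5.1.318703|rule:101|IDS Event|High| "
    r"eventId=2141190323 msg=IDS Event generatorID=36sldpUwBABCATI71Gm9j2A\=\= src=10.7.4.10 dst=10.7.2.20 dpt=1177 "
    r"sourceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 10.0.0.0-10.255.255.255 cs1=Trojan_njRAT "
    r'cs2=<Resource URI\="/All Rules/Real-time Rules/RSA_2015/IDS Event" ID\="5kM+2pEwBABCJUIiZNcqbLQ\=\="/> '
    r"cs4=https://10.7.3.33/event_stream/events_for_bot?ev_id\=2&lms_iden\=00:25:90:AE:E9:A8 cs5=10.7.2.20 cn3=1177 "
    r"cs1Label=sname cs2Label=Configuration Resource cs4Label=link cs5Label=cncHost cn3Label=cncPort"
)
HEADER = ("version", "device_vendor", "device_product", "device_version", "signature_id", "name", "severity")
_ESC = {"n": "\n", "r": "\r"}  # any other escaped char (\| \= \\) stands for itself
KEY_RE = re.compile(r"(?<!\S)([\w.]+)=")  # "key=" only at start or after whitespace; an escaped "\=" never matches

def unescape(value):
    return re.sub(r"\\(.)", lambda m: _ESC.get(m.group(1), m.group(1)), value)

def split_unescaped(text, sep, maxsplit):  # split on sep, skipping backslash-escaped characters
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2]); i += 2
        elif text[i] == sep and len(parts) < maxsplit:
            parts.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(text[i]); i += 1
    parts.append("".join(buf))
    return parts

def parse_extension(ext):  # values may contain spaces: a value runs until the next "key="
    fields, hits = {}, list(KEY_RE.finditer(ext))
    for m, nxt in zip(hits, hits[1:] + [None]):
        fields[m.group(1)] = unescape(ext[m.end():nxt.start() if nxt else len(ext)].rstrip())
    return fields

def resolve_labels(fields):  # ArcSight sends custom fields as cs1/cn1 plus cs1Label/cn1Label naming them
    out = dict(fields)
    for key, label in fields.items():
        if key.endswith("Label") and key[:-5] in fields:
            out[label] = fields[key[:-5]]
    return out

def parse_cef(record):
    parts = split_unescaped(record[4:], "|", 7)
    if not record.startswith("CEF:") or len(parts) != 8:
        raise ValueError("malformed CEF record: need 'CEF:' prefix and 7 pipe-delimited header fields")
    event = dict(zip(HEADER, map(unescape, parts[:7])))
    event["extension"] = resolve_labels(parse_extension(parts[7]))
    return event
```

A receiver that splits on raw `=` or `|` would break on exactly the values this event carries (the `\=` inside `cs2` and `cs4`, the base64 padding); `parse_cef(SAMPLE)["extension"]["cncHost"]` yields `10.7.2.20`.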