/*
For use with KubeJS. Allows for filling jetpacks and tanks via Spouts in Create.
Also depends on PowerfulJS.
Save this as a startup_script in your KubeJS directory.
Capacity is mapped in a way that is equivalent to manual filling, e.g. each bucket
fills by 100.0 "units", so a small tank requires 8 buckets to fill, and a large
tank requires 32 buckets to fill.

import re


def extract_regex(input_text=None, regex=None, **kwargs):
    """
    Args:
        input_text
        regex
    Returns a JSON-serializable object that implements the configured data paths:
        groups
        groupdict.*
    """
    # Body reconstructed from the docstring above (the gist preview is cut off
    # after the signature): match the regex against the text and expose the
    # positional groups and the named groups of the first match.
    if input_text is None or regex is None:
        return None
    match = re.search(regex, input_text)
    if match is None:
        return None
    return {"groups": list(match.groups()), "groupdict": match.groupdict()}
mcm / gist:79488685520826617fce4c0913e2bd74
Created June 12, 2020 14:06
Permanent Suppression Detection in Splunk
| rest splunk_server=local /services/alerts/suppressions | table title author search disabled description updated
| rex field=search max_match=100 "\s(?!source)(?P<fields>(\w+))(=|>|<)"
| stats values(fields) as fields by title author search disabled description updated
| rex field=search max_match=2 "_time(\<|\>|\=).(?P<time_fields>.[^\s]+)"
| rex field=search max_match=2 "_time(?P<time_comparators>.[^\d+]*)"
| eval multi_times=if(mvcount(time_fields) > 1, "True", "False")
| eval start_time=mvindex(time_fields, 0)
| eval end_time=mvindex(time_fields, 1)
| fillnull start_time, end_time value="0"
| fillnull time_comparators value="-"
mcm / LICENSE.hurricanelabs.txt
Last active May 13, 2020 20:12
alert_hec_webhook
This app is based on the alert_webhook app included by Splunk, and is subject to all applicable license terms therein.
All modifications made to that app by Hurricane Labs in the creation of this app, as of 13 May 2020, are licensed
under the MIT license as included below. Unless otherwise noted, all future modifications made by Hurricane Labs are
also licensed under the same license terms. The most recent diff showing changes made by Hurricane Labs can be found at:
https://gist.github.com/mcm/fcbb9bd0e0c366626bd16f3495ecaf85
Portions Copyright (c) 2020 Hurricane Labs
mcm / pwdecrypt.py
Last active February 6, 2019 19:06
import argparse
import getpass
import splunk.entity as entity
import splunk.auth
ap = argparse.ArgumentParser()
ap.add_argument("--username", required=True)
ap.add_argument("--password", required=False)
ap.add_argument("--app")
[multi]
machinery = xenserver,physical
import http.cookiejar
import io
import boto3
import botocore
class S3CookieJar(http.cookiejar.LWPCookieJar):
    bucket = None
    filename = None
mcm / HOWTO.txt
Last active June 3, 2023 23:40
Use daemonlogger + VXLAN to create "software span"
**Only really tested on Ubuntu 16.04**
Requirements:
* Two Linux systems (one to send traffic, one to receive)
* Network connectivity over UDP 4789
Sender Setup
* Install daemonlogger (sudo apt install daemonlogger)
* Save systemd service config as /etc/systemd/system/daemonlogger@.service (replace X.X.X.X with IP of receiver)
* Reload systemd (sudo systemctl daemon-reload)
################################################################################
# Domain Blacklist Rules: https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt
################################################################################
################################################################################
# URL Blacklist Rules: https://ransomwaretracker.abuse.ch/downloads/RW_URLBL.txt
################################################################################
mcm / mcmfw1.ruleset
Created December 6, 2016 16:39
McM Home Firewall (nftables)
#!/usr/sbin/nft -f
flush ruleset
add table inet filter
add chain inet filter input { type filter hook input priority 0 ; policy accept ; }
add chain inet filter output { type filter hook output priority 0 ; policy accept ; }
add chain inet filter forward { type filter hook forward priority 0 ; policy accept ; }
add chain inet filter floating
add chain inet filter wan
add chain inet filter vlan2
add chain inet filter vlan15