Nate Guagenti neu5ron

## dynamic-dns.txt
3d-game.com #dtdns.com
4irc.com #dtdns.com
b0ne.com #dtdns.com
bbsindex.com #dtdns.com
chatnook.com #dtdns.com
darktech.org #dtdns.com
deaftone.com #dtdns.com
dtdns.net #dtdns.com
effers.com #dtdns.com
etowns.net #dtdns.com

## valid_domain_name_regex
domain_regex = r'(([\da-zA-Z])([_\w-]{,62})\.){,127}(([\da-zA-Z])[_\w-]{,61})?([\da-zA-Z]\.((xn\-\-[a-zA-Z\d]+)|([a-zA-Z\d]{2,})))'

#Python
domain_regex = '{0}$'.format(domain_regex)
valid_domain_name_regex = re.compile(domain_regex, re.IGNORECASE)
self.domain_name = self.domain_name.lower().strip().encode('ascii')
if re.match(valid_domain_name_regex, self.domain_name ):
    return True
else:
    return False

## dynamic-dns-providers
dynu.com
dyn.com
no-ip.com
noip.com
changeip.com
afraid.org
duckdns.org
dnsdynamic.org
duiadns.net
myonlineportal.com

## keybase.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                neu5ron
                / keybase.md
            
            
              Created
              October 14, 2016 17:41
            
          
    Keybase proof

I hereby claim:

I am neu5ron on github.
I am neu5ron (https://keybase.io/neu5ron) on keybase.
I have a public key whose fingerprint is 6A0E 02A4 E191 1C10 DAB4  F257 C2E9 3D96 A895 5C05

To claim this, I am signing this object:

  
## nxlog-cuckoo-to-logstash.conf
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _json>

## DNSCrypt Ubuntu;OpenDNS Crypt
sudo apt-get -y install build-essential checkinstall  automake libtool pkg-config;
wget -O libsodium.tar.gz https://download.libsodium.org/libsodium/releases/LATEST.tar.gz
mkdir libsodium && tar -zxvf libsodium.tar.gz -C libsodium --strip-components=1;
cd libsodium;
chmod +x configure && sh ./configure;
make;
sudo make install;
sudo ldconfig;
cd ../;
wget -O dnscrypt.tar.gz https://download.dnscrypt.org/dnscrypt-proxy/LATEST.tar.gz;

## 511-windows-event-powershell-operational.conf
filter {

    if [@meta][log][type] == "windows-wef" {

        # PowerShell Operational Only
        if [Channel] == "Microsoft-Windows-PowerShell/Operational" {

            # EventID 4103
            if [EventID] == 4103 {

## example 4663 wef subscription for canary files
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
                 *[EventData[Data[@Name='ObjectName'] and (Data='C:\Users\Public\Documents\new-login-information.txt')]]
                 and
                 *[System[(EventID='4663')]]
               </Select>
  </Query>
</QueryList>

## nxlog-config-for-wef-server.conf
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _json>

## additional_http_headers-main.bro
module HTTP;

# Add additional HTTP Headers
redef record Info += {
  #Origin "Origin"
  origin:       string  &log &optional;
};


event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=5
	3d-game.com #dtdns.com
	4irc.com #dtdns.com
	b0ne.com #dtdns.com
	bbsindex.com #dtdns.com
	chatnook.com #dtdns.com
	darktech.org #dtdns.com
	deaftone.com #dtdns.com
	dtdns.net #dtdns.com
	effers.com #dtdns.com
	etowns.net #dtdns.com
	domain_regex = r'(([\da-zA-Z])([_\w-]{,62})\.){,127}(([\da-zA-Z])[_\w-]{,61})?([\da-zA-Z]\.((xn\-\-[a-zA-Z\d]+)\|([a-zA-Z\d]{2,})))'

	#Python
	domain_regex = '{0}$'.format(domain_regex)
	valid_domain_name_regex = re.compile(domain_regex, re.IGNORECASE)
	self.domain_name = self.domain_name.lower().strip().encode('ascii')
	if re.match(valid_domain_name_regex, self.domain_name ):
	return True
	else:
	return False
	dynu.com
	dyn.com
	no-ip.com
	noip.com
	changeip.com
	afraid.org
	duckdns.org
	dnsdynamic.org
	duiadns.net
	myonlineportal.com
	#define ROOT C:\Program Files\nxlog
	define ROOT C:\Program Files (x86)\nxlog

	Moduledir %ROOT%\modules
	CacheDir %ROOT%\data
	Pidfile %ROOT%\data\nxlog.pid
	SpoolDir %ROOT%\data
	LogFile %ROOT%\data\nxlog.log

	<Extension _json>
	sudo apt-get -y install build-essential checkinstall automake libtool pkg-config;
	wget -O libsodium.tar.gz https://download.libsodium.org/libsodium/releases/LATEST.tar.gz
	mkdir libsodium && tar -zxvf libsodium.tar.gz -C libsodium --strip-components=1;
	cd libsodium;
	chmod +x configure && sh ./configure;
	make;
	sudo make install;
	sudo ldconfig;
	cd ../;
	wget -O dnscrypt.tar.gz https://download.dnscrypt.org/dnscrypt-proxy/LATEST.tar.gz;
	filter {

	if [@meta][log][type] == "windows-wef" {

	# PowerShell Operational Only
	if [Channel] == "Microsoft-Windows-PowerShell/Operational" {

	# EventID 4103
	if [EventID] == 4103 {
	<QueryList>
	<Query Id="0" Path="Security">
	<Select Path="Security">
	*[EventData[Data[@Name='ObjectName'] and (Data='C:\Users\Public\Documents\new-login-information.txt')]]
	and
	*[System[(EventID='4663')]]
	</Select>
	</Query>
	</QueryList>
	module HTTP;

	# Add additional HTTP Headers
	redef record Info += {
	#Origin "Origin"
	origin: string &log &optional;
	};


	event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=5