@regit
regit / gist:3263cf673cbffbf7bbb58c009fd5d93d
Created June 28, 2022 12:26
jq command to extract the domain, authenticated user and source IP of successful SMB logons from Suricata EVE logs
cat eve.json | jq -r 'select(.event_type=="smb" and .smb.ntlmssp.user and .smb.ntlmssp.user!="" and .smb.status_code=="0x0" and .smb.ntlmssp.host!=.smb.ntlmssp.domain)| [ .smb.ntlmssp.domain, .smb.ntlmssp.user, .src_ip ] | @csv' | sort | uniq >users.csv
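What that filter keeps and drops, as an added example that is not part of the gist: the same conditions re-implemented in Python and run over a few constructed EVE records, so each rejected branch (failed logon, local account where host equals domain, anonymous session, event without an NTLMSSP block) is visible. Field names follow Suricata's EVE smb schema; the records and addresses are made up, and the function deliberately skips malformed lines where jq would abort.

```python
"""Re-implementation of the jq selection above (added example, not the gist's code).

Mirrors: event_type=="smb", non-empty smb.ntlmssp.user, smb.status_code=="0x0",
smb.ntlmssp.host != smb.ntlmssp.domain; output (domain, user, src_ip) as CSV,
sorted and de-duplicated like `sort | uniq`.
"""
import csv
import io
import json

# Constructed sample eve.json records (not captured traffic), one JSON object per line.
_SUCCESS = {"event_type": "smb", "src_ip": "10.0.0.5", "dest_ip": "10.0.0.1",
            "smb": {"command": "SMB2_COMMAND_SESSION_SETUP", "status": "STATUS_SUCCESS",
                    "status_code": "0x0",
                    "ntlmssp": {"domain": "CORP", "user": "alice", "host": "WS01"}}}
SAMPLE_EVE = "\n".join(json.dumps(r) for r in [
    _SUCCESS,                                    # domain logon from a workstation: kept
    _SUCCESS,                                    # exact duplicate: collapsed like sort|uniq
    {**_SUCCESS, "src_ip": "10.0.0.8",           # second domain user: kept
     "smb": {**_SUCCESS["smb"], "ntlmssp": {"domain": "CORP", "user": "bob", "host": "WS08"}}},
    {**_SUCCESS, "src_ip": "10.0.0.9",           # STATUS_LOGON_FAILURE: status_code != 0x0, dropped
     "smb": {**_SUCCESS["smb"], "status": "STATUS_LOGON_FAILURE", "status_code": "0xc000006d"}},
    {**_SUCCESS, "src_ip": "10.0.0.7",           # local account: host == domain, dropped
     "smb": {**_SUCCESS["smb"], "ntlmssp": {"domain": "WS07", "user": "admin", "host": "WS07"}}},
    {**_SUCCESS, "src_ip": "10.0.0.6",           # anonymous session: empty user, dropped
     "smb": {**_SUCCESS["smb"], "ntlmssp": {"domain": "", "user": "", "host": "WS06"}}},
    {**_SUCCESS,                                 # no ntlmssp block at all: dropped
     "smb": {"command": "SMB2_COMMAND_TREE_CONNECT", "status_code": "0x0"}},
    {"event_type": "dns", "src_ip": "10.0.0.5",  # not an smb event: dropped
     "dns": {"type": "query", "rrname": "time.windows.com"}},
])


def authenticated_users(lines):
    """Return sorted, de-duplicated (domain, user, src_ip) tuples for SMB session
    setups that succeeded with a non-empty NTLMSSP user whose host differs from
    the domain, i.e. domain accounts rather than local workstation accounts."""
    seen = set()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # jq would abort on a malformed line; skipping is safer for batch runs
        if rec.get("event_type") != "smb":
            continue
        smb = rec.get("smb") or {}
        ntlm = smb.get("ntlmssp") or {}
        user = ntlm.get("user")
        if not user:                          # null or "" means no authenticated user (jq: .user and .user!="")
            continue
        if smb.get("status_code") != "0x0":   # keep only successful session setups
            continue
        if ntlm.get("host") == ntlm.get("domain"):
            continue                          # local logon against the machine's own account database
        seen.add((ntlm.get("domain") or "", user, rec.get("src_ip") or ""))
    return sorted(seen)


def to_csv(rows):
    """Render rows the way jq's @csv does for string fields: every field double-quoted."""
    buf = io.StringIO()
    csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n").writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(authenticated_users(SAMPLE_EVE.splitlines())), end="")
```

The host/domain comparison is what turns this from "every NTLM session setup" into "domain credentials seen on the wire": a logon whose NTLMSSP domain is the workstation name itself is a local account and is dropped. Because only status_code 0x0 is kept, the resulting users.csv is an inventory of accounts that actually authenticated, which is the list worth checking against expected service accounts and jump hosts.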
@regit
regit / sobind
Created November 28, 2018 20:29
Sobind: an eBPF script to detect network bind attempts
#! /usr/bin/python2
#
# sobind Trace TCP bind events
# For Linux, uses BCC, eBPF. Embedded C.
#
# USAGE: sobind.py [-h] [-p PID] [--show-netns]
#
# This is provided as a basic example of TCP connection & socket tracing.
# It could be useful in scenarios where load balancers need to be updated
# dynamically once an application is fully initialized.
{
"dns": {
"type": "answer",
"id": 10451,
"rcode": "NOERROR",
"rrname": "time.windows.com",
"ttl": 2755,
"rrtype": [
"A",
"CNAME"
@uint@
uint i;
position p1;
@@
i@p1
@script:python@
p1 << uint.p1;
@@
@regit
regit / memset.cocci
Created April 26, 2017 11:56
Checking memset
@malloced@
expression x;
position p1;
identifier func =~ "(calloc|malloc)";
@@
x@p1 = func(...)
@memset depends on malloced exists@
expression x;
\item policy balanced-ips alert
\item policy balanced-ips drop
\item policy connectivity-ips alert
\item policy connectivity-ips drop
\item policy max-detect-ips alert
\item policy max-detect-ips drop
\item policy security-ips alert
\item policy security-ips drop
\item ruleset community
\item service (dcerpc|imap|\ldots)
@regit
regit / Suricata-SSLv3
Created October 15, 2014 10:24
Suricata Kibana Dashboard for SSLv3
{
"index": {
"default": "NO_TIME_FILTER_OR_INDEX_PATTERN_NOT_MATCHED",
"pattern": "[logstash-]YYYY.MM.DD",
"warm_fields": true,
"interval": "day"
},
"style": "dark",
"rows": [
{
@regit
regit / ssh-analysis-kibana
Last active August 7, 2019 21:27
SSH analysis dashboard
{
"title": "SSH analysis",
"services": {
"query": {
"list": {
"0": {
"query": "message:\"Invalid user\" AND sshd",
"alias": "Failed login",
"color": "#BF1B00",
"id": 0,
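The detection behind the dashboard's "Failed login" query (message:"Invalid user" AND sshd), as an added example that is not part of the gist: a stand-alone Python parser over constructed sshd syslog lines that produces the per-source counts the panel would show, without Elasticsearch. The log lines are made up; their shape is the one OpenSSH's sshd writes to syslog, and the `noisy_sources` threshold is an arbitrary choice for illustration.

```python
"""Per-source view of sshd 'Invalid user' events (added example, not the gist's code)."""
import re
from collections import Counter, defaultdict

# Constructed sample auth.log lines (not from a real host).
SAMPLE_AUTH_LOG = """\
Aug  7 21:10:01 bastion sshd[4121]: Invalid user admin from 203.0.113.4 port 51234
Aug  7 21:10:01 bastion sshd[4121]: Failed password for invalid user admin from 203.0.113.4 port 51234 ssh2
Aug  7 21:10:04 bastion sshd[4125]: Invalid user test from 203.0.113.4 port 51240
Aug  7 21:10:09 bastion sshd[4130]: Invalid user oracle from 203.0.113.9 port 33012
Aug  7 21:10:15 bastion sshd[4133]: Failed password for root from 203.0.113.9 port 33020 ssh2
Aug  7 21:11:00 bastion sshd[4140]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2: ED25519 SHA256:constructedfingerprint
Aug  7 21:11:30 bastion cron[4150]: (root) CMD (run-parts /etc/cron.hourly)
"""

# sshd logs one "Invalid user <name> from <ip>" line per attempt against an account
# that does not exist; <name> may be empty, hence \S* rather than \S+.
INVALID_USER_RE = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S*) from (?P<ip>\S+)")


def invalid_user_attempts(lines):
    """Return {source_ip: [usernames tried]} for 'Invalid user' events, in log order."""
    attempts = defaultdict(list)
    for line in lines:
        m = INVALID_USER_RE.search(line)
        if m:
            attempts[m.group("ip")].append(m.group("user"))
    return dict(attempts)


def count_by_source(lines):
    """Counter of 'Invalid user' attempts per source IP (the dashboard's per-host breakdown)."""
    return Counter({ip: len(users) for ip, users in invalid_user_attempts(lines).items()})


def noisy_sources(lines, threshold=2):
    """Sources with at least `threshold` attempts against non-existent accounts,
    the usual signature of a username-guessing scan (threshold is illustrative)."""
    return sorted(ip for ip, n in count_by_source(lines).items() if n >= threshold)


if __name__ == "__main__":
    lines = SAMPLE_AUTH_LOG.splitlines()
    users = invalid_user_attempts(lines)
    for ip, n in count_by_source(lines).most_common():
        print(f"{ip}: {n} attempts, users tried: {users[ip]}")
    print("noisy sources:", noisy_sources(lines))
```

Two caveats when comparing this with the Kibana numbers. The parser counts only the capitalised "Invalid user ... from" line, one per attempt; if the message field is analysed with the default standard analyzer (as in the classic Logstash mapping), the phrase query is case-insensitive and also matches the follow-up "Failed password for invalid user ..." line, so the panel can show roughly two hits per attempt. And neither the query nor this parser sees failures against accounts that do exist ("Failed password for root ..."), which need a separate query.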
@regit
regit / Netfilter-dashboard
Created March 23, 2014 14:49
Netfilter Kibana Dashboard
{
"title": "Netfilter Logs",
"services": {
"query": {
"list": {
"0": {
"query": "dvc:*",
"alias": "Netfilter",
"color": "#7EB26D",
"id": 0,
@regit
regit / Suricata dashboard
Last active August 29, 2020 20:41
A sample Kibana dashboard using Suricata JSON output.
{
"title": "Suricata EVE Dashboard",
"services": {
"query": {
"list": {
"0": {
"query": "event_type:http",
"alias": "HTTP",
"color": "#7EB26D",
"id": 0,