commit 47f1803471ec4c8f9c69c42680019bc002ef304b
Author: Brad Lhotsky <brad.lhotsky@booking.com>
Date: Tue May 28 17:59:21 2013 +0200
Active response was not passing the filename in file events, i.e.,
syscheck. The Eventinfo struct only included file data for builds with
Prelude integration. This prevented the AR from handing filename off
anyways.
* Eventinfo now contains file data always
* Added *expect* option for 'filename'
@reyjrar
reyjrar / os_shell_escape.c
Created May 28, 2013 15:54
Implement shell escaping, relies on caller to clean up the memory for the escaped string.
/* Escape a set of characters */
char *os_shell_escape(const char *src) {
// Maximum length of the escaped string is 2x the current length
char shell_escapes[] = { '\\', '"', '\'', ' ', '\t', ';', '`', '>', '<', '|', '#',
'*', '[', ']', '{', '}', '&', '$', '!', ':', '(', ')' };
char *escaped_string;
int length = 0;
int i = 0;
@reyjrar
reyjrar / logstash-template.json
Last active July 4, 2018 14:39
Template for logstash indexes
{
"template": "logstash-*",
"settings" : {
"index.number_of_shards" : 3,
"index.number_of_replicas" : 1,
"index.query.default_field" : "@message",
"index.routing.allocation.total_shards_per_node" : 2,
"index.auto_expand_replicas": false
},
"mappings": {
@reyjrar
reyjrar / elasticsearch.yml
Last active May 12, 2023 11:58
ElasticSearch config for a write-heavy cluster
##################################################################
# /etc/elasticsearch/elasticsearch.yml
#
# Base configuration for a write heavy cluster
#
# Cluster / Node Basics
cluster.name: logng
# Node can have arbitrary attributes we can use for routing
@reyjrar
reyjrar / ossec-accumulator-2.7.0.patch
Created November 26, 2012 20:17
OSSEC Accumulator Patch against 2.7.0
diff --git a/etc/decoder.xml b/etc/decoder.xml
index a7846ad..1087918 100755
--- a/etc/decoder.xml
+++ b/etc/decoder.xml
@@ -1841,6 +1841,7 @@
</decoder>
<!-- decoder for active responses as logged by an OSSEC agent or server
+
- Examples
@reyjrar
reyjrar / dnswindowing.sql
Created November 4, 2012 20:10
PostgreSQL Windowing Functions
select
srv.id,
srv.ip,
r.opcode,
r.status,
count(1) as queries,
sum(count(1)) OVER (PARTITION BY r.server_id) as total
from packet_response r
inner join server srv on r.server_id = srv.id
@reyjrar
reyjrar / client_by_network.sql
Created October 14, 2012 10:20
Grouping IP's by /24's in PgSQL
select
CAST(regexp_replace( CAST( ip | inet '0.0.0.255' as TEXT), '255/32$', '0') || '/24' as inet) as network,
regexp_replace( CAST( ip | inet '0.0.0.255' as TEXT), '255/32$', '0') as network_addr,
count(1) as clients,
to_char(min(first_ts), 'YYYY-MM-DD HH24:MI') as first_ts,
to_char(max(last_ts), 'YYYY-MM-DD HH24:MI') as last_ts,
bool_or(is_local) as is_local
from client
group by ip | inet '0.0.0.255'
@reyjrar
reyjrar / rsyslog.conf
Created September 17, 2012 14:00
Rsyslog Client Configuration for ondisk caching to central server
# Rsyslog Defaults
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$WorkDirectory /var/run/rsyslog # Default Location for Work Files
# Modules
$ModLoad immark
$ModLoad imklog
$ModLoad imuxsock
# Local Logging
@reyjrar
reyjrar / mercurial-to-git.sh
Created September 10, 2012 13:09
How I work with mercurial!
#!/bin/sh
BASEDIR=$HOME/code/project
UPSTREAM="$BASEDIR/upstream"
WORKING="$BASEDIR/working"
RSYNC_OPTS=""
(( $DEBUG )) && RSYNC_OPTS="--dry-run -v"
cd $UPSTREAM;
@reyjrar
reyjrar / accumulate.c
Created August 28, 2012 15:41
incomplete C code I'm working on for adding accumulation of attributes to OSSEC-HIDS
int Accumulate(Eventinfo *lf)
{
// Declare our variables
bool do_update = false;
char _key[OS_ACM_MAXKEY];
char _data[OS_ACM_MAXDATA];
char hashed_line[OS_ACM_MAXDATA];
char hash_buffer[OS_ACM_MAXELM];