corelight-logs.schema.json
{ | |
"$schema": "http://json-schema.org/draft-07/schema#", | |
"$id": "https://corelight.com/software-sensor.schema.json", | |
"title": "Corelight Logs", | |
"description": "Definition of all of the potential logs for this installation", | |
"definitions": { | |
"time": {"type": "string", "pattern": "[0-9]{4}-[0-1][0-9]-[0-3][0-9]T[0-2][0-9]:[0-5][0-9]:[0-5][0-9]\\.?[0-9]{0,6}Z"}, | |
"port": {"type": "integer", "minimum": 0, "maximum": 65535}, | |
"count": {"type": "integer", "minimum": 0, "maximum": 18446744073709551615}, | |
"int": {"type": "integer", "minimum": -9223372036854775807, "maximum": 9223372036854775807}, |
bu-everywhere.zeek
##! Add Business Unit to all logs with an "id" field. | |
module BusinessUnit;
export {
## Subnet -> business-unit name.  Declared as an ``option`` so it is meant to
## be populated through Zeek's configuration framework rather than hard-coded.
## NOTE(review): the initializer is ``set()`` for a table-typed value; the
## matching constructor is ``table()`` -- confirm the Zeek version in use
## coerces an empty set constructor here.
option BusinessUnit::networks: table[subnet] of string = set();
}
redef record conn_id += { | |
## The business unit seen as the connection originator. |
gist:b23ebe5e73c9585fbbdff3628f53b6ae (untitled)
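## Compute how long to wait until the next wall-clock instant that is a whole
## multiple of ``i`` (for ``i = 5min``: the time until the next :00/:05/:10
## mark).  Useful for scheduling work aligned to the clock instead of to
## script start-up time.
##
## Note: this is based on ``current_time()`` (wall clock), not
## ``network_time()``, so when reading a trace it aligns to real time.
##
## i: the alignment interval.
##
## Returns: the time remaining until the next multiple of ``i``; ``i`` itself
##          when ``i`` is zero or negative, since there is no boundary to
##          align to.
function next_interval(i: interval): interval
	{
	local period = interval_to_double(i);

	# A zero (or negative) period has no boundaries; the truncating integer
	# version of this arithmetic would fault with a division by zero here.
	if ( period <= 0.0 )
		return i;

	# Stay in doubles rather than truncating to whole seconds: sub-second
	# intervals remain usable, and the result lands exactly on the boundary
	# instead of overshooting it by the fractional part of the current time.
	local now = time_to_double(current_time());
	local elapsed = now - floor(now / period) * period;

	return double_to_interval(period - elapsed);
	}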
mandelbrot.zeek
# Unformatted handle on stdout; rows of the rendered image are written here.
const stdout = open("/dev/stdout") &raw_output;
# Output size in characters.
const WIDTH = 80;
const HEIGHT = 25;
# Shading palette; presumably indexed by escape-iteration count in
# CalculateRow (below).  Alternative glyphs that were tried and left out:
# ")", "|", "&", "I", "H", "%", "*", "#".
const characters = vector(" ", ".", ":", "-", "#", "o", "*", ">");
function CalculateRow(y: double, factor: double, shiftRight: double) | |
{ | |
local output: vector of string = vector(); | |
local XCenter = -0.45; |
http-more-files-names.bro
redef record HTTP::Info += {
## Candidate filename taken from the request URI path (the http_request
## handler below strips the query string first).  Optional because not every
## request yields one.  Where this field is consumed is not visible here --
## confirm against the rest of the script.
potential_fname: string &optional;
};
event http_request(c: connection, method: string, original_URI: string, | |
unescaped_URI: string, version: string) &priority=5 | |
{ | |
# Get rid of uri arguments | |
local path = split_string(c$http$uri, /\?/)[0]; |
icmp-latency.bro
## Outstanding echo requests, keyed by connection id and ICMP sequence number,
## mapped to the time the request was seen.  Entries expire after 3 seconds so
## unanswered pings -- or a flood of requests -- cannot grow the table without
## bound.
## NOTE(review): the ICMP identifier (``id``) is not part of the key, so two
## ping processes that share a conn_id and reuse a sequence number would
## overwrite each other's timestamp -- confirm whether that matters here.
global watching_icmp: table[conn_id, count] of time &create_expire=3secs;
## Remember when each echo request was seen so the matching reply can be
## timed against it.
event icmp_echo_request(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string)
	{
	local seen_at = network_time();
	watching_icmp[c$id, seq] = seen_at;
	}
event icmp_echo_reply(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string) | |
{ | |
if ( [c$id, seq] !in watching_icmp ) |
no-cert-parsing.bro
##! This script is a workaround for CVE-2015-1788, which is explained in
##! detail at http://jpb.io. That bug is a denial of service in OpenSSL's
##! parsing of malformed ECParameters in a certificate: the parser loops
##! forever, so a Bro process that parses such a certificate locks up.
##! WARNING - This script should only be used temporarily until | |
##! your OpenSSL library is upgraded. This script can | |
##! then be removed. | |
@if( /2\.3/ in bro_version() ) | |
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=-100 |
gist:6ec210d99736bd54c351 (untitled)
diff --git a/src/file_analysis/File.cc b/src/file_analysis/File.cc | |
index d0b1ea2..c1e5e3d 100644 | |
--- a/src/file_analysis/File.cc | |
+++ b/src/file_analysis/File.cc | |
@@ -505,10 +505,12 @@ void File::EndOfFile() | |
if ( ! bof_buffer.full ) | |
{ | |
DBG_LOG(DBG_FILE_ANALYSIS, "[%s] File over but bof_buffer not full.", id.c_str()); | |
- bof_buffer.full = true; | |
+ bof_buffer.full = true; |
bro-script-to-end-all-bro-scripts.bro
# Detect bad guys |
gif.pac2
module GIF; | |
import BinPAC; | |
type Header = unit { | |
%byteorder = BinPAC::ByteOrder::Little; | |
signature : bytes &length=3; #This needs to either be a literal b"GIF" or have a &check attribute when that exists | |
version : bytes &length=3; |