Skip to content

Instantly share code, notes, and snippets.

View sethhall's full-sized avatar

Seth Hall sethhall

221 followers · 13 following
View GitHub Profile
@sethhall
sethhall / bro-output-plugin-barnyard2-1.9-beta1.diff
Created September 15, 2010 20:50
diff --git a/configure.in b/configure.in
index c820a9a..d754ed9 100644
--- a/configure.in
+++ b/configure.in
@@ -928,6 +928,43 @@ if test "x$enable_aruba" = "xyes"; then
CPPFLAGS="$CPPFLAGS -DARUBA"
fi
+AC_ARG_ENABLE(bro,
+[ --enable-bro Enable Bro output plugin],
@sethhall
sethhall / gist:651616
Created October 28, 2010 15:40
Bro-IDS Output from syslog policy script.
ts orig_h orig_p resp_h resp_p facility severity msg
1260226618.22805 192.168.1.2 44457 192.168.1.101 514 DAEMON NOTICE Dec 7 14:58:31 SEL-3620B Login: Login successful by: admin at 192.168.1.101^J
@sethhall
sethhall / cluster-layout.bro
Created July 8, 2011 18:36
Example cluster-layout.bro
redef Cluster::nodes = {
["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=47757/tcp, $workers=set("worker-1")],
["proxy-1"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=47758/tcp, $manager="manager-1", $workers=set("worker-1")],
["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=47759/tcp, $proxy="proxy-1", $manager="manager-1", $interface="eth1"],
["control"] = [$node_type=Cluster::CONTROL, $ip=127.0.0.1, $p=47761/tcp],
["time-machine"] = [$node_type=Cluster::TIME_MACHINE, $ip=127.0.0.1, $p=47762/tcp],
};
@sethhall
sethhall / gist:3248309
Created August 3, 2012 14:49
hello world in Bro.
event bro_init()
{
print "hello world!";
}
@sethhall
sethhall / gist:4005673
Created November 3, 2012 03:11
Example Bro HTTP API
module ActiveHTTP;
export {
## The default timeout for HTTP requests.
const default_request_timeout = 1min &redef;
## The default HTTP method/verb to use for requests.
const default_method = "GET" &redef;
type Request: record {
@sethhall
sethhall / gist:4221576
Created December 6, 2012 03:22
MS Cert Store parser
module MSCerts;
%byteorder=BinPAC::ByteOrder::Little;
type SerializedPropertyEntry = unit {
id : uint32;
encodingType : uint32;
len : uint32;
value : bytes &length=self.len;
@sethhall
sethhall / gist:4952723
Created February 14, 2013 13:19
"tlsdate -v" output on MacOS X.8
V: tlsdate version 0.0.6
V: We were called with the following arguments:
V: validate SSL certificates host = www.ptb.de:443
V: time is currently 1360847906.161771000
V: time is greater than RECENT_COMPILE_DATE
V: using TLSv1_client_method()
V: Using OpenSSL for SSL
V: opening socket to www.ptb.de:443
V: certificate verification passed
V: commonName matched: www.ptb.de
@sethhall
sethhall / gist:5093794
Created March 5, 2013 20:07
local a = Metrics::create_measurement("apps.bytes", [$measure=set(Metrics::SUM)]);
local b = Metrics::create_measurement("apps.hits", [$measure=set(Metrics::UNIQUE)]);
Metrics::create_metric([$every=break_interval, $measurements=set(a, b),
$period_finished(ts: time, metric_name: string, filter_name: string, data: Metrics::MetricTable) =
{
print "woo";
}]);
@sethhall
sethhall / lots-of-dns.bro
Created April 10, 2013 16:33
This is a quick script using the measurement framework in Bro to watch for too many unique DNS requests from a single host. At this point in time this code doesn't even work in git master (but it does work!).
module DNS;
export {
redef enum Notice::Type += {
## We saw a lot of unique DNS requests!
DNS::Too_Much_Unique_DNS,
};
}
@sethhall
sethhall / file_analysis_test.bro
Created April 11, 2013 16:51
event file_windows_pe_dosstub(f: fa_file, checksum: count)
{
print fmt("pe header offset: %d", checksum);
}
event file_windows_pe_timestamp(f: fa_file, ts: time)
{
print fmt("timestamp! %D", ts);
print f$mime_type;
}