Seth Hall sethhall

## corelight-logs.schema.json
{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "$id": "https://corelight.com/software-sensor.schema.json",
  "title": "Corelight Logs",
  "description": "Definition of all of the potential logs for this installation",
  "definitions": {
    "time": {"type": "string", "pattern": "[0-9]{4}-[0-1][0-9]-[0-3][0-9]T[0-2][0-9]:[0-5][0-9]:[0-5][0-9]\\.?[0-9]{0,6}Z"},
    "port": {"type": "integer", "minimum": 0, "maximum": 65535},
    "count": {"type": "integer", "minimum": 0, "maximum": 18446744073709551615},
    "int": {"type": "integer", "minimum": -9223372036854775807, "maximum": 9223372036854775807},

## bu-everywhere.zeek
##! Add Business Unit to all logs with an "id" field.

module BusinessUnit;

export {
        option BusinessUnit::networks: table[subnet] of string = set();
}

redef record conn_id += {
        ## The business unit seen as the connection originator.

## gist:b23ebe5e73c9585fbbdff3628f53b6ae
function next_interval(i: interval): interval
    {
    local now = current_time();
    local ii = double_to_count(interval_to_double(i));
    local sofar = double_to_count(time_to_double(now)) % ii;
    local togo = ii - sofar;
    local dur = double_to_interval(togo);
    return dur;
    }

## mandelbrot.zeek
const stdout = open("/dev/stdout") &raw_output;

const WIDTH = 80;
const HEIGHT = 25;

const characters = vector(" ", ".", ":", "-", "#", "o", "*", ">");#, ")", #, "|", "&", "I", "H", "%", "*", "#");
function CalculateRow(y: double, factor: double, shiftRight: double)
	{
	local output: vector of string = vector();
	local XCenter = -0.45;

## http-more-files-names.bro

redef record HTTP::Info += {
	potential_fname: string &optional;
};

event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string) &priority=5
	{
	# Get rid of uri arguments
	local path = split_string(c$http$uri, /\?/)[0];

## http-title-ripper.bro
@load base/protocols/http

module HTTPTitleRipper;

export {
	## The depth to search for titles in HTTP response bodies.
	const search_depth = 10000;

	redef record HTTP::Info += {
		## A title from the webpage.

## myextract.bro
redef record fa_file += {
	is_my_extractor_going: bool &default=F;
};

event file_over_new_connection(f: fa_file, c: connection, is_orig: bool)
	{
	if ( !f$is_my_extractor_going )
		{
		f$is_my_extractor_going=T;
		if ( f$source == "HTTP" && is_orig == F )

## http-header-logs.bro
##! Extract and include the header names used for each request in the HTTP
##! logging stream.  The headers in the logging stream will be stored in the
##! same order which they were seen on the wire.

@load base/protocols/http/main

module HTTP;

export {
	redef record Info += {

## myextract-with-domain.bro
redef record fa_file += {
	is_my_extractor_going: bool &default=F;
};

event file_over_new_connection(f: fa_file, c: connection, is_orig: bool)
	{
	if ( !f$is_my_extractor_going )
		{
		f$is_my_extractor_going=T;
		if ( f$source == "HTTP" && is_orig == F )

## bro-script-to-end-all-bro-scripts.bro
# Detect bad guys
	{
	"$schema": "http://json-schema.org/draft-07/schema#",
	"$id": "https://corelight.com/software-sensor.schema.json",
	"title": "Corelight Logs",
	"description": "Definition of all of the potential logs for this installation",
	"definitions": {
	"time": {"type": "string", "pattern": "[0-9]{4}-[0-1][0-9]-[0-3][0-9]T[0-2][0-9]:[0-5][0-9]:[0-5][0-9]\\.?[0-9]{0,6}Z"},
	"port": {"type": "integer", "minimum": 0, "maximum": 65535},
	"count": {"type": "integer", "minimum": 0, "maximum": 18446744073709551615},
	"int": {"type": "integer", "minimum": -9223372036854775807, "maximum": 9223372036854775807},
	##! Add Business Unit to all logs with an "id" field.

	module BusinessUnit;

	export {
	option BusinessUnit::networks: table[subnet] of string = set();
	}

	redef record conn_id += {
	## The business unit seen as the connection originator.
	function next_interval(i: interval): interval
	{
	local now = current_time();
	local ii = double_to_count(interval_to_double(i));
	local sofar = double_to_count(time_to_double(now)) % ii;
	local togo = ii - sofar;
	local dur = double_to_interval(togo);
	return dur;
	}
	const stdout = open("/dev/stdout") &raw_output;

	const WIDTH = 80;
	const HEIGHT = 25;

	const characters = vector(" ", ".", ":", "-", "#", "o", "", ">");#, ")", #, "\|", "&", "I", "H", "%", "", "#");
	function CalculateRow(y: double, factor: double, shiftRight: double)
	{
	local output: vector of string = vector();
	local XCenter = -0.45;

	redef record HTTP::Info += {
	potential_fname: string &optional;
	};

	event http_request(c: connection, method: string, original_URI: string,
	unescaped_URI: string, version: string) &priority=5
	{
	# Get rid of uri arguments
	local path = split_string(c$http$uri, /\?/)[0];
	@load base/protocols/http

	module HTTPTitleRipper;

	export {
	## The depth to search for titles in HTTP response bodies.
	const search_depth = 10000;

	redef record HTTP::Info += {
	## A title from the webpage.
	redef record fa_file += {
	is_my_extractor_going: bool &default=F;
	};

	event file_over_new_connection(f: fa_file, c: connection, is_orig: bool)
	{
	if ( !f$is_my_extractor_going )
	{
	f$is_my_extractor_going=T;
	if ( f$source == "HTTP" && is_orig == F )