{ | |
"$schema": "http://json-schema.org/draft-07/schema#", | |
"$id": "https://corelight.com/software-sensor.schema.json", | |
"title": "Corelight Logs", | |
"description": "Definition of all of the potential logs for this installation", | |
"definitions": { | |
"time": {"type": "string", "pattern": "[0-9]{4}-[0-1][0-9]-[0-3][0-9]T[0-2][0-9]:[0-5][0-9]:[0-5][0-9]\\.?[0-9]{0,6}Z"}, | |
"port": {"type": "integer", "minimum": 0, "maximum": 65535}, | |
"count": {"type": "integer", "minimum": 0, "maximum": 18446744073709551615}, | |
"int": {"type": "integer", "minimum": -9223372036854775807, "maximum": 9223372036854775807}, |
##! Add Business Unit to all logs with an "id" field.
module BusinessUnit;

export {
	## Subnet -> business-unit name lookup used to tag connection endpoints.
	## Declared as an ``option`` so it can be set via redef or the config
	## framework at runtime.
	# NOTE(review): the declared type is a table but the initializer is
	# set(); table() is the matching constructor — confirm the target Zeek
	# version accepts this as written.
	option BusinessUnit::networks: table[subnet] of string = set();
}
redef record conn_id += { | |
## The business unit seen as the connection originator. |
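## Time remaining until the next wall-clock instant that is a whole multiple
## of ``i`` (e.g. with ``i = 1hr`` at 10:42:17 this is about 17min 43sec),
## handy for scheduling work on aligned boundaries.
##
## i: the period to align to. Zero and negative periods have no boundaries
##    and are returned unchanged instead of raising a division-by-zero error.
##
## Returns: the interval from now until the next multiple of ``i``; exactly
##          ``i`` when now already sits on a boundary.
function next_interval(i: interval): interval
	{
	local now = time_to_double(current_time());
	local period = interval_to_double(i);

	# Guard before dividing: a period of 0 would divide by zero, and the
	# previous count-based version hit this for any period under 1 second.
	if ( period <= 0.0 )
		return i;

	# Work in doubles rather than truncating both operands to whole seconds:
	# sub-second periods stay usable and the result lands exactly on the
	# boundary instead of up to a second late.
	local sofar = now - floor(now / period) * period;
	return double_to_interval(period - sofar);
	}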
# Output handle for the renderer; &raw_output writes the characters as-is
# instead of applying Zeek's escaping of non-printable bytes.
const stdout = open("/dev/stdout") &raw_output;
# Output grid size in characters: columns x rows.
const WIDTH = 80;
const HEIGHT = 25;
# Glyph ramp, lightest to densest; presumably indexed by escape-iteration
# count in CalculateRow below (handler body not fully visible here). The
# trailing comment keeps a longer alternative ramp.
const characters = vector(" ", ".", ":", "-", "#", "o", "*", ">");#, ")", #, "|", "&", "I", "H", "%", "*", "#");
function CalculateRow(y: double, factor: double, shiftRight: double) | |
{ | |
local output: vector of string = vector(); | |
local XCenter = -0.45; |
redef record HTTP::Info += {
	## Candidate filename for the request; presumably derived from the URI
	## path by the http_request handler below (which strips the query string
	## first). Absent when no candidate is found.
	potential_fname: string &optional;
};
event http_request(c: connection, method: string, original_URI: string, | |
unescaped_URI: string, version: string) &priority=5 | |
{ | |
# Get rid of uri arguments | |
local path = split_string(c$http$uri, /\?/)[0]; |
##! Extracts page titles from HTTP response bodies (bounded by search_depth
##! below) and records them on the HTTP::Info record.
@load base/protocols/http
module HTTPTitleRipper;
export { | |
## The depth to search for titles in HTTP response bodies. | |
const search_depth = 10000; | |
redef record HTTP::Info += { | |
## A title from the webpage. |
redef record fa_file += {
	## Flipped to T the first time file_over_new_connection sees this file,
	## so the extractor set up in that handler is attached at most once per
	## file even when the file spans several connections.
	is_my_extractor_going: bool &default=F;
};
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) | |
{ | |
if ( !f$is_my_extractor_going ) | |
{ | |
f$is_my_extractor_going=T; | |
if ( f$source == "HTTP" && is_orig == F ) |
##! Extract and include the header names used for each request in the HTTP
##! logging stream. The headers in the logging stream will be stored in the
##! same order which they were seen on the wire.
@load base/protocols/http/main
# Deliberately extends the stock HTTP module rather than defining a new one,
# so the Info fields redef'd below become part of the existing HTTP logging
# stream.
module HTTP;
export { | |
redef record Info += { |
redef record fa_file += {
	## Flipped to T the first time file_over_new_connection sees this file,
	## so the extractor set up in that handler is attached at most once per
	## file even when the file spans several connections.
	is_my_extractor_going: bool &default=F;
};
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) | |
{ | |
if ( !f$is_my_extractor_going ) | |
{ | |
f$is_my_extractor_going=T; | |
if ( f$source == "HTTP" && is_orig == F ) |
# Detect bad guys |