Seth Hall sethhall

## ident-files.bro

const DIR="" &redef;

@load base/utils/dir
@load frameworks/files/hash-all-files

redef exit_only_after_terminate=T;

event bro_init()
	{

## gist:8b774afd4946757c93f8
# Jason Batchelor Edits, 9/19/2014
# Signatures informed by the following resource
# http://www.garykessler.net/library/file_sigs.html
signature file-olecf {
file-magic /(\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1)/
file-mime "application/olecf", 150
}
signature file-ooxml {
file-magic /(\x50\x4b\x03\x04\x14\x00\x06\x00)/
file-mime "application/vnd.openxmlformats-officedocument", 100

## keybase.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                sethhall
                / keybase.md
            
            
              Created
              September 18, 2014 02:31
            
          
    Keybase proof

I hereby claim:

I am sethhall on github.
I am remor (https://keybase.io/remor) on keybase.
I have a public key whose fingerprint is 421B 904C FF8C 56F0 D94C  88EB C4B7 768B D10C DBD5

To claim this, I am signing this object:

  
## bro-exchange-update-watcher.bro

redef exit_only_after_terminate = T;

module BroExchangeWatch;

export {
	redef enum Notice::Type += {
		Woo,
	};
}

## http-add-post-to-log.bro

redef record HTTP::Info += {
	post_body: string &optional &log;
};

redef record fa_file += {
	http_log: HTTP::Info &optional;
};

event http_get_post_body(f: fa_file, data: string)

## gist:11401477
#!/bin/bash

available_governors=$(cat /sys/devices/system/cpu/cpu*/cpufreq/scaling_available_governors \
            | head -1 | sed -e 's/ \([a-zA-Z0-9]\)/|\1/g' -e 's/ $//')
if [ $# -ne 1 ]
then

   echo "USAGE: $0 [$available_governors]"
fi

## gist:11384034
1398506591.523781       CsXIjO1BWbvfZpbnha      209.126.230.74  17193   x.x.x.x    443     -     --       tcp     Heartbleed::SSL_Heartbeat_Attack        An TLS heartbleed attack was detected! Record length 3, payload length 16384    -       209.126.230.74 x.x.x.x    443     -       worker1-10       Notice::ACTION_LOG      3600.000000     F       -       -       -       -       -

## conn.log
#separator \x09
#set_separator	,
#empty_field	(empty)
#unset_field	-
#path	conn
#open	2014-04-12-23-52-22
#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	set[string]
1397349488.146539	CgiXSR3iafr2IvmXH8	96.25.174.16	12929	107.170.194.215	443	tcp	ssl	4.071024	606	72872	S1	-	0	ShADad	39	2322	57	75164	(empty)
#close	2014-04-12-23-52-22

## conn.log
#separator \x09
#set_separator	,
#empty_field	(empty)
#unset_field	-
#path	conn
#open	2014-04-11-02-09-00
#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	set[string]
1397163796.404676	Cojr4LYR0U4FkAT2i	192.168.11.130	57534	192.168.11.128	443	tcp	ssl	0.020171	463	51011	RSTO	-	0	ShADadR	24	1635	41	53151	(empty)
#close	2014-04-11-02-09-00

## conn.log
#separator \x09
#set_separator	,
#empty_field	(empty)
#unset_field	-
#path	conn
#open	2014-04-10-21-40-58
#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	set[string]
1397173677.295334	CRVrQz4kM8bETkZAd9	10.20.30.165	5353	224.0.0.251	5353	udp	dns	3.000172	120	0	S0	-	0	D	3	204	0	0	(empty)
1397173669.761904	C0oDrV3mAS653MpdGh	10.20.30.157	53669	10.20.30.165	443	tcp	ssl	2.133122	257	5015	S1	-	0	ShADd	13	777	11	5459	(empty)

	const DIR="" &redef;

	@load base/utils/dir
	@load frameworks/files/hash-all-files

	redef exit_only_after_terminate=T;

	event bro_init()
	{
	# Jason Batchelor Edits, 9/19/2014
	# Signatures informed by the following resource
	# http://www.garykessler.net/library/file_sigs.html
	signature file-olecf {
	file-magic /(\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1)/
	file-mime "application/olecf", 150
	}
	signature file-ooxml {
	file-magic /(\x50\x4b\x03\x04\x14\x00\x06\x00)/
	file-mime "application/vnd.openxmlformats-officedocument", 100

	redef exit_only_after_terminate = T;

	module BroExchangeWatch;

	export {
	redef enum Notice::Type += {
	Woo,
	};
	}

	redef record HTTP::Info += {
	post_body: string &optional &log;
	};

	redef record fa_file += {
	http_log: HTTP::Info &optional;
	};

	event http_get_post_body(f: fa_file, data: string)
	#!/bin/bash

	available_governors=$(cat /sys/devices/system/cpu/cpu*/cpufreq/scaling_available_governors \
	\| head -1 \| sed -e 's/ \([a-zA-Z0-9]\)/\|\1/g' -e 's/ $//')
	if [ $# -ne 1 ]
	then

	echo "USAGE: $0 [$available_governors]"
	fi
	#separator \x09
	#set_separator ,
	#empty_field (empty)
	#unset_field -
	#path conn
	#open 2014-04-12-23-52-22
	#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
	#types time string addr port addr port enum string interval count count string bool count string count count count count set[string]
	1397349488.146539 CgiXSR3iafr2IvmXH8 96.25.174.16 12929 107.170.194.215 443 tcp ssl 4.071024 606 72872 S1 - 0 ShADad 39 2322 57 75164 (empty)
	#close 2014-04-12-23-52-22