ssstonebraker

ElasticSearch 5.6 Cheatsheet

Node Decomission

If you need to decomission a node the first thing you should do is transfer all shards from it to other nodes

Start Moving all Shards off a node

This command will tell ElasticSearch to:

1. Stop sending new shards to node 10.0.0.1
2. Move all existing shards on node 10.0.0.1 to other nodes in the cluster

ssstonebraker

{"severity":2,"customFields":{},"description":"Case Created from a MISP event","tags":["misp","from-misp-event"],"name":"MISP-EVENT","tlp":2,"titlePrefix":"[MISP]","metrics":{},"pap":2,"tasks":[{"title":"Scratchpad","order":0,"group":"Scratchpad"},{"title":"Peers & Partners","order":1,"group":"Comms"},{"title":"Other","order":2,"group":"Comms"},{"title":"Detection && Identification","order":3,"group":"IR-Step2"},{"title":"Analysis && Digital Forensics","order":4,"group":"IR-Step2"},{"title":"Containment","order":5,"group":"IR-Step3"},{"title":"Eradication","order":6,"group":"IR-Step4"},{"title":"Recovery","order":7,"group":"IR-Step5"},{"title":"Lessons Learned","order":8,"group":"IR-Step6"}],"status":"Ok"}

ssstonebraker

#!/bin/bash
# Filename: showdupes.sh
# source: http://brakertech.com/compare-two-files-and-print-lines-that-match/
# this file takes two text files as input
# sorts them and outputs lines from
# file 2 that match file 1

if [ -f "$1" ] && [ -f "$2" ]
then
    awk 'NR==FNR{arr[$0];next} $0 in arr' $1.tmp $2.tmp;

ssstonebraker

https://attack.mitre.org/wiki/ATT&CK_Matrix


Convert pcapng to pcapng
 tshark -F pcap -r /Users/sstonebraker/Downloads/capture_ilch1dc02p.pcapng -w /Users/sstonebraker/Downloads/capture_ilch1dc02p.pcap


 recursively convert pcapng files to pcap
 find . -type f -name '*.pcapng' -print0 | while IFS= read -r -d '' f; do tshark -F pcap -r "$f" -w "${f%.pcapng}.pcap"; done

ssstonebraker

Replace 'X' with the domain name of your choice

# Back link
link:X -site:X

# Sub domain
site:X -site:www.X

# Url
inurl:X -site:X

ssstonebraker

#!/bin/bash

#  Usage: ./ipinfo.sh file_containing_one_ip_per_line

filename=$1
ipAddresses=`cat $filename`
`echo "" > out.txt` #To empty the file

readonly ourPath="$(dirname $0)"

ssstonebraker

# Add this to your bash profile

ipextract () {
# example: ipextract < filename
egrep --only-matching -E  '(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)'
}

ssstonebraker

#!/bin/bash
 
#########################################################################
#                                                                       #
#                                                                       #
#                       NATO String converter                           #
#                                                                       #
#               Description: converts string (first parameter given)    #
#               to NATO phonetics-alphabet                              #
#                                                                       #

ssstonebraker

# ediscovery_search_exported_msg_files.ps1
# Search through exported .msg files from content search (exchange compliance center) and return a spreadsheet of email addresses and matched URLs
# Kill outlook
cmd.exe /c "taskkill /F /IM outlook.exe /T 2> nul"

$scriptPath = $(split-path $myinvocation.mycommand.definition)
$inputPath = "$($scriptPath)\inputMails"


# Find all .msg files recursively

ssstonebraker

#!/bin/bash
# get_amis.sh
# Return a list of all ami's in use in aws

aws ec2 describe-instances --query 'Reservations[*].Instances[*].[ImageId,Tags[*]]' | grep ami | perl -pi -e "s/,//g;" | perl -pi -e "s/\"//g;" | perl -pi -e "s/\s+/\n/g;" | grep -v "^$"