<form version="1.1">
<label>Email RIOT</label>
<fieldset submitButton="false">
<input type="time" token="field1">
<label></label>
<default>
<earliest>-30d@d</earliest>
<latest>now</latest>
</default>
</input>
<form version="1.1">
<label>Country Report</label>
<fieldset submitButton="false">
<input type="dropdown" token="field1" searchWhenChanged="true">
<label>Country</label>
<fieldForLabel>source_country</fieldForLabel>
<fieldForValue>source_country</fieldForValue>
<search>
<query>|inputlookup greynoise_indicators_collection| dedup source_country | table source_country | sort source_country</query>
<earliest>-24h@h</earliest>
import requests
# replace with CVE and GreyNoise API key
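import os

# CVE to query GreyNoise for; edit this constant for a different one.
CVE = "CVE-2024-3273"

# Read the key from the environment instead of pasting it into this file,
# so a real credential is never committed alongside the script. The literal
# placeholder is kept as the fallback, so behaviour is unchanged when the
# variable is unset.
GN_API_KEY = os.environ.get("GN_API_KEY", "<GN_API_KEY>")

# Request headers for the GreyNoise API: JSON responses, key in the "key" header.
headers = {
    "accept": "application/json",
    "key": GN_API_KEY,
}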
'''
reads from a file cve_grouping.txt that takes a cve on each line to query greynoise and find ips exploiting each cve
'''
from greynoise import GreyNoise
from functools import reduce
# Client used for every GreyNoise lookup; replace the placeholder with a real key before running.
api_client = GreyNoise(api_key="<api_key>")

# Results accumulator; presumably keyed by CVE as read from cve_grouping.txt — confirm against the loop that follows.
cve_grouping = dict()
135.125.246.189 - - [04/Jan/2024:19:56:47 +0000] "POST / HTTP/1.1" 200 3460 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"
135.125.246.189 - - [04/Jan/2024:19:56:47 +0000] "GET /.env HTTP/1.1" 404 492 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"
205.210.31.40 - - [04/Jan/2024:19:25:30 +0000] "\x16\x03\x01" 400 487 "-" "-"
205.210.31.40 - - [04/Jan/2024:19:25:30 +0000] "\x16\x03\x01" 400 487 "-" "-"
193.23.3.64 - - [04/Jan/2024:19:22:19 +0000] "GET /.env HTTP/1.1" 404 488 "-" "-"
193.23.3.64 - - [04/Jan/2024:19:22:19 +0000] "GET /.env HTTP/1.1" 404 488 "-" "-"
54.173.133.244 - - [04/Jan/2024:19:18:54 +0000] "GET /downloads/.git/config HTTP/1.1" 404 455 "-" "Mozilla/5.0 (Linux; Android 8.1.0; LM-Q710.FG) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.101 Mobile Safari/537.36"
192.155.90.118 - - [04/Jan/2024:19:16:08 +0000] "\x16\x03\x01" 400 487 "-" "-"
185.254.196.173 - -
# python3 ip_hash_query.py 36.106.167.25
# takes an ip address as an argument and displays a list of ja3 fingerprints
# paste a fingerprint into the prompt to get a list of IPs associated with it
import requests
import sys
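import ipaddress
import os

# Fail with a usage message instead of an IndexError when no IP was given.
if len(sys.argv) < 2:
    sys.exit("usage: ip_hash_query.py <ip>")

# Parse the argument as an IP address before it is spliced into the request
# path, so an arbitrary string cannot steer the lookup to a different route.
try:
    ip = str(ipaddress.ip_address(sys.argv[1]))
except ValueError:
    sys.exit("not a valid IP address: " + sys.argv[1])

# Per-IP context endpoint for the validated address.
url = "https://api.greynoise.io/v2/noise/context/" + ip

# Take the key from the environment rather than editing this file; the empty
# default is the original placeholder, so an unset variable behaves as before.
API_KEY = os.environ.get("GN_API_KEY", "")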
import requests
import json
# GreyNoise metadata endpoint queried later in the script (the request itself is outside this excerpt).
url = "https://api.greynoise.io/v2/meta/metadata"

# Request headers: JSON responses, and the API key carried in the "key" header (left blank here).
headers = dict(accept="application/json", key="")
from greynoise import GreyNoise
# change API key and query
# Fill in a real GreyNoise key before running; the GNQL below selects
# malicious, non-spoofable IPs seen in the last day.
api_key = "<GN_API_KEY>"
gn_query = "last_seen:1d classification:malicious spoofable:false"

# Accumulator for matched IPs and a completion flag — presumably driven by
# a paging loop that follows outside this excerpt; confirm there.
ip_list = list()
complete = False

# Authenticated client used for all GreyNoise calls.
api_client = GreyNoise(api_key=api_key)
superducktoes / greynoise_plotting.py
Created January 11, 2023 17:41
plot last_seen for GreyNoise query
import matplotlib.pyplot as plt
import numpy as np
import requests
import json
# GNQL endpoint and the query whose results are plotted (per the gist description, by last_seen).
GN_QUERY_URL = "https://api.greynoise.io/v2/experimental/gnql"
GN_QUERY = "jira last_seen:30d"

# Left blank on purpose: supply a GreyNoise key before running.
GN_API_KEY = ""
HEADERS = {
superducktoes / ip_sim_hunting.py
Created January 11, 2023 16:57
Build Splunk queries based on IP sim output
import requests
import sys
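import os

# Take the key from the environment rather than editing this file; the empty
# default is the original placeholder, so an unset variable behaves as before.
api_key = os.environ.get("GN_API_KEY", "")
limit = 10  # number of results to request; raise for more

# Usage error: report it on stderr and exit non-zero so a calling shell or
# script can tell the run failed. quit() is a site-module convenience that
# is not guaranteed to exist and exits with status 0.
if len(sys.argv) < 2:
    print("need an IP", file=sys.stderr)
    sys.exit(1)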
headers = {