weslambert
/ Custom.Alert.TheHive
Last active
December 17, 2020 15:59
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Custom.Alert.TheHive | |
| description: | | |
| Create a TheHive Alert when we match a condition | |
| Much of this was borrowed from: https://gist.github.com/scudette/3a32abd19350c8fe3368661c4278869d | |
| type: SERVER_EVENT | |
| parameters: | |
| - name: TheHiveURL | |
| default: https://thehive |
weslambert
/ vxlan2pcap.py
Last active
March 19, 2020 04:46
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Pre-reqs: | |
| # pip3 install scapy | |
| # Example VXLAN PCAP: https://github.com/the-tcpdump-group/tcpdump/raw/master/tests/vxlan.pcap | |
| import sys, getopt | |
| from scapy.all import * | |
| def write(pkt): | |
| wrpcap(outputfile, pkt, append=True) | |
| def main(argv): |
weslambert
/ NCSA_Simple_Scan_Install_On_Security_Onion
Last active
February 21, 2020 20:53
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Script to download and shim https://github.com/ncsa/bro-simple-scan for use with Zeek on Security Onion | |
| # Last Modified 2/21/2020 by @therealwlambert | |
| SS_PATH="/opt/zeek/share/zeek/policy/simple-scan" | |
| SS_SCRIPT="simple-scan.zeek" | |
| BRO_DN_PATH="/opt/zeek/share/zeek/policy/bro-is-darknet" | |
| BRO_DN_SCRIPT="bro-is-darknet.zeek" | |
| echo "Adding directory structure..." |