1 parent
f0d30d9
commit 6a3091b
Showing
9 changed files
with
156 additions
and
6 deletions.
Binary file not shown.
Binary file not shown.
@@ -0,0 +1,77 @@ | ||
%DEFAULT includepath pig/include.pig | ||
RUN $includepath; | ||
|
||
%DEFAULT time 60 | ||
|
||
snort_2905_alerts = | ||
LOAD '/Users/david/Downloads/captures/aurora_meterpreter_http.cap' | ||
USING com.packetloop.packetpig.loaders.pcap.detection.SnortLoader('lib/snort-2905/etc/snort.conf') | ||
AS ( | ||
ts:long, | ||
sig:chararray, | ||
priority:int, | ||
message:chararray, | ||
proto:chararray, | ||
src:chararray, | ||
sport:int, | ||
dst:chararray, | ||
dport:int | ||
); | ||
|
||
snort_2931_alerts = | ||
LOAD '/Users/david/Downloads/captures/aurora_meterpreter_http.cap' | ||
USING com.packetloop.packetpig.loaders.pcap.detection.SnortLoader('lib/snort-2931/etc/snort.conf') | ||
AS ( | ||
ts:long, | ||
sig:chararray, | ||
priority:int, | ||
message:chararray, | ||
proto:chararray, | ||
src:chararray, | ||
sport:int, | ||
dst:chararray, | ||
dport:int | ||
); | ||
|
||
-- snort_2905_alerts = | ||
-- LOAD 'snort_2905' AS ( | ||
-- ts:long, | ||
-- sig:chararray, | ||
-- severity:int, | ||
-- message:chararray, | ||
-- proto:chararray, | ||
-- src:chararray, | ||
-- sport:int, | ||
-- dst:chararray, | ||
-- dport:int | ||
-- ); | ||
-- | ||
-- snort_2931_alerts = | ||
-- LOAD 'snort_2931' AS ( | ||
-- ts:long, | ||
-- sig:chararray, | ||
-- severity:int, | ||
-- message:chararray, | ||
-- proto:chararray, | ||
-- src:chararray, | ||
-- sport:int, | ||
-- dst:chararray, | ||
-- dport:int | ||
-- ); | ||
|
||
snort_2905_sigs = FOREACH snort_2905_alerts GENERATE sig, message; | ||
snort_2931_sigs = FOREACH snort_2931_alerts GENERATE sig, message; | ||
|
||
snort_2905_grouped = GROUP snort_2905_sigs BY sig; | ||
snort_2931_grouped = GROUP snort_2931_sigs BY sig; | ||
|
||
snort_2905_summed = FOREACH snort_2905_grouped GENERATE group, COUNT(snort_2905_sigs); | ||
snort_2931_summed = FOREACH snort_2931_grouped GENERATE group, COUNT(snort_2931_sigs); | ||
|
||
snort_summed_joined = COGROUP snort_2905_summed BY group, | ||
snort_2931_summed BY group; | ||
|
||
new_only_filtered = FILTER snort_summed_joined BY (COUNT(snort_2905_summed) == 0); | ||
new_only_flattened = FOREACH new_only_filtered GENERATE FLATTEN(snort_2931_summed); | ||
|
||
DUMP new_only_flattened; |
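Review bot: Both LOAD statements hard-code a developer-machine capture path, `/Users/david/Downloads/captures/aurora_meterpreter_http.cap`, while the sibling scripts in this commit take the capture as `'$pcap'`; the script will fail for anyone else and cannot be pointed at another pcap without editing it. I would replace the two literals with `LOAD '$pcap'` and, if include.pig does not already set it, add a `%DEFAULT pcap` line next to `%DEFAULT time 60` (which is itself never referenced here). The two Snort config paths would likewise be cleaner as `%DEFAULT snort_2905_conf ...` / `%DEFAULT snort_2931_conf ...` parameters so a run against a different ruleset tree is a command-line change rather than a code change. The commented-out duplicate relations after the second LOAD also appear to be a dead copy (note they name the column `severity` where the live code says `priority`) and should be dropped rather than left to drift.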
@@ -0,0 +1,19 @@ | ||
%DEFAULT includepath pig/include.pig | ||
RUN $includepath; | ||
|
||
%DEFAULT time 60 | ||
%DEFAULT field '' | ||
%DEFAULT tcppath 'lib/scripts/tcp.py' | ||
|
||
http = LOAD '$pcap' USING com.packetloop.packetpig.loaders.pcap.protocol.HTTPConversationLoader('user-agent', '$tcppath') AS ( | ||
ts:long, | ||
src:chararray, | ||
sport:int, | ||
dst:chararray, | ||
dport:int, | ||
request:chararray, | ||
fields:tuple() | ||
); | ||
|
||
STORE http INTO '$output/http'; | ||
|
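Review bot: `%DEFAULT time 60` and `%DEFAULT field ''` are declared but never referenced in this script; the loader call hard-codes `'user-agent'` as the header to extract, so the `field` parameter in particular looks like it was meant to be passed through. Either wire it in as `HTTPConversationLoader('$field', '$tcppath')` with `%DEFAULT field 'user-agent'`, or delete the two unused defaults so a reader does not assume they influence the run. `$pcap` and `$output` have no `%DEFAULT` here; presumably include.pig supplies them, but if not the script will fail at parse time with an undefined-parameter error, so a comment noting where they come from would help.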
@@ -0,0 +1,53 @@ | ||
%DEFAULT includepath pig/include.pig | ||
RUN $includepath; | ||
|
||
%DEFAULT time 60 | ||
%DEFAULT field '' | ||
%DEFAULT tcppath 'lib/scripts/tcp.py' | ||
%DEFAULT snortconfig 'lib/snort/etc/snort.conf' | ||
|
||
http = LOAD '/pl/dumps/174f501a-d6e3-11e1-bec6-7f3db9d5953d' USING com.packetloop.packetpig.loaders.pcap.protocol.HTTPConversationLoader('user-agent') AS ( | ||
ts:long, | ||
src:chararray, | ||
sport:int, | ||
dst:chararray, | ||
dport:int, | ||
request:chararray, | ||
fields:tuple() | ||
); | ||
|
||
snort_alerts = LOAD '/pl/dumps/174f501a-d6e3-11e1-bec6-7f3db9d5953d' USING com.packetloop.packetpig.loaders.pcap.detection.SnortLoader() AS ( | ||
ts:long, | ||
sig:chararray, | ||
priority:int, | ||
message:chararray, | ||
proto:chararray, | ||
src:chararray, | ||
sport:int, | ||
dst:chararray, | ||
dport:int | ||
); | ||
|
||
fingerprints = LOAD '/pl/dumps/174f501a-d6e3-11e1-bec6-7f3db9d5953d' USING com.packetloop.packetpig.loaders.pcap.detection.FingerprintLoader() AS ( | ||
ts:long, | ||
src:chararray, | ||
sport:int, | ||
dst:chararray, | ||
dport:int, | ||
os:chararray | ||
); | ||
|
||
attacker_fingerprint_info = JOIN | ||
snort_alerts BY (src, sport, dst, dport), | ||
fingerprints BY (src, sport, dst, dport); | ||
|
||
attacker_fingerprints = FOREACH attacker_fingerprint_info GENERATE kkkkkkkkkkkkkkkkk | ||
|
||
dump attacker_fingerprints; | ||
|
||
--attacker_useragents = JOIN | ||
-- attacker_fingerprints BY (src, sport, dst, dport), | ||
-- http BY (src, sport, dst, dport); | ||
-- | ||
--STORE attacker_useragents INTO '$output/user_info'; | ||
|
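Review bot: The GENERATE on the attacker_fingerprints line is `GENERATE kkkkkkkkkkkkkkkkk`, which is not a valid projection and will stop the script at parse time, so nothing after it, including the DUMP, can run. Because the JOIN produces prefixed fields, the projection should name them explicitly, e.g. `GENERATE snort_alerts::ts AS ts, snort_alerts::sig AS sig, snort_alerts::message AS message, snort_alerts::src AS src, snort_alerts::sport AS sport, snort_alerts::dst AS dst, snort_alerts::dport AS dport, fingerprints::os AS os;`, which also gives the commented-out `attacker_useragents` JOIN the plain `src`/`sport`/`dst`/`dport` names it expects. `%DEFAULT snortconfig` and `%DEFAULT tcppath` are declared but unused: `SnortLoader()` is called with no config although the other script in this commit passes one, so `SnortLoader('$snortconfig')` would be the consistent form. The three LOADs also hard-code `/pl/dumps/174f501a-d6e3-11e1-bec6-7f3db9d5953d` where the other scripts use `'$pcap'`; parameterising it keeps the capture path out of the code.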