chore: adjustments to line length of code blocks

This commit is contained in:
Tommy 2024-08-06 16:13:47 +02:00
parent c0be71f113
commit a4adbc2b1c
Signed by: tommy
SSH key fingerprint: SHA256:1LWgQT3QPHIT29plS8jjXc3S1FcE/4oGvsx3Efxs6Uc
12 changed files with 101 additions and 38 deletions


@ -46,7 +46,9 @@ example).
class IOC:
def __init__(self):
self.IOC = ioc_api.IOC(name='Test', description='An IOC generated from a Python script', author='Someone')
self.IOC = ioc_api.IOC(name='Test',
description='An IOC generated from a Python script',
author='Someone')
self.IOC.set_created_date()
self.IOC.set_published_date()
@ -56,13 +58,15 @@ example).
self.id = self.IOC.iocid
def addNode(self,label,text,type,indicator,condition='is'):
IndicatorItem_node = ioc_api.make_IndicatorItem_node(condition, label, text, type, indicator)
IndicatorItem_node = ioc_api.make_IndicatorItem_node(condition,
label, text, type, indicator)
current_guid = IndicatorItem_node.attrib['id']
print current_guid
self.IOC.top_level_indicator.append(IndicatorItem_node)
def __str__(self):
self.xml = et.tostring(self.IOC.root, encoding='utf-8', xml_declaration=True, pretty_print=True)
self.xml = et.tostring(self.IOC.root, encoding='utf-8',
xml_declaration=True, pretty_print=True)
return self.xml
This enables us to do something like this:
@ -74,7 +78,12 @@ This enables us to do something like this:
Which will again return the XML of the IOC.
<?xml version='1.0' encoding='utf-8'?>
<OpenIOC xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://openioc.org/schemas/OpenIOC_1.1" id="06fd70db-992c-4678-83e6-8f1b150e8bcf" last-modified="2014-01-28T07:15:09" published-date="2014-01-28T07:15:09">
<OpenIOC xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns="http://openioc.org/schemas/OpenIOC_1.1"
id="06fd70db-992c-4678-83e6-8f1b150e8bcf"
last-modified="2014-01-28T07:15:09"
published-date="2014-01-28T07:15:09">
<metadata>
<short_description>test</short_description>
<description>A Test</description>
@ -85,10 +94,12 @@ Which will again return the XML of the IOC.
</metadata>
<criteria>
<Indicator id="fbbb2883-473a-4a1c-92c4-692e199adb61" operator="OR">
<IndicatorItem id="14a42d26-b056-4b2e-a327-7d6edb25457e" condition="is" preserve-case="false" negate="false">
<IndicatorItem id="14a42d26-b056-4b2e-a327-7d6edb25457e"
condition="is" preserve-case="false" negate="false">
<Context document="test" search="Just a test" type="mir"/>
<Content type="domain">vg.no</Content>
<IndicatorItem id="dff6e0c5-613b-4bea-8bad-bb7a36b3ccdf" condition="is" preserve-case="false" negate="false">
<IndicatorItem id="dff6e0c5-613b-4bea-8bad-bb7a36b3ccdf"
condition="is" preserve-case="false" negate="false">
<Context document="test" search="Just a test" type="mir"/>
<Content type="ip">195.88.55.16</Content>
</IndicatorItem>
@ -110,10 +121,12 @@ attributes:
A nested IOC might look like this (relevant excerpt):
<Indicator id="b12f8c27-d168-49b5-bc75-cec86bf21d3f" operator="OR">
<IndicatorItem id="af4323dc-a967-4fe3-b62f-b461b90a3550" condition="is" preserve-case="false" negate="false">
<IndicatorItem id="af4323dc-a967-4fe3-b62f-b461b90a3550" condition="is"
preserve-case="false" negate="false">
<Context document="test" search="Just a test" type="mir"/>
<Content type="domain">vg.no</Content>
<IndicatorItem id="2ff639ca-dcec-4967-ac06-f54989bf3dc4" condition="is" preserve-case="false" negate="false">
<IndicatorItem id="2ff639ca-dcec-4967-ac06-f54989bf3dc4" condition="is"
preserve-case="false" negate="false">
<Context document="test" search="Just a test" type="mir"/>
<Content type="ip">195.88.55.16</Content>
</IndicatorItem>
@ -152,7 +165,9 @@ Creating an OpenIOC-compatible graph is a breeze:
def addVertice(self,content,content_type,condition):
vertice_id = self.graph.execute("""
def v1 = g.addVertex([content:content,content_type:content_type,condition:condition])
def v1 = g.addVertex([content:content,
content_type:content_type,
condition:condition])
return v1""",
{'content':content, 'content_type':content_type, 'condition':condition})
return vertice_id
@ -179,7 +194,9 @@ process in reverse:
def __init__(self):
self.graph = RexProConnection('localhost',8184,'titan')
self.IOC = ioc_api.IOC(name='Test', description='A test IOC generated from Rexster', author='Someone')
self.IOC = ioc_api.IOC(name='Test',
description='A test IOC generated from Rexster',
author='Someone')
self.IOC.set_created_date()
self.IOC.set_published_date()
@ -190,8 +207,18 @@ process in reverse:
self.id = self.IOC.iocid
self.lastId=None
def addNode(self,label,text,type,indicator,condition='is',addToLast=False):
IndicatorItem_node = ioc_api.make_IndicatorItem_node(condition, label, text, type, indicator)
def addNode(self,
label,
text,
type,
indicator,
condition='is',
addToLast=False):
IndicatorItem_node = ioc_api.make_IndicatorItem_node(condition,
label,
text,
type,
indicator)
if addToLast and self.last:
self.last.append(IndicatorItem_node)
@ -202,13 +229,15 @@ process in reverse:
self.last = IndicatorItem_node
def traverse(self,rootNodeId):
root=self.graph.execute("""return g.v(80284)""",{'vid':str(rootNodeId)})
root=self.graph.execute("""return g.v(80284)""",
{'vid':str(rootNodeId)})
self.addNode('test','Just a test',
root['_properties']['content_type'],
root['_properties']['content'],
root['_properties']['condition'])
one_level_out=self.graph.execute("""return g.v(vid).out""",{'vid':str(rootNodeId)})
one_level_out=self.graph.execute("""return g.v(vid).out""",
{'vid':str(rootNodeId)})
for vertex in one_level_out:
self.addNode('test','Just a test',
vertex['_properties']['content_type'],
@ -216,7 +245,10 @@ process in reverse:
vertex['_properties']['condition'],addToLast=True)
def __str__(self):
self.xml = et.tostring(self.IOC.root, encoding='utf-8', xml_declaration=True, pretty_print=True)
self.xml = et.tostring(self.IOC.root,
encoding='utf-8',
xml_declaration=True,
pretty_print=True)
return self.xml
ioc = RexsterIOC()


@ -8,12 +8,11 @@ openssl rand -base64 8 | shasum | head -c16 > ~/.avenger/.macpass
echo "" >> ~/.avenger/.macpass
```
```
brew install berkeley-db4
curl -O http://www.mailavenger.org/dist/avenger-0.8.5.tar.gz
echo "b0fc3e2e03ed010e95e561367fce7b087968df7ea6056251eba95cad14d26d37 avenger-0.8.5.tar.gz" | shasum -a 256 --check
echo "b0fc3e2e03ed010e95e561367fce7b087968df7ea6056251eba95cad14d26d37 avenger-0.8.5.tar.gz" | \
shasum -a 256 --check
tar xvzf avenger-0.8.5.tar.gz
cd avenger-0.8.5
./configure --with-db=/usr/local/Cellar/berkeley-db@4/4.8.30


@ -81,7 +81,9 @@ Personal Folder'``:
If you sample ``Inbox/Mails/``, you will find:
1.eml 10.eml 11.eml 12.eml 13.eml 14.eml 15.eml 16.eml 17.eml 2.eml 3.eml 4.eml 5.eml 6.eml 7.eml 8.eml 9.eml
1.eml 10.eml 11.eml 12.eml 13.eml 14.eml
15.eml 16.eml 17.eml 2.eml 3.eml 4.eml
5.eml 6.eml 7.eml 8.eml 9.eml
You can now continue with our previous post [6]. I'll also
encourage you to have a look at the documentation of the


@ -30,9 +30,11 @@ on my [contact page](https://contact.252.no):
```
KEY=`openssl rand -hex 32` IV=`openssl rand -hex 16`
ENCRYPTED_KEY_B64=`openssl pkeyutl -encrypt -pubin -inkey /tmp/test.pem -pkeyopt rsa_padding_mode:oaep <<< $KEY|base64`
ENCRYPTED_KEY_B64=`openssl pkeyutl -encrypt -pubin -inkey /tmp/test.pem \
-pkeyopt rsa_padding_mode:oaep <<< $KEY|base64`
BLOB=`openssl enc -aes-256-cfb -a -e -K ${KEY} -iv ${IV} -in some-file`
echo "PKCS11-VAULT;aes-256-cfb;rsa_padding_mode:oaep;$ENCRYPTED_KEY_B64:$IV:$BLOB;" > encrypted.txt
echo "PKCS11-VAULT;aes-256-cfb;rsa_padding_mode:oaep;$ENCRYPTED_KEY_B64:$IV:$BLOB;" \
> encrypted.txt
```
The steps of the above are:
@ -92,9 +94,12 @@ for BLOB in ${ENCRYPTION_BLOBS[@]}; do
IFS=':' read ENCRYPTED_KEY_B64 IV TEXTFILE_ENC <<< $BLOB
ENCRYPTED_KEY=`printf $ENCRYPTED_KEY_B64 | base64 -d`
decrypted=false
DECRYPTED_KEY=`echo $ENCRYPTED_KEY_B64 |base64 -d | openssl pkeyutl -decrypt -inkey /tmp/$key.key -pkeyopt ${PADDING_MODE} 2> /dev/null` && decrypted=true
DECRYPTED_KEY=`echo $ENCRYPTED_KEY_B64 |base64 -d | \
openssl pkeyutl -decrypt -inkey /tmp/$key.key \
-pkeyopt ${PADDING_MODE} 2> /dev/null` && decrypted=true
if [ $decrypted != false ]; then
TEXTFILE_DEC=`printf %s "$TEXTFILE_ENC"|base64 -d|openssl enc -$ALGORITHM -d -K "$DECRYPTED_KEY" -iv "$IV" |base64`
TEXTFILE_DEC=`printf %s "$TEXTFILE_ENC"|base64 -d|openssl enc \
-$ALGORITHM -d -K "$DECRYPTED_KEY" -iv "$IV" |base64`
break
fi
done


@ -86,7 +86,9 @@ installation (run the same image as the one you installed,
remember to simulate that you don't have network on that virtual
installation):
apt-get -qq --print-uris install build-essential linux-headers-$(uname -r) broadcom-sta-dkms patch bzip2 wpasupplicant | cut -d\' -f 2 > urls.txt
apt-get -qq --print-uris install build-essential \
linux-headers-$(uname -r) broadcom-sta-dkms \
patch bzip2 wpasupplicant | cut -d\' -f 2 > urls.txt
This will produce a file of urls that are all the packages
requested and its dependencies, get the stick, format it with


@ -17,7 +17,8 @@ uses git and a post-receive hook:
else repo="$pwd/.git"
fi
git --work-tree=~/secdiary/content --git-dir=~/secdiary/content.git checkout -f
git --work-tree=~/secdiary/content \
--git-dir=~/secdiary/content.git checkout -f
cd ~/secdiary
rm -r /var/www/secdiary.com/*
rm -r /var/gopher/*
@ -27,7 +28,8 @@ uses git and a post-receive hook:
cp ~/twtxt/content/twtxt.txt /var/www/secdiary.com/
echo "\nBuild: " >> /var/gopher/index.gph
git --git-dir=~/secdiary/content.git log -1 --pretty="%H%n%ci" >> /var/gopher/index.gph
git --git-dir=~/secdiary/content.git log -1 \
--pretty="%H%n%ci" >> /var/gopher/index.gph
I also publish twtxt messages in a similar way. My twtxt
config looks like the following:
@ -39,7 +41,10 @@ config looks like the following:
disclose_identity = False
character_limit = 140
character_warning = 140
post_tweet_hook = "cd ~/twtxt/ && git pull && git add twtxt.txt && git commit -m 'added new tweet' && git push"
post_tweet_hook = "cd ~/twtxt/ && git pull && \
git add twtxt.txt && \
git commit -m 'added new tweet' && \
git push"
In addition to my twtxt feed, I am present on Mastodon,
which lead me to Solene's static site generator cl-yag


@ -38,7 +38,8 @@ Posts about osquery that you should review before moving on:
* Another post on applying osquery for security [7]
* Palantir on osquery [8]
So that was a couple of links to get you started. The next section shows you how to quickly get a lab environment up and running.
So that was a couple of links to get you started. The next section
shows you how to quickly get a lab environment up and running.
## Setup and Configuration
@ -112,12 +113,15 @@ You can start the osquery daemon on the client by using the
following command. At this point you should start thinking about
packaging, which is detailed in the osquery docs [11].
/usr/local/bin/osqueryd --disable_events=false --flagfile=/private/var/osquery/osquery.flags
/usr/local/bin/osqueryd --disable_events=false \
--flagfile=/private/var/osquery/osquery.flags
osquery also has an interactive mode if you would like to test the
local instance, based on a local configuration file:
sudo osqueryi --disable_events=false --config_path=/etc/osquery/osquery.conf --config_path=/etc/osquery/osquery.conf
sudo osqueryi --disable_events=false \
--config_path=/etc/osquery/osquery.conf \
--config_path=/etc/osquery/osquery.conf
To make the client persistent on macOS, use the following
documentation from osquery [12].


@ -120,7 +120,8 @@ says OS, this might as well have been ``REGISTRY`` or ``TSK``):
for client in SearchClients('host:Webserver'):
id=client[0].client_id
o=flow.GRRFlow.StartFlow(client_id=str(id),
flow_name="GetFile", pathspec=rdfvalue.PathSpec(path=path, pathtype=rdfvalue.PathSpec.PathType.OS))
flow_name="GetFile", pathspec=rdfvalue.PathSpec(path=path,
pathtype=rdfvalue.PathSpec.PathType.OS))
flows.append(o)
files=[]


@ -134,9 +134,11 @@ certificate may now be signed and distributed to the user.
$ ssh-keygen -D $PKCS11_MODULE_PATH -e > ca.pub
$ ssh-keygen -D $PKCS11_MODULE_PATH -s ca.pub -I example -n zone-web -V +1w -z 1 id_rsa.pub
$ ssh-keygen -D $PKCS11_MODULE_PATH -s ca.pub -I example -n zone-web \
-V +1w -z 1 id_rsa.pub
Enter PIN for 'OpenPGP card (User PIN)':
Signed user key .ssh/id_rsa-cert.pub: id "example" serial 1 for zone-web valid from 2020-10-13T15:09:00 to 2020-10-20T15:10:40
Signed user key .ssh/id_rsa-cert.pub: id "example" serial 1 for zone-web
valid from 2020-10-13T15:09:00 to 2020-10-20T15:10:40
The same concept goes for a user smart-card, except that is
a plug and play as long as you have the gpg-agent


@ -71,9 +71,11 @@ compromising security [3]. In this case I use a Nitrokey:
$ brew cask install opensc
$ PKCS11_MODULE_PATH=/usr/local/lib/opensc-pkcs11.so
$ ssh-keygen -D $PKCS11_MODULE_PATH -e > ca.pub
$ ssh-keygen -D $PKCS11_MODULE_PATH -s ca.pub -I example -n zone-web -V +1h -z 1 id_ecdsa.pub
$ ssh-keygen -D $PKCS11_MODULE_PATH -s ca.pub -I example -n zone-web \
-V +1h -z 1 id_ecdsa.pub
Enter PIN for 'OpenPGP card (User PIN)':
Signed user key id_ecdsa-cert.pub: id "example" serial 1 for zone-web valid from 2020-10-14T20:26:00 to 2020-10-14T21:27:51
Signed user key id_ecdsa-cert.pub: id "example" serial 1 for zone-web
valid from 2020-10-14T20:26:00 to 2020-10-14T21:27:51
cp id_ecdsa-cert.pub ~/.ssh/
If you now try to ssh into a server using the given


@ -28,7 +28,8 @@ OpenBSD. This mostly has to do with vendor support and
the fact that OpenBSD does things differently.
Within security monitoring, centralized logging with
[LimaCharlie Adapters](https://doc.limacharlie.io/docs/documentation/73a613e8e43ed-lima-charlie-adapter) is a good option, which is what I wanted to share a
[LimaCharlie Adapters](https://doc.limacharlie.io/docs/documentation/73a613e8e43ed-lima-charlie-adapter)
is a good option, which is what I wanted to share a
simple example of here.
Please note that this is simplistic in design, since the
@ -166,7 +167,14 @@ version: '3.3'
services:
traefik-lc-adapter:
image: refractionpoint/lc-adapter:latest
command: file file_path=/logs/traefik/access.log client_options.identity.installation_key=$LC_INSTALLATION_KEY client_options.identity.oid=$LC_ORG_ID client_options.hostname=$LC_HOSTNAME client_options.sensor_seed_key=$LC_HOSTNAME client_options.platform=json
command:
- file
- file_path=/logs/traefik/access.log
- client_options.identity.installation_key=$LC_INSTALLATION_KEY
- client_options.identity.oid=$LC_ORG_ID
- client_options.hostname=$LC_HOSTNAME
- client_options.sensor_seed_key=$LC_HOSTNAME
- client_options.platform=json
restart: unless-stopped
environment:
TZ: UTC


@ -179,7 +179,8 @@ Open Network Configuration (ONC) [7]. In order to convert this
format to a working configuration file, use ovpn2onc.py [9] like
the following.
python3 reference/convert.py --infile *-pki-embedded.ovpn --outfile vpn_configuration.onc --name my_vpn
python3 reference/convert.py --infile *-pki-embedded.ovpn \
--outfile vpn_configuration.onc --name my_vpn
This results in a configuration file named
``vpn_configuration.onc``. ChromeOS will not give you any feedback