My Security Intelligence and Monitoring Agenda List

1 Zeek

1.2 Document[0/1]

  1. [A] Zeek Blog: Zeke on Zeek: Working With Open-Source Zeek: Adding a Key-value For-Loop
    • [ ] Add a table of software versions, names, phone models, etc.
    • [ ] Audit the implementation of the Keyword part
  2. https://gist.github.com/nickwallen [ALL]
  3. [C] https://github.com/berke1337/public_ccdc <2018-03-20 Tue> [CCDC conf]   READ CON
  4. Documentation and Training
  5. packages/aggregate.meta at master · zeek/packages [Zeek packages view]   READ
  6. http://gauss.ececs.uc.edu/Courses/c6055/pdf/bro_log_vars.pdf   LEARN READ
  7. ✔ DONE [A] http://supbrosup.blogspot.com/2013/09/third-party-scripts-and-example-code.html   Extension LEARN
    • State “DONE” from “” [2018-12-03 Mon 15:31]

1.3 Osquery/Sysmon

  1. ✔ DONE https://github.com/iBigQ/bro-osquery   Necessary

1.4 DNS[3/3]

  1. Packages
    1. ✔ DONE [ ] [] https://github.com/hhzzk/dns-tunnels   DNS
    2. ✔ DONE [ ][dns axfr query ] https://github.com/srozb/dns_axfr   DNS
      1. https://en.wikipedia.org/wiki/DNS_zone_transfer
      2. https://cr.yp.to/djbdns/axfr-notes.html
    3. ✔ DONE https://github.com/corelight/top-dns   LEARN Necessary
      • State “✔ DONE” from [2019-08-10 Sat 21:11]
  2. Dev
    1. ✔ DONE Pdns-bro   DNS Framework
      • State “DONE” from [2018-11-13 Tue 16:17]
    2. erbbysam/DNSGrep: Quickly Search Large DNS Datasets
    3. Quickpost: nslookup Types | Didier Stevens

1.5 Conn[3/3]

  1. ✔ DONE [Long Connections] https://github.com/corelight/bro-long-connections   Necessary
  2. ✔ DONE [Connection Burst Identification] https://github.com/corelight/conn-burst   Necessary
  3. [SMB] https://www.giac.org/paper/gcia/10091/detecting-malicious-smb-activity-bro/140938
  4. ✘ CANCELED [Extended TCP Analysis] https://github.com/jswaro/tcprs

1.9 logging [2/7]

2 Project[Reorg]

2.5 NSM-project   NSM

  1. HASecuritySolutions/VulnWhisperer: Create actionable data from your Vulnerability Scans
    1. HASecuritySolutions/Logstash: Contains Logstash related content including tons of Logstash configurations
  2. https://github.com/bettercap/bettercap
  3. https://github.com/StamusNetworks/SELKS :Suricata/evebox:
  4. https://github.com/csirtgadgets
  5. https://github.com/ondrik/appreal/tree/1061bea706839b3d8875a6e106a87e17d6f798b2/regexps/bro-orig/protocols<2018-04-26 Thu>
  6. [A] https://github.com/hslatman/awesome-threat-intelligence   LEARN
  7. https://github.com/toolswatch
  8. https://github.com/sealingtech
  9. activecm/rita: Real Intelligence Threat Analytics
  10. HASecuritySolutions/VulnWhisperer: Create actionable data from your Vulnerability Scans
  11. https://github.com/maliceio/malice
  12. https://github.com/UVA-High-Speed-Networks
  13. http://justinazoff.github.io/netflow-indexer/ [tools]
  14. https://github.com/business-science/anomalize [R language for analysis]
  15. https://github.com/toolswatch
  16. ✔ DONE https://github.com/tatsu-i/rpot Real-time Packet Observation Tool
    • State “✔ DONE” from [2019-10-22 Tue 23:04]

    Just a simple NSM testing platform

    1. [X] [] https://web.eecs.umich.edu/~zmao/Papers/infocom15-flowr.pdf
    2. [X] [] https://github.com/bro/packet-bricks
    3. [X] [IOT] https://liu.diva-portal.org/smash/get/diva2:974379/FULLTEXT02.pdf CLOSED: [2018-06-05 Tue 13:49]
      • State “DONE” from “” [2018-06-05 Tue 13:49]


3 Silk

4 Osquery

5 Sysmon-config

6 Mitre&ATT

  1. Experts advocate for ’ATT&CK’ as go-to framework to share threat intel
  2. Cyber Wardog Lab: How Hot Is Your Hunt Team?
  3. BlueTeamToolkit/sentinel-attack: Repository of sentinel alerts and hunting queries leveraging sysmon and the MITRE ATT&CK framework

7 Nettoolset

7.4 Pcap datasets

  1. https://github.com/tatsu-i/malware-traffic-analysis.net <2018-03-20 Tue>

8 ⚑ WAITING Honeypot[0/1]

[Cowrie SSH/Telnet Honeypot] https://github.com/micheloosterhof/cowrie

9 Component

9.4 [B] [packet capture solution] https://github.com/google/stenographer   LEARN

10 ELK

10.2 Logstash

  1. Filter   Nettoolset
    1. ✔ DONE Urldecode <2018-06-07 Thu>
      • State “DONE” from [2018-06-07 Thu 14:21]

      手机淘宝/3442425 CFNetwork/897.15 Darwin/17.5.0

      1. Link
    2. fv<2018-06-07 Thu>
      1. link

10.5 elastic

  1. tools
    1. taskrabbit/elasticsearch-dump: Import and export tools for elasticsearch
  2. framework
    1. austin-taylor/flare: An analytical framework for network traffic and behavioral analytics
    2. morningconsult/go-elasticsearch-alerts: Elasticsearch Alerting Daemon
    3. medcl/elasticsearch-proxy: A lightweight elasticsearch proxy written in golang
    4. [Tools] EvtxToElk - a Python module for automated analysis of Windows event logs:   windows
  3. GEOIP<2018-06-14 Thu>
    1. ✔ DONE https://github.com/elastic/elasticsearch-dsl-py/issues/804   GEOIP
      • State “DONE” from [2018-06-14 Thu 13:39]
        • curl -H "Content-Type: application/json" -XPOST localhost:9200/us-city/city/ -d '{"city": "Anchorage", "state": "AK", "location": {"lat": "61.2180556", "lon": "-149.9002778"}}'

11 kafka

  1. confluentinc/ksql: KSQL - the Streaming SQL Engine for Apache Kafka
  2. ✰ Important Setting up a zookeeper / kafka cluster, and how to configure encryption and authentication for the kafka cluster and its clients
  3. Supervisor/supervisor: Supervisor process control system for UNIX
  4. brimsec/zinger: Receiver/gateway from Zeek/ZNG to file outputs or Kafka/Avro   zeek log
  5. Enable SSL for Kafka Clients - Hortonworks Data Platform

12 Analysis

12.11 https://iec56w4ibovnb4wc.onion.si/Library/ [malware sample library server.]   APT

12.14 Jupyter Lab

  1. Jupyter Notebooks 📓 from SIGMA Rules 🛡⚔️ to Query Elasticsearch 🏹   sigma jupyter kafka elk

13 thesis


13.1 1808.10742.pdf [Anomaly Detection in Cyber Network Data Using a Cyber Language Approach]

13.4 HTTP

  1. DeepHTTP: Semantics-Structure Model with Attention for Anomalous HTTP Traffic Detection and Pattern Mining
  2. https://blog.csdn.net/qq_30050175/article/details/90577778 DECANTeR: DEteCtion of Anomalous outbouNd HTTP TRaffic by Passive Application Fingerprinting - 一只咸鱼的小努力 - CSDN

14 Con & Video & Documentation

14.5 Botconf

  1. Olivier Bilodeau https://www.youtube.com/watch?v=iW-WmhPu6p4

14.6 Sans

  1. [Botnet Tracking Tools] [] https://www.youtube.com/watch?v=iW-WmhPu6p4

14.7 WAITING Traffic filtering at scale on Linux   Document NSM

  • State “WAITING” from [2018-11-06 Tue 12:44]

14.9 bro-2.4.1.pdf Document:

14.13 d1s1r4.pdf PPT:

15 Repo

15.2 https://scrapy.org/   spider

15.3 JohnLaTwC (John Lambert) [Distinguished Engineer and General Manager, Microsoft Threat Intelligence Center]

16 Logs query

17 Data visualization

18 pwn

19 Owncloud   NSM

curl -u ghost:own@321 -T "/Users/gtrun/org-notes/NsmOrg.org" "http://192.168.1.100/owncloud/remote.php/webdav/org-notes/NsmOrg.org"
sshpass -p "123" scp /Users/gtrun/org-notes/NsmOrg.org 192.168.1.9:~/org-notes/.

sudo bro -r tests/traces/http-get-large-incomplete.pcap tests/scripts/file-analyzer.bro

20 OSINT

21 MITRE

22 Sandbox

23 Data

24 memo

24.3 bagder (Daniel Stenberg)   NETWORK

25 SOC Platforms

25.5 ✘ CANCELED crits/crits: CRITs - Collaborative Research Into Threats

  • State “✘ CANCELED” from [2019-09-07 Sat 17:45]

26 [A] Cache

26.5 ✰ Important My Software | Didier Stevens

27 Tor

Created: 2020-07-04 Sat 18:18

Emacs 26.3 (Org mode 9.4)