1 Zeek

1.1 Learn Zeek Script from other people[9/10]

  1. 📄 REVIEW https://github.com/rocknsm/rock-scripts :LEARN:NSM:

    1. ✔ DONE [reinforced] known-domains –>Broker

      • State “✔ DONE” from [2019-08-27 Tue 21:24]
  2. ✔ DONE [#A] evernote/bro-scripts: Bro scripts developed by the Evernote security team.

  3. ✔ DONE [#A] michalpurzynski/bro-gramming: Bro IDS programs collection.

  4. ✔ DONE cs-bro/bro-scripts at master · CrowdStrike/cs-bro

  5. ✔ DONE [#C] [Network-Research/EvilBox/ServerContainer/Bro/Bro Scripts at master · PushOCCRP/Network-Research](https://github.com/PushOCCRP/Network-Research/tree/master/EvilBox/ServerContainer/Bro/Bro Scripts)

  6. ✔ DONE [#A] https://github.com/sheharbano

  7. ✔ DONE LiamRandall/bro-scripts: Bro scripts to be shared with the community

  8. ✔ DONE JustinAzoff/broscripts: Analysis scripts for the Bro Intrusion Detection System

  9. ✔ DONE https://github.com/michalpurzynski/bro-gramming

  10. ✔ DONE https://github.com/0xxon/bro-sumstats-counttable

1.2 Document[0/1]

  1. [#A] Zeek Blog Zeke on Zeek: Working With Open-Source Zeek Adding a Key-value For-Loop
-   [ ] Add a table of software versions, names, phone models, etc.
-   [ ] Audit the implementation of the Keyword part
  1. https://gist.github.com/nickwallen [ALL]

  2. [#C] https://github.com/berke1337/public%5Fccdc <2018-03-20 Tue> [CCDC conf] :READ:CON:

  3. Documentation and Training

  4. packages/aggregate.meta at master · zeek/packages [Zeek packages view] :READ:

  5. http://gauss.ececs.uc.edu/Courses/c6055/pdf/bro%5Flog%5Fvars.pdf :LEARN:READ:

  6. ✔ DONE [#A] http://supbrosup.blogspot.com/2013/09/third-party-scripts-and-example-code.html :Extension:LEARN:

    • State “DONE” from [2018-12-03 Mon 15:31]

1.3 Osquery/Sysmon

  1. ✔ DONE https://github.com/iBigQ/bro-osquery :Necessary:

1.4 DNS[3/3]

  1. Packages

    1. ✔ DONE [] https://github.com/hhzzk/dns-tunnels :DNS:

    2. ✔ DONE [dns axfr query] https://github.com/srozb/dns%5Faxfr :DNS:

      1. https://en.wikipedia.org/wiki/DNS%5Fzone%5Ftransfer

      2. https://cr.yp.to/djbdns/axfr-notes.html

    3. ✔ DONE https://github.com/corelight/top-dns :LEARN:Necessary:

      • State “✔ DONE” from [2019-08-10 Sat 21:11]

  2. Dev

    1. ✔ DONE Pdns-bro :DNS:Framework:

      • State “DONE” from [2018-11-13 Tue 16:17]

    2. [erbbysam/DNSGrep: Quickly Search Large DNS Datasets](https://github.com/erbbysam/DNSGrep)

    3. [Quickpost: nslookup Types | Didier Stevens](https://blog.didierstevens.com/2019/07/03/quickpost-nslookup-types/)

1.5 Conn[3/3]

  1. ✔ DONE [Long Connections] https://github.com/corelight/bro-long-connections :Necessary:

  2. ✔ DONE [Connection Burst Identification] https://github.com/corelight/conn-burst :Necessary:

  3. [SMB] https://www.giac.org/paper/gcia/10091/detecting-malicious-smb-activity-bro/140938

  4. ✘ CANCELED [Extended TCP Analysis] https://github.com/jswaro/tcprs

  5. [SMBv1] https://github.com/klehigh/find%5Fsmbv1

1.6 Detect[14/14]

  1. detect-kaspersky/detect-kaspersky.bro at 6016c1b200fc749a035250f01c72b242e7d3156d · initconf/detect-kaspersky

1.7 SSL/TLS

  1. https://github.com/0xxon/bro-plugin-roca

  2. [fingerprint] https://github.com/salesforce/ja3

  3. Link

    1. [WebMap - A Dashboard For Nmap Scans - YouTube](https://www.youtube.com/watch?v=SoEIDNnOCGY)

    2. TODO https://github.com/trimstray/htrace.sh [Nmap]

  4. [Web Security] Exposing the real IP addresses of Tor services through SSL certificates: https://www.netsparker.com/blog/web-security/exposing-public-ips-tor-services-through-ssl-certificates/

  5. SOMEDAY [#A] https://www.bro.org/brocon2014/ssl%5Fexercise.pdf <2018-06-06 Wed> :READ:

    1. https://www.securityartwork.es/2017/02/02/tls-client-fingerprinting-with-bro/ :READ:

  6. 1607.01639.pdf [SSL] Deciphering Malware’s use of TLS (without Decryption)

  7. Onion-Zeek-RITA: Improving Network Visibility and Detecting C2 Activity

1.8 Intel Framework[2/3]

1.9 logging [2/7]

    # open a superuser shell as the postgres OS account (local peer auth, no password)
    sudo -u postgres psql
    # create a role and its database; add -P to createuser to set a password,
    # and -O <username> to createdb so the new role owns the database
    sudo -u postgres createuser <username>
    sudo -u postgres createdb <dbname>
    # the same over TCP as the new role (needs a password or a matching pg_hba.conf entry)
    createdb -h localhost -p 5432 -U dbuser testdb
    psql -h localhost -p 5432 -U dbuser -d testdb
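The AXFR scripts listed under 1.4 DNS and the createdb/psql commands above meet in the middle: to load Zeek logs into that database, or to check them for zone-transfer requests outside Zeek, the TSV output has to be parsed first. The following is an added example, not code from Zeek or from any of the linked repositories. It reads the ASCII-writer header (#separator, #set_separator, #empty_field, #unset_field, #fields, #types), converts columns to Python types, flags AXFR/IXFR requests in a dns.log, and renders records as PostgreSQL COPY text lines. The dns.log excerpt, its uids and addresses, and the function names are constructed for the example.

```python
"""Read Zeek TSV logs, flag AXFR/IXFR requests, emit PostgreSQL COPY lines.
Added example: the log excerpt below is constructed, not captured traffic."""
import re
from typing import Any, Dict, Iterator, List

# Constructed dns.log excerpt in Zeek's ASCII-writer layout (column set shortened).
SAMPLE_DNS_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tdns
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tquery\tqtype\tqtype_name\trcode_name\tanswers\tTTLs
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tcount\tstring\tstring\tvector[string]\tvector[interval]
1565439000.123456\tCabcd1\t10.0.0.5\t51234\t10.0.0.53\t53\tudp\twww.example.com\t1\tA\tNOERROR\t93.184.216.34\t3600.0
1565439001.000000\tCabcd2\t10.0.0.9\t41000\t10.0.0.53\t53\ttcp\texample.com\t252\tAXFR\tREFUSED\t-\t-
1565439002.500000\tCabcd3\t10.0.0.5\t51235\t10.0.0.53\t53\tudp\texample.com\t16\tTXT\tNOERROR\t(empty)\t-
#close\t2019-08-10-21-11-00
"""

_HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def _unescape(s: str) -> str:
    """Zeek writes separators as \\xNN escapes in the header; turn them into characters."""
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)


def _convert(value: str, ztype: str, meta: Dict[str, str]) -> Any:
    """Map one column to a Python value according to its #types entry."""
    if value == meta["unset_field"]:
        return None                      # "-": the field was never set
    if ztype.startswith(("set[", "vector[")):
        if value == meta["empty_field"]:
            return []                    # "(empty)" container
        inner = ztype[ztype.index("[") + 1:-1]
        return [_convert(v, inner, meta) for v in value.split(meta["set_separator"])]
    if value == meta["empty_field"]:
        return ""                        # empty scalar string
    if ztype in ("count", "int", "port"):
        return int(value)
    if ztype in ("time", "interval", "double"):
        return float(value)
    if ztype == "bool":
        return value == "T"
    return value                         # string, addr, subnet, enum stay text


def parse_zeek_log(text: str) -> Iterator[Dict[str, Any]]:
    """Yield one dict per record, keyed by the #fields names, typed by #types."""
    meta = {"separator": "\t", "set_separator": ",", "empty_field": "(empty)", "unset_field": "-"}
    fields: List[str] = []
    types: List[str] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):        # the only header line that uses a space
            meta["separator"] = _unescape(line[len("#separator "):])
            continue
        if line.startswith("#"):
            key, _, rest = line[1:].partition(meta["separator"])
            if key in ("set_separator", "empty_field", "unset_field"):
                meta[key] = _unescape(rest)
            elif key == "fields":
                fields = rest.split(meta["separator"])
            elif key == "types":
                types = rest.split(meta["separator"])
            continue                              # #path/#open/#close carry no records
        if not fields or len(types) != len(fields):
            raise ValueError("record seen before a complete #fields/#types header")
        cols = line.split(meta["separator"])
        if len(cols) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(cols)}: {line!r}")
        yield {f: _convert(c, t, meta) for f, c, t in zip(fields, cols, types)}


def axfr_requests(records) -> List[Dict[str, Any]]:
    """Zone-transfer attempts: qtype 252 (AXFR) or 251 (IXFR). Keep them even when the
    server answered REFUSED; the request itself is the reconnaissance signal."""
    return [r for r in records
            if r.get("qtype") in (251, 252) or r.get("qtype_name") in ("AXFR", "IXFR")]


def pg_copy_line(record: Dict[str, Any]) -> str:
    """Render a record for `COPY ... FROM STDIN` (text format): NULL is \\N, lists become
    array literals, and backslash/tab/newline inside values are escaped."""
    def copy_escape(s: str) -> str:
        return s.replace("\\", "\\\\").replace("\t", "\\t").replace("\n", "\\n")

    def cell(v: Any) -> str:
        if v is None:
            return "\\N"
        if isinstance(v, bool):
            return "t" if v else "f"
        if isinstance(v, list):          # quote each element so ',' and '}' inside it are safe
            elems = ['"' + str(x).replace("\\", "\\\\").replace('"', '\\"') + '"' for x in v]
            return copy_escape("{" + ",".join(elems) + "}")
        return copy_escape(str(v))

    return "\t".join(cell(v) for v in record.values())


if __name__ == "__main__":
    recs = list(parse_zeek_log(SAMPLE_DNS_LOG))
    for hit in axfr_requests(recs):
        print(f"AXFR from {hit['id.orig_h']} for {hit['query']} -> {hit['rcode_name']}")
    print(pg_copy_line(recs[0]))
```

The column order of the COPY line follows #fields, so the target table has to be created with the same column order (or COPY given an explicit column list); the typed dicts are also what you would hand to Zeek's Broker Python bindings or to an Elasticsearch bulk indexer.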

1.10 Others [0/0]

  1. Notice Correlation and Covert CTC Detection — Michael Dopheide & Ross Gegan - YouTube :script:

  2. Threat-Intelligence-Summer-2018/Statistics at master · AkashHK/Threat-Intelligence-Summer-2018

  3. [Bingmang/pcap2kdd: A kddcup99 features extractor.](https://github.com/Bingmang/pcap2kdd)

1.11 bro-in-90-minutes/mini-workshop.md at master · NSMAssociates/bro-in-90-minutes

1.12 Scan[0/1]

[] https://github.com/initconf/scan-NG

1.13 Self

[db] https://github.com/fatemabw/bro-inventory-scripts/blob/a3f38e608a98555f9d897331962b057e33dffad8/scripts/tlsfp%5Fdb.bro

1.14 Bat

  1. https://github.com/giangzuzana/deep-mods-gz/tree/24033b933e34bd0157c1c89bd8c1ad6241f77eb6 :project:

1.15 bro-pkg

  1. The Bro Package Manager and You. Seth Hall Chief Evangelist Corelight, Inc - PDF

1.16 Broker

  1. Manual

    1. https://www.bro.org/sphinx-git/frameworks/broker.html#topic-naming-conventions

    2. [base/frameworks/broker/store.bro — Bro 2.6-16 documentation](https://www.bro.org/sphinx-git/scripts/base/frameworks/broker/store.bro.html)

    3. [Broker-Enabled Communication/Cluster Framework — Bro 2.6-16 documentation](https://www.bro.org/sphinx-git/frameworks/broker.html#data-store-example)

    4. [Zeek (Bro) Blog: Broker is Coming, Part 2: Replacing &synchronized](https://blog.zeek.org/2018/07/broker-is-coming-part-2-replacing.html)

    5. [5. Python Bindings — Broker User Manual](https://docs.zeek.org/projects/broker/en/stable/python.html)

    6. [broker/tests/python at master · zeek/broker](https://github.com/zeek/broker/tree/master/tests/python)

  2. Repo

    1. [UHH-ISS/honeygrove: A multi-purpose modular honeypot based on Twisted.](https://github.com/UHH-ISS/honeygrove)

    2. https://github.com/tenzir/events/tree/master/brocon18

    3. https://github.com/tenzir/bro-vast

    4. https://github.com/lbnl-cybersecurity/dtkm-sparcs

    5. https://github.com/CommunityBro/communitybro

    6. https://github.com/UHH-ISS/beemaster-bro

    7. [broker-application-templates/sender.bro at master · 0ortmann/broker-application-templates](https://github.com/0ortmann/broker-application-templates/blob/master/bro-to-app/threaded-simple/sender.bro)

  3. Zeek-Script

    1. ✔ DONE [#A] [J-Gras/add-interfaces: Adds cluster node's interface to logs.](https://github.com/J-Gras/add-interfaces) :Necessary:

1.17 CVE

  1. https://github.com/esnet/security/tree/master/cve-2016-4303

  2. https://github.com/set-element/misc-scripts

  3. https://github.com/initconf/CVE-2017-5638%5Fstruts/blob/master/scripts/CVE-2017-5638%5Fstruts-cluster.bro

    1. http://mailman.icsi.berkeley.edu/pipermail/bro/2017-March/011735.html [EMail]

  4. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16807

    1. https://github.com/bro/bro/commit/34d0cf886ca16c665f673a299e295b2a2bc14533

1.18 Dev

  1. [#A] Bro Germany 2018

  2. tenzir/events at 7c94ca536524460ad9a36854ebafbab539b80481

  3. https://github.com/lbnl-cybersecurity/sparcs [Stream-Processing Architecture for Real-time Cyber-physical Security]

  4. https://github.com/set-element

  5. Protocol support

    1. https://github.com/irtimmer/bro-xdp%5Fpacket-plugin

    2. [zeek/packet-bricks: A netmap-based packet layer for distributing and filtering traffic.](https://github.com/zeek/packet-bricks)

    3. [amzn/zeek-plugin-enip: Zeek network security monitor plugin that enables parsing of the Ethernet/IP and Common Industrial Protocol standards](https://github.com/amzn/zeek-plugin-enip)

    4. [amzn/zeek-plugin-profinet: Zeek network security monitor plugin that enables parsing of the Profinet protocol](https://github.com/amzn/zeek-plugin-profinet)

  6. Protocol-analyzer

    1. https://github.com/bro/bro/tree/master/src/analyzer/protocol

    2. [endace/bro-dag: Bro plugin providing native Endace DAG packet capture support](https://github.com/endace/bro-dag)

    3. [bro-lognorm/src at master · J-Gras/bro-lognorm](https://github.com/J-Gras/bro-lognorm/tree/master/src)

    4. [dopheide-esnet/bro-fuzzy-hashing: Bro plugin providing fuzzy hashing integration.](https://github.com/dopheide-esnet/bro-fuzzy-hashing)

    5. [jennifergates/paper: Research paper](https://github.com/jennifergates/paper)

    6. [esnet/zeek_perfsonar_owamp: OWAMP protocol analyzer plugin for Bro/Zeek](https://github.com/esnet/zeek%5Fperfsonar%5Fowamp)

      1. [perfsonar/owamp: A tool for performing one-way active measurements](https://github.com/perfsonar/owamp)

    7. [MITRECND/bro-http2: Plugin for Bro which provides http2 decoder/analyzer](https://github.com/MITRECND/bro-http2)

    8. https://github.com/CommunityBro :project:

    9. [timwoj/zeek-demo](https://github.com/timwoj/zeek-demo)

    10. [salesforce/GQUIC_Protocol_Analyzer: GQUIC Protocol Analyzer for Zeek (Bro) Network Security Monitor](https://github.com/salesforce/GQUIC%5FProtocol%5FAnalyzer)

✘ CANCELED 1.19 Cache

2 Project[Reorg]

2.1 Current

  1. yampelo/beagle: Beagle is an incident response and digital forensics tool which transforms security logs and data into graphs.

2.2 certs

  1. https://github.com/certbot/certbot

2.3 project for bro

  1. [] https://github.com/treussart/ProbeManager%5FBro/tree/07173b97a647a54fd331a593825d21443c6b037c
  2. [] https://github.com/m57
  3. [] https://github.com/retsiela/Pruebanewrepository
  4. [] https://github.com/boisgada/NTFKit/tree/4355ba74d272b918cfa718b580de6536bba1c14f/files/usr/local/bro/share/bro/site/bro-scripts
  5. [] binorassocies/brostash: Linux distribution based on Debian and focusing on network security events collection

2.4 pcap

http://www.netresec.com/?page=PcapFiles

  1. https://github.com/neu5ron/malware-traffic-analysis

  2. https://github.com/huge-data

  3. ✰ Important WRCCDC Public Archive

2.5 NSM-project

  1. HASecuritySolutions/VulnWhisperer: Create actionable data from your Vulnerability Scans

    1. [HASecuritySolutions/Logstash: Contains Logstash related content including tons of Logstash configurations](https://github.com/HASecuritySolutions/Logstash)

  2. https://github.com/bettercap/bettercap

  3. https://github.com/StamusNetworks/SELKS :Suricata/evebox:

  4. https://github.com/csirtgadgets

  5. https://github.com/ondrik/appreal/tree/1061bea706839b3d8875a6e106a87e17d6f798b2/regexps/bro-orig/protocols <2018-04-26 Thu>

  6. https://github.com/descendency/broscripts/tree/9baed7cf37670ec6bb107757c935b9924c084c7a

  7. https://github.com/CriticalPathSecurity/bro-scripts <2018-04-26 Thu>

  8. https://cyberwardog.blogspot.com/

  9. [#A] https://github.com/hslatman/awesome-threat-intelligence :LEARN:

  10. https://github.com/toolswatch

  11. https://github.com/sealingtech

  12. activecm/rita: Real Intelligence Threat Analytics

  13. https://github.com/maliceio/malice

  14. https://github.com/UVA-High-Speed-Networks

  15. http://justinazoff.github.io/netflow-indexer/ [tools]

  16. https://github.com/business-science/anomalize [R language for analysis]

  17. ✔ DONE https://github.com/tatsu-i/rpot Real-time Packet Observation Tool

    • State “✔ DONE” from [2019-10-22 Tue 23:04]

    Just a simple NSM testing platform

2.6 Paper

  1. [] https://web.eecs.umich.edu/~zmao/Papers/infocom15-flowr.pdf

  2. [] https://github.com/bro/packet-bricks

  3. [IOT] https://liu.diva-portal.org/smash/get/diva2:974379/FULLTEXT02.pdf CLOSED: [2018-06-05 Tue 13:49]

    • State “DONE” from [2018-06-05 Tue 13:49]

2.7 new

  1. https://github.com/kevinwilcox/bro-sccrew

  2. https://github.com/initconf/smtp-url-analysis/tree/2eff7244ca3eb3dfd4ab70fa0f7ea9ee73ea0de3/scripts

  3. https://www.jianshu.com/p/68684780c1b0x

2.8 Search website

  1. https://web.nsrc.org/
  2. https://nsrc.org/workshops/2008/ait-wireless/kemp/network-security-nac.pdf

2.9 full blown

  1. certsocietegenerale/FIR: Fast Incident Response

3 Silk

3.1 Document

  1. Flow Monitoring Explained: From Packet Capture to Data Analysis With NetFlow and IPFIX - IEEE Journals & Magazine

  2. https://www.google.com/search?q=CERT/NetSA+%22pdf%22&ei=k939W7ukKILX0gLUt5tw&start=10&sa=N&ved=0ahUKEwj7ufnx5vXeAhWCq1QKHdTbBg4Q8tMDCH0&biw=1152&bih=599&dpr=2.5

  3. https://www.ietf.org/proceedings/80/slides/ipfix-4.pdf

  4. https://tools.netsa.cert.org/silk/analysis-handbook.pdf [Analysis Handbook Nov 2018 updated]

  5. 📄 REVIEW Analysis handbook :BOOK:LEARN:

  6. lisa04.pdf

  7. lisa06.pdf

  8. https://resources.sei.cmu.edu/asset%5Ffiles/Presentation/2011%5F017%5F101%5F50515.pdf [iSilk]

  9. nyov/netsa-python NetSA Python - http://tools.netsa.cert.org/netsa-python/

4 Osquery

4.1 PPT/Doc

  1. Install/Setup Kolide Fleet + Graylog + OSQuery with Windows and Linux deployment | HoldMyBeer :STEP1:Document:

  2. Maerz-BroandOsquery-EnterpriseVisibility.pdf :Visualization:

4.2 Security

  1. osquery For Security – Chris Long – Medium

4.3 Kolide

  1. Config

    1. [fleet/configuring-the-fleet-binary.md at master · kolide/fleet](https://github.com/kolide/fleet/blob/master/docs/infrastructure/configuring-the-fleet-binary.md) :Document:

4.4 tools

  1. jmpsec/osctrl: Fast and efficient osquery management :Tool:

5 Sysmon-config

5.1 https://github.com/SwiftOnSecurity/sysmon-config

5.2 https://github.com/JPCERTCC/SysmonSearch

6 MITRE ATT&CK

  1. Experts advocate for ‘ATT&CK’ as go-to framework to share threat intel

  2. Cyber Wardog Lab: How Hot Is Your Hunt Team?

  3. BlueTeamToolkit/sentinel-attack: Repository of sentinel alerts and hunting queries leveraging sysmon and the MITRE ATT&CK framework

7 Nettoolset

7.1 rule

  1. https://github.com/plyara/plyara :yara:

7.2 Pcap tools

  1. [Pcap analysis tools] http://mykings.me/2017/08/14/%E4%B8%80%E4%BA%9B%E4%B8%8D%E9%94%99%E7%9A%84PCAP%E5%88%86%E6%9E%90%E5%B7%A5%E5%85%B7/

7.3 Malicious Application

  1. JarryShaw/mad: Malicious Application Detector :project:

  2. https://github.com/Cisco-Talos/clamav-devel/tree/dev/0.101/docs :Document:NSM:

7.4 Pcap datasets

  1. https://github.com/tatsu-i/malware-traffic-analysis.net <2018-03-20 Tue>

7.5 ctxis/CAPE: Malware Configuration And Payload Extraction

⚑ WAITING 8 Honeypot[0/1]

[Cowrie SSH/Telnet Honeypot] https://github.com/micheloosterhof/cowrie

9 Component

9.1 Graylog2/collector-sidecar: Manage log collectors through Graylog [Log collection]

9.2 [conf] https://github.com/anelshaer/ELKSecurity/blob/4c6afc3f2cb6ffd2fabebc1b73398b19aff43592/logstash/conf.d/bro-syslog-ng.conf

9.3 [ELK Solution] https://github.com/philhagen/sof-elk

9.4 [packet capture solution ] https://github.com/google/stenographer

9.5 [bro scripts] https://github.com/hxer/note-ivre/tree/2be48776fa23e350eb2d038743e8695295459e4b

10 ELK

10.1 BLog

  1. Mactime magic with ELK | White snow | against the black ice

10.2 Logstash

  1. Filter :Nettoolset:

    1. ✔ DONE Urldecode <2018-06-07 Thu>

      • State “DONE” from [2018-06-07 Thu 14:21]

      手机淘宝/3442425 CFNetwork/897.15 Darwin/17.5.0

      1. Link

        • https://www.elastic.co/guide/en/logstash/current/plugins-filters-urldecode.html
        • https://www.cnblogs.com/vovlie/p/4227027.html

    2. kv <2018-06-07 Thu>

      1. Link

        • https://www.elastic.co/guide/en/logstash/current/plugins-filters-kv.html
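The two filter notes above (urldecode on a percent-encoded User-Agent, then kv to split it into product/version pairs) can be checked offline before touching a pipeline. The following is an added example, not code from Logstash or from the linked pages: it reproduces the effect of `urldecode` and of `kv` with `field_split => " "` and `value_split => "/"` in plain Python. The percent-encoded input is constructed from the decoded User-Agent in the note, and the function names are the example's own.

```python
"""Reproduce the Logstash urldecode + kv filter steps on a User-Agent field.
Added example; the percent-encoded input is constructed from the decoded string in the note."""
from typing import Any, Dict
from urllib.parse import unquote

# Constructed: the note's UA as a proxy log writes it, percent-encoded (UTF-8 bytes for 手机淘宝).
ENCODED_UA = "%E6%89%8B%E6%9C%BA%E6%B7%98%E5%AE%9D/3442425%20CFNetwork/897.15%20Darwin/17.5.0"


def urldecode_field(event: Dict[str, Any], field: str) -> Dict[str, Any]:
    """urldecode { field => "<field>" }: decode exactly once. A second pass would turn a
    literal '%25' in the original value into '%', so never chain two decode passes."""
    if isinstance(event.get(field), str):
        event[field] = unquote(event[field], encoding="utf-8", errors="replace")
    return event


def kv_field(event: Dict[str, Any], source: str, target: str,
             field_split: str = " ", value_split: str = "/") -> Dict[str, Any]:
    """kv { source => ..., target => ..., field_split => " ", value_split => "/" }:
    tokens without a value separator are kept with an empty value rather than dropped;
    a repeated key keeps its last value here (Logstash governs that with allow_duplicate_values)."""
    pairs: Dict[str, str] = {}
    for token in str(event.get(source, "")).split(field_split):
        if not token:
            continue                      # collapse runs of separators
        key, sep, value = token.partition(value_split)
        pairs[key] = value if sep else ""
    event[target] = pairs
    return event


def normalize_ua(raw_ua: str) -> Dict[str, Any]:
    """Run both steps on one event, in the order the two filters sit in the pipeline."""
    event: Dict[str, Any] = {"ua": raw_ua}
    urldecode_field(event, "ua")
    return kv_field(event, "ua", "ua_kv")


if __name__ == "__main__":
    print(normalize_ua(ENCODED_UA))
```

Decoding before splitting matters: the encoded form has `%20` where the field separator should be, so kv applied first would see a single token.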

10.3 Repo

  1. Cyb3rWard0g/HELK: The Hunting ELK

  2. simplesteph/kafka-security-manager: Manage your Kafka ACL at scale

  3. [database] confluentinc/ksql: KSQL - the Streaming SQL Engine for Apache Kafka

  4. HASecuritySolutions/VulnWhisperer: Create actionable data from your Vulnerability Scans

10.4 Extended

  1. https://github.com/SparkSharly/Sharly

10.5 elastic

  1. tools

    1. [taskrabbit/elasticsearch-dump: Import and export tools for elasticsearch](https://github.com/taskrabbit/elasticsearch-dump)

  2. framework

    1. [austin-taylor/flare: An analytical framework for network traffic and behavioral analytics](https://github.com/austin-taylor/flare)

    2. [morningconsult/go-elasticsearch-alerts: Elasticsearch Alerting Daemon](https://github.com/morningconsult/go-elasticsearch-alerts)

    3. [medcl/elasticsearch-proxy: A lightweight elasticsearch proxy written in golang](https://github.com/medcl/elasticsearch-proxy)

    4. [Tools] EvtxToElk - a Python module for automated analysis of Windows event logs: :windows:

      https://dragos.com/blog/20180717EvtxToElk.html

  3. GEOIP <2018-06-14 Thu>

    1. ✔ DONE https://github.com/elastic/elasticsearch-dsl-py/issues/804 :GEOIP:

      • State “DONE” from [2018-06-14 Thu 13:39]

        • Index a document carrying a geo_point (the index mapping must already declare `location` as geo_point; with dynamic mapping it becomes a plain object and geo queries fail):

              curl -H "Content-Type: application/json" -XPOST localhost:9200/us-city/city/ -d '{"city": "Anchorage", "state": "AK", "location": {"lat": "61.2180556", "lon": "-149.9002778"}}'

        • https://www.elastic.co/blog/strict-content-type-checking-for-elasticsearch-rest-requests
        • http://www.elasticsearchtutorial.com/spatial-search-tutorial.html

11 kafka

  1. confluentinc/ksql: KSQL - the Streaming SQL Engine for Apache Kafka

  2. ✰ Important Setting up a ZooKeeper / Kafka cluster, with Kafka cluster encryption and authentication and the matching client-side encryption/authentication configuration

  3. Supervisor/supervisor: Supervisor process control system for UNIX

12 Analysis

12.1 PCAP

  1. Introduction | Awesome PCAP Tools

  2. JarryShaw/PyPCAPKit: Python multi-engine PCAP analyse kit.

12.2 Malware

  1. binary

    1. [Malware Must Die!](https://blog.malwaremustdie.org/)

  2. PDF

    1. [Analyzing PDF Malware - Part 1 | Trustwave | SpiderLabs | Trustwave](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/analyzing-pdf-malware-part-1/)

    2. [New Spear Phishing Campaign Impersonates VCs and PE Firms](https://info.phishlabs.com/blog/spear-phishing-campaign-impersonates-vcs-and-pe-firms)

    3. [Escape From PDF | Didier Stevens](https://blog.didierstevens.com/2010/03/29/escape-from-pdf/)

    4. [PDF Tools | Didier Stevens](https://blog.didierstevens.com/programs/pdf-tools/) :PDF:

12.3 Data-analysis

  1. ✰ Important Estimating Parameters1

  2. Phish

    1. [hadojae/DATA: Credential Phish Analysis and Automation](https://github.com/hadojae/DATA)

      1. [ppt] [Ph'ing Phishers](https://www.slideshare.net/secret/agq19JjVYt9M5W)

12.4 lbnl-cybersecurity/tstat-dtn-analysis: prediction tools for tstat data

12.5 mgoffin/malwarecookbook: Malware Analyst’s Cookbook stuffs

12.6 hillar/CDMCS Cyber Defence Monitoring Course Suite : Suricata, Bro, Moloch

12.7 P3t3rp4rk3r/ThreatIntelligence: Threat-Intelligence Feeds & Tools & Frameworks

12.8 SMB

  1. skelsec/aiosmb: Fully asynchronous SMB library written in pure python :SMB:

12.9 DNS

  1. DNS-Shell - An Interactive Shell Over DNS Channel :DNS:

12.10 Malware Captures — Stratosphere IPS

12.11 https://iec56w4ibovnb4wc.onion.si/Library/ [malware sample library server.]

13 thesis


13.1 1808.10742.pdf [Anomaly Detection in Cyber Network Data Using a Cyber Language Approach]

13.2 [Notice Correlation and Covert CTC Detection — Michael Dopheide & Ross Gegan - YouTube](https://www.youtube.com/watch?v=OycQ1aiNqEM&t=3s)

  1. covert.pdf [IP Covert Timing Channels]

13.3 Silk

  1. R: A Proposed Analysis and Visualization Environment for Network Security Data

13.4 HTTP

  1. DeepHTTP: Semantics-Structure Model with Attention for Anomalous HTTP Traffic Detection and Pattern Mining

  2. DECANTeR: DEteCtion of Anomalous outbouNd HTTP TRaffic by Passive Application Fingerprinting - 一只咸鱼的小努力 - CSDN blog

14 Con & Video & Documentation

14.1 Bro

  1. [#A] Ten Ways Zeek Can Help You Detect the TTPs of MITRE ATT&CK - YouTube

  2. [#A] Using Zeek/Bro To Discover Network TTPs of MITRE ATT&CK™ - YouTube

  3. Broker :Broker:

14.2 https://www.youtube.com/channel/UCpNGmljppAJbTIA5Msms1Pw/videos <2018-11-24 Sat>

14.3 https://www.icir.org/robin/

  1. https://www.youtube.com/watch?v=dIFcE%5FawVjc

14.4 Hunting book [APT]

  1. https://issuu.com/klemenmolk/docs/25%5Fmakeuseof%5Fw%5Fpacb71%5Fmy2um8lj35gmh

  2. SOMEDAY https://github.com/beahunt3r/Windows-Hunting <2018-06-13 Wed> :READ:

14.5 Botconf

  1. Olivier Bilodeau https://www.youtube.com/watch?v=iW-WmhPu6p4

14.6 Sans

  1. [Botnet Tracking Tools ] [] https://www.youtube.com/watch?v=iW-WmhPu6p4

14.7 WAITING Traffic filtering at scale on Linux

  • State “WAITING” from [2018-11-06 Tue 12:44]

14.8 bro-cheatsheets/Corelight-Bro-Cheatsheets-2.6.pdf at master · corelight/bro-cheatsheets

14.9 bro-2.4.1.pdf Document:

14.10 owlhdocumentation Documentation

14.11 logisland Documentation

14.12 Detection of HTTPS Malware Traffic :Document:

14.13 d1s1r4.pdf PPT:

14.14 CoreFlow: Enriching Bro security events using network traffic monitoring data - Semantic Scholar

15 Repo

15.1 Performance monitoring

  1. netdata/netdata Real-time performance monitoring, done right! https://my-netdata.io/ :monitoring:

15.2 https://scrapy.org/

15.3 JohnLaTwC (John Lambert) [Distinguished Engineer and General Manager, Microsoft Threat Intelligence Center]

15.4 OWASP/Amass: In-Depth DNS Enumeration and Network Mapping

15.5 1N3 (xer0dayz)

16 Logs query

16.1 grafana/loki: Like Prometheus, but for logs. –>grafana

  1. lucascebrero/graylogReport

17 Data visualization

⚔ STARTED 17.1 grafana/grafana: The tool for beautiful monitoring and metric analytics & dashboards for Graphite, InfluxDB & Prometheus & More

  1. VeeamHub/grafana: Grafana dashboard for Veeam solutions

17.2 vega/vega: A visualization grammar.

17.3 Sampler - A Tool For Shell Commands Execution, Visualization And Alerting (Configured With A Simple YAML File)

17.4 RedHunt OS v2 - Virtual Machine For Adversary Emulation And Threat Hunting

18 pwn

18.1 SMBv3 Null Pointer Dereference vulnerability (CVE-2018-0833)

19 Owncloud

    # upload the notes file over WebDAV; -u user:pass on the command line ends up in shell
    # history and in `ps` output, so prefer `curl -n` with the credentials in ~/.netrc
    curl -u ghost:own@321 -T "/Users/gtrun/org-notes/NsmOrg.org" "http://192.168.1.100/owncloud/remote.php/webdav/org-notes/NsmOrg.org"

    # same caveat for sshpass -p; an ssh key avoids the password entirely
    sshpass -p "123" scp /Users/gtrun/org-notes/NsmOrg.org 192.168.1.9:~/org-notes/.

    # replay a test trace through a file-analyzer script (paths from the Zeek test suite)
    sudo bro -r tests/traces/http-get-large-incomplete.pcap tests/scripts/file-analyzer.bro

20 OSINT

20.1 Feed

  1. [#A] firehol/blocklist-ipsets: ipsets dynamically updated with firehol’s update-ipsets.sh script :project:

20.2 jofpin/trape People tracker on the Internet OSINT analysis and research tool by Jose Pino

20.3 laramies/theHarvester: E-mails, subdomains and names Harvester - OSINT* dencrypt

20.4 https://digitalcommons.newhaven.edu/cgi/viewcontent.cgi?article=1049&context=electricalcomputerengineering-facpubs [WhatsApp]

20.5 https://commons.erau.edu/cgi/viewcontent.cgi?article=1477&context=jdfsl

20.6 streaak/keyhacks: Keyhacks is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they’re valid. [Key]

21 MITRE

21.1 repo

  1. MITRE Cybersecurity

21.2 chopshop - command line interface to ChopShop — ChopShop 4.0 documentation

22 sandbox

22.1 cuckoosandbox/cuckoo: Cuckoo Sandbox is an automated dynamic malware analysis system

23 Data

23.1 DATABASE

  1. https://towardsdatascience.com/sqlalchemy-python-tutorial-79a577141a91

23.2 Repo

  1. Kitware, Inc.

  2. Cisco DevNet

    1. [YANG data - Google Search](https://www.google.com/search?q=YANG+data&oq=YANG+data&aqs=chrome..69i57&sourceid=chrome&ie=UTF-8)

  3. SANS 2018 Holiday Hack Writeup

  4. timetology

23.3 APP

  1. GrigorDimitrov/TwitterSentimentAnalysis [twitter]

24 memo

24.1 Search · bro http.log language:python

24.2 Ridter/IntranetPenetrationTips: Some intranet penetration tips compiled in early 2018; later updates were slow, so they were made public in the hope of maintaining them together with others

24.3 bagder (Daniel Stenberg)

25 SOC Platforms

25.1 OpenCTI-Platform/opencti: Open Cyber Threat Intelligence Platform

25.2 TheHive-Project/TheHive TheHive a Scalable, Open Source and Free Security Incident Response Platform

25.3 MISP - Malware Information Sharing Platform and Threat Sharing - The Open Source Threat Intelligence Platform

25.4 mitre/cti: Cyber Threat Intelligence Repository expressed in STIX 2.0 :ATT&CK:

✘ CANCELED 25.5 crits/crits: CRITs - Collaborative Research Into Threats

CLOSED: [2019-09-07 Sat 17:45]

  • State “✘ CANCELED” from [2019-09-07 Sat 17:45]

26 Cache

26.1 sroberts/awesome-iocs: A collection of sources of indicators of compromise.

26.2 Topic: dfir

26.3 MrAnde7son/LikeABro at e8451ba95ac5fa910a18268255a59dba78352bea

26.4 The impact of using large training data set KDD99 on classification accuracy {PeerJ Preprints}

✰ Important 26.5 My Software | Didier Stevens