├── Kids_Coding_Security_Resource ├── OSSEC_AppLocker_Local_Rule.xml ├── README.md ├── RTIR-phish-template.py ├── SANSFIRE-2018-hive.pptx ├── basic_evtsys.cfg ├── basic_nxlog.cfg ├── bro-phish.sh ├── create-linux-ir-cdrom.sh ├── home.cowrie.start.sh ├── honeypot-daily.sh ├── pi-hole-docker-compose.yaml └── status-check.sh /Kids_Coding_Security_Resource: -------------------------------------------------------------------------------- 1 | Name,Age,Description,Free/Pay,url 2 | Scratch jr,4-7,Simple iOS/Android app to teach coding basics to young kids,free,http://pbskids.org/learn/scratchjr/ 3 | Coji,4-7,Robot that uses an iOS/Android app to teach you programming,pay,http://wowwee.com/coji 4 | Scratch,7-10, Web site to teach coding to kids,free,https://scratch.mit.edu/ 5 | Hour of code,7-12,Web site that teaches kids coding basics in 1 hour chunks,free,https://code.org/learn 6 | Make with code,7-10,Web site that teaches kids to code. Slanted to girls, but great for all,free, Madewithcode.com 7 | Coding Games in Scratch,7-10,Book by (Jon Woodcock),Pay,https://www.dk.com/us/9781465439352-coding-games-in-scratch/ 8 | Scratch Coding Cards,7-10, Cards that teach you how to code in scratch in little bites,pay,https://www.nostarch.com/scratchcards 9 | Code Your Own Games!: 20 Games to Create with Scratch,7-12, Make games you can play by following the book,pay,https://www.scholastic.com/teachers/books/20-games-to-create-with-scratch-by-max-wainewright/ 10 | Minecraft Modding,7-18,Learn to make mode using code blocks and video for each objectives,pay,http://learntomod.com 11 | Snap Circuits,7-12,electronic building sets that snap parts together,pay,http://www.snapcircuits.net/ 12 | Makeblock,8-16,Arduino kit for electronic projects. 
Has plugins for scratch for coding robots,pay,http://www.makeblock.com/ 13 | -------------------------------------------------------------------------------- /OSSEC_AppLocker_Local_Rule.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 18101 5 | ^8002 6 | AppLocker allowed a program to execute. 7 | 8 | 9 | 22 | 18101 23 | ^8005 24 | AppLocker allowed an MSI or script to execute. 25 | 26 | 27 | 40 | 18103 41 | ^8020 42 | Packaged app allowed. 43 | 44 | 45 | 58 | 18103 59 | ^8023 60 | Packaged app installation allowed. 61 | 62 | 63 | 23 | ' 24 | 'Details can be found in the readme file at the following location: 25 | 'https://code.google.com/p/eventlog-to-syslog/downloads/list 26 | '**********************:************************** 27 | 'XPath:Application: 28 | 'XPath:Security: 29 | 'XPath:Setup: 30 | 'XPath:System: 31 | XPath:Application: 32 | XPath:Application: 33 | XPath:Microsoft-Windows-AppLocker/EXE and DLL: 34 | XPath:Microsoft-Windows-AppLocker/MSI and Script: 35 | XPath:Application: 36 | XPath:Microsoft-Windows-Windows Defender/Operational: 37 | XPath:Security: 38 | -------------------------------------------------------------------------------- /basic_nxlog.cfg: -------------------------------------------------------------------------------- 1 | ## This is a sample configuration file. See the nxlog reference manual about the 2 | ## configuration options. It should be installed locally and is also available 3 | ## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html 4 | 5 | ## Please set the ROOT to the folder your nxlog was installed into, 6 | ## otherwise it will not start. 
7 | #CHANGE THE HOST FROM LOCALHOST TO YOUR SYSTLOG IP 8 | 9 | #define ROOT C:\Program Files\nxlog 10 | define ROOT C:\Program Files (x86)\nxlog 11 | 12 | Moduledir %ROOT%\modules 13 | CacheDir %ROOT%\data 14 | Pidfile %ROOT%\data\nxlog.pid 15 | SpoolDir %ROOT%\data 16 | LogFile %ROOT%\data\nxlog.log 17 | 18 | 19 | 20 | Module xm_syslog 21 | 22 | 23 | 24 | 25 | Module im_msvistalog 26 | # For windows 2003 and earlier use the following: 27 | # Module im_mseventlog 28 | Query \ 29 | \ 30 | # \ 31 | # \ 32 | \ 33 | \ 34 | \ 35 | \ 36 | \ 37 | \ 38 | \ 39 | \ 40 | \ 41 | 42 | 43 | 44 | 45 | Module om_udp 46 | Host localhost 47 | Port 514 48 | Exec to_syslog_ietf(); 49 | 50 | 51 | 52 | 53 | 54 | Path in => out 55 | 56 | 57 | -------------------------------------------------------------------------------- /bro-phish.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | #Created by Tom Webb tw3bb@gmail.com 3 | #Version 1.1 4 | #This assumes you are using Security Onion with the bro logs folder having subfolders with date line YYYY-MM-DD 5 | 6 | ####CONFIG SECTION 7 | brolog=/nsm/sensor_data/itso-sen-1/bro/itso-sen-1-eth4 8 | WORKINGDIR=$(/bin/mktemp -d) 9 | STATS_LOG=/var/log/phish-stats.log 10 | ##### 11 | usage () { 12 | 13 | echo "This scripts automates metrics for a phishing campagin using BRO" 14 | echo "bro-phish subject sender-email url YYYY-MM-DD (2015-10-12)" 15 | echo "example >bro-phish \"mailbox full\" bob@aol.com http://click-me.now.ef/wp-content/phish.php 2015-10-13 " 16 | } 17 | 18 | 19 | if [ $# -le 3 ] 20 | then 21 | usage 22 | exit 1 23 | fi 24 | 25 | subject=$1 26 | sender=$2 27 | url=$3 28 | date=$4 29 | 30 | #Get the stats for how many emails were sent 31 | zcat $brolog/$date/smtp*|fgrep -w "$subject" |fgrep -w "$sender" >$WORKINGDIR/email 32 | total_mail=`wc -l $WORKINGDIR/email |cut -d ' ' -f1` 33 | 34 | if [ "$total_mail" -eq 0 ]; then 35 | 36 | echo "No Emails found" 37 | rm -rf $WORKINGDIR 38 | 
exit 1 39 | else 40 | email_responses=`fgrep -w "RE: $subject" $WORKINGDIR/email |wc -l` 41 | zcat $brolog/$date/http* |fgrep -w "$url" >$WORKINGDIR/web-traffic 42 | web_visits=`cat $WORKINGDIR/web-traffic|cut -d$'\t' -f3| sort |uniq |wc -l` 43 | post_web_visits=`fgrep POST $WORKINGDIR/web-traffic|wc -l` 44 | malicious_ip=`cat $WORKINGDIR/email| cut -d$'\t' -f3| sort |uniq|sed ':a;N;$!ba;s/\n/, /g'` 45 | mail_agent=`cat $WORKINGDIR/email|cut -d$'\t' -f23 | sort |uniq` 46 | #helo_from=`cat $WORKINGDIR/email|cut -d$'\t' -f8 | sort |uniq` 47 | echo 48 | echo "#######Summary Details#####" 49 | echo "Total number of emails:$total_mail" 50 | echo "Possible replies to mail:$email_responses" 51 | echo "Total numbers of visitors to site:$web_visits" 52 | echo "Number of POSTS to the website:$post_web_visits" 53 | echo 54 | 55 | echo '#######DETAILS#####' 56 | echo "Malicious IP mail sent from:" $malicious_ip 57 | echo "Senders email address: $sender" 58 | echo "Senders mail agent" $mail_agent 59 | echo "Mail helo from" $helo_from 60 | 61 | 62 | echo "IPs that accessed Phishing Site:" 63 | if [ $web_visits -ne 0 ]; then 64 | ip_access=`cat $WORKINGDIR/web-traffic|cut -d$'\t' -f3| sort |uniq |sed ':a;N;$!ba;s/\n/, /g'` 65 | echo $ip_access 66 | echo 67 | else 68 | echo "NONE" 69 | echo 70 | fi 71 | echo "IPs that sent POSTS to phishing Site:" 72 | if [ $post_web_visits -ne 0 ]; then 73 | vic_ip=`fgrep POST $WORKINGDIR/web-traffic|cut -d$'\t' -f3| sort |uniq|sed ':a;N;$!ba;s/\n/, /g'` 74 | echo $vic_ip 75 | else 76 | echo "NONE" 77 | echo 78 | fi 79 | 80 | #Create log 81 | echo "$date|$sender|$subject|$total_mail|$email_responses|$web_visits|$post_web_visits|$malicious_ip|$mail_agent|$vic_ip" >>$STATS_LOG 82 | 83 | fi 84 | rm -rf $WORKINGDIR 85 | -------------------------------------------------------------------------------- /create-linux-ir-cdrom.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | #Created by:Tom Webb 3 | 
#Version 0.2 4 | #usage linux-ir-create.sh filelist 5 | 6 | #Error if no file given 7 | if [ $# == 0 ]; then 8 | echo -e "Usage: `basename $0` /path/to/file_list" 9 | exit 1 10 | fi 11 | 12 | #Error if not sudo/root 13 | if [[ $EUID -ne 0 ]]; then 14 | echo "You must be root/sudo to run the script" 15 | exit 1; 16 | fi 17 | 18 | echo "Enter the path where you want the /bin and /lib folders to be created" 19 | read IR_LOCATION 20 | 21 | #Setup DIR PATH 22 | mkdir $IR_LOCATION/bin 23 | mkdir $IR_LOCATION/lib 24 | 25 | while read line; do 26 | 27 | FIND_BIN=`whereis -b $line|awk '{print $2}'` #Find the location of the binary file 28 | if [ -z $FIND_BIN ]; then #if results empty 29 | echo "$line is not installed or in your path" 30 | 31 | else 32 | cp $FIND_BIN $IR_LOCATION/bin/IR_$line #Copies binary file to the new directory and renames it 33 | 34 | for i in `ldd $FIND_BIN |grep '/' |cut -d '>' -f2- |cut -d '(' -f1`; #Takes the path of the bin file and looks up required libraries and removes the 1st line and set as a variable 35 | do 36 | cp $i $IR_LOCATION/lib #Copies the library file to the new IR Location for each library 37 | done 38 | fi 39 | done <$1 #Use file from command line argument 40 | -------------------------------------------------------------------------------- /home.cowrie.start.sh: -------------------------------------------------------------------------------- 1 | # Last Modified: Thu Apr 21 15:46:46 2016 2 | #include 3 | 4 | /home/cowrie/start.sh { 5 | #include 6 | #include 7 | 8 | network inet dgram, 9 | network inet stream, 10 | 11 | /bin/dash ix, 12 | /etc/host.conf r, 13 | /etc/hosts r, 14 | /etc/nsswitch.conf r, 15 | /etc/python2.7/sitecustomize.py r, 16 | /etc/ssh/moduli r, 17 | /home/cowrie/** rw, 18 | /run/resolvconf/resolv.conf r, 19 | /sbin/ldconfig rix, 20 | /sbin/ldconfig.real rix, 21 | /tmp/** a, 22 | /usr/bin/ r, 23 | /usr/bin/dirname rix, 24 | /usr/bin/python2.7 ix, 25 | /usr/bin/twistd rix, 26 | /usr/lib{,32,64}/** ra, 27 | 
/usr/local/lib/python2.7/dist-packages/ r, 28 | /var/tmp/** a, 29 | 30 | } 31 | -------------------------------------------------------------------------------- /honeypot-daily.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | #Dshield Honeypot Log Report 3 | #version .01 4 | #Tom Webb 5 | #@twsecblog 6 | today=`date +%F` 7 | today-post=`date +'%d %b %Y` 8 | 9 | #Move SQL file 10 | cp /srv/www/DB/webserver.sqlite /tmp 11 | 12 | echo 13 | echo "############" 14 | echo "Web Get Requests $today" 15 | echo "############" 16 | sqlite3 /tmp/webserver.sqlite "select datetime(date, 'unixepoch', 'localtime') AS mydate,path from requests where path != '/' and mydate like '%$today%';" 17 | 18 | echo 19 | echo 20 | echo "############" 21 | echo "Web POST Requests $today" 22 | echo "############" 23 | sqlite3 /tmp/webserver.sqlite "select date,path from postlogs where path != '/' and date like '%$today-post%';" 24 | 25 | echo 26 | echo 27 | echo "############" 28 | echo "Top USERAGENTS ALL TIME" 29 | echo "############" 30 | sqlite3 webserver.sqlite "select useragent from useragents;" |sort |uniq -c |sort -nr |head -n 20 31 | 32 | echo 33 | echo 34 | echo "############" 35 | echo "Top 20 COWRIE Usernames for $today" 36 | echo "############" 37 | cat /srv/cowrie/var/log/cowrie/cowrie.log |fgrep " auth " |cut -d ']' -f2 |awk '{print $1 "|" $4}'|sort |uniq -c |sort -nr|head -n 20 38 | 39 | echo 40 | echo 41 | echo "############" 42 | echo "Top 20 Connection Attempts for $today" 43 | echo "############" 44 | grep -o 'SRC=.*' /var/log/dshield.log |cut -d '=' -f2|cut -d ' ' -f1 |sort |uniq -c |sort -nr |head -n 20 45 | 46 | -------------------------------------------------------------------------------- /pi-hole-docker-compose.yaml: -------------------------------------------------------------------------------- 1 | #Tom Webb 2 | #12/2023 3 | #RaspberryPi Docker Config 4 | version: '3.6' 5 | services: 6 | cloudflared: 7 | 
container_name: cloudflared 8 | restart: unless-stopped 9 | image: cloudflare/cloudflared 10 | command: proxy-dns 11 | environment: 12 | - "TUNNEL_DNS_UPSTREAM=https://208.67.222.123/dns-query,https://208.67.220.123/dns-query,https://1.1.1.3/dns-query,https://149.112.112.9/dns-query" 13 | - "TUNNEL_METRICS=0.0.0.0:49312" 14 | - "TUNNEL_DNS_ADDRESS=0.0.0.0" 15 | - "TUNNEL_DNS_PORT=53" 16 | sysctls: 17 | - net.ipv4.ip_unprivileged_port_start=53 18 | networks: 19 | docker_internal: 20 | ipv4_address: 10.0.0.2 21 | pihole: 22 | container_name: pihole 23 | image: pihole/pihole:latest 24 | ports: 25 | - "53:53/tcp" 26 | - "53:53/udp" 27 | - "67:67/udp" 28 | - "80:80/tcp" 29 | environment: 30 | TZ: 'America/NewYork' 31 | WEBPASSWORD: 'password' 32 | DNS1: "10.0.0.2#53" 33 | DNS2: "no" 34 | volumes: 35 | - '/usr/local/docker/etc-pihole:/etc/pihole' 36 | - '/usr/local/docker/etc-dnsmasq.d:/etc/dnsmasq.d' 37 | cap_add: 38 | - NET_ADMIN 39 | restart: unless-stopped 40 | networks: 41 | docker_internal: 42 | ipv4_address: 10.0.0.3 43 | dns: 44 | - 10.0.0.2 45 | networks: 46 | docker_internal: 47 | ipam: 48 | config: 49 | - subnet: 10.0.0.0/24 50 | -------------------------------------------------------------------------------- /status-check.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | #version 2 3 | #Author Tom Webb @twsecblog 4 | #based off script by Pablo Delgado 5 | #This script is to be ran on the Secuirty Onion Master Server to collect information about all the servers and send a notification error. 6 | 7 | 8 | #Set who you want to be notified. Speraated by comma 9 | email_address="" 10 | 11 | # -f email of the sender(e.g. sender@test.com) -s smtp server to use (e.g. 
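# Sender address (-f) and SMTP relay (-s) for alert mail, e.g. sender@test.com
# and test.yahoo.com:25. The original left both flags without a value; fill
# these in (together with email_address above) before relying on the alerts.
sender_address=""
smtp_server=""

# Disk usage (percent of a filesystem) at or above which an alert is sent.
readonly DISK_ALERT_PERCENT=85
# Redis queue length above which an alert is sent.
readonly REDIS_QUEUE_ALERT=500000

#######################################
# Send an alert mail with the given subject.
# Globals:   email_address, sender_address, smtp_server (read)
# Arguments: $1 - mail subject
# Outputs:   diagnostics on stderr when the mail settings are incomplete
# Returns:   sendemail's status, or 1 when the settings are incomplete
# NOTE(review): TLS is disabled (-o tls=no), so subject, body and the attached
# log excerpt (host names, plugin errors) cross the wire in cleartext. Switch to
# tls=auto/tls=yes once the relay supports it.
#######################################
send_email () {
  local subject=$1
  if [[ -z "$email_address" || -z "$sender_address" || -z "$smtp_server" ]]; then
    printf 'send_email: email_address/sender_address/smtp_server not set; cannot send "%s"\n' "$subject" >&2
    return 1
  fi
  # parsed_result.txt only exists after the logstash log check; sendemail
  # aborts on a missing attachment, so attach it only when it is there.
  local -a attach=()
  [[ -f parsed_result.txt ]] && attach=(-a parsed_result.txt)
  sendemail -f "$sender_address" -s "$smtp_server" -o tls=no -u "$subject" \
    "${attach[@]}" -m "check it out" -t "$email_address"
}

#######################################
# Alert when any Elasticsearch index on any minion is RED (that index is not
# accepting data). The cmd.run string is fixed, nothing untrusted is
# interpolated into it.
# Outputs:   the matching index lines, then a verdict line
#######################################
elastic_check () {
  echo "Checking ElasticsearchServer Processes"
  if salt '*' cmd.run "curl -s 127.0.0.1:9200/_cat/indices?v" 2>/dev/null | grep -i -E ' red'; then
    echo "RED processes found"
    send_email "ALERT-Elastic Cluster has a RED index on the server"
  else
    echo
    echo "Processes are running normal !"
  fi
}

#######################################
# Alert when any filesystem on any minion is at or above DISK_ALERT_PERCENT.
# Only the Use% column of `df -h` is inspected; the header, tmpfs and cdrom
# rows are dropped. At most one mail per run, after the first offending entry.
# Bug fixed: the original fed the loop from a pipe, so it ran in a subshell;
# `disk_status=1` never reached the summary and "Disk status GOOD" was always
# printed, and `return` only left the subshell. The loop now runs in this
# shell via process substitution.
#######################################
disk_check() {
  echo "===================="
  echo
  echo "Checking disk space usage above ${DISK_ALERT_PERCENT}% on all servers"
  local disk_status=0 percent
  while read -r percent _; do
    # Skip anything that is not a plain integer (minion-name lines, "-").
    [[ "$percent" =~ ^[0-9]+$ ]] || continue
    if (( percent >= DISK_ALERT_PERCENT )); then
      send_email "ALERT-LOW DISK SPACE on a Device"
      disk_status=1
      break
    fi
  done < <(salt '*' cmd.run "df -h" 2>/dev/null \
            | awk '{print $5}' \
            | grep -vE '^Filesystem|tmpfs|cdrom|Use' \
            | sed 's/%//' \
            | awk 'NF')

  if (( disk_status == 0 )); then
    echo
    echo "Disk status GOOD"
  fi
  echo "===================="
}

#######################################
# Print the "out" event counter of logstash's monitoring API on one minion,
# or nothing if the API did not answer.
# Arguments: $1 - salt minion id
#######################################
logstash_events_out () {
  salt "$1" cmd.run "curl -s -XGET 'localhost:9600/_node/stats/events?pretty'" 2>/dev/null \
    | fgrep out | awk '{print $3}' | cut -d ',' -f1
}

#######################################
# Two logstash checks:
#  1. For every minion salt reports as up, read the events.out counter twice,
#     one second apart; an unchanged counter means logstash emits nothing.
#     NOTE(review): the original curled localhost:9600 on the master for every
#     minion, so each per-minion verdict was really the master's. The query
#     now runs on the minion through salt, which assumes the API is bound to
#     localhost:9600 there as well - confirm on a minion. An unreadable counter
#     is printed but not mailed, so minions that do not run logstash do not
#     alert on every run.
#  2. Look at the last 40 lines of the master's logstash log for plugin errors.
# Bug fixed: the "not processing logs" alert was echoed instead of sent.
#######################################
logstash_check () {
  echo
  echo "===================="
  echo "Checking logstash output"
  echo
  local salt_minion start stop
  while IFS= read -r salt_minion; do
    [[ -n "$salt_minion" ]] || continue
    start=$(logstash_events_out "$salt_minion")
    sleep 1
    stop=$(logstash_events_out "$salt_minion")
    if [[ ! "$start" =~ ^[0-9]+$ || ! "$stop" =~ ^[0-9]+$ ]]; then
      echo "error: could not read the logstash event counter from $salt_minion"
    elif (( start == stop )); then
      echo "error"
      send_email "ALERT-$salt_minion Logstash not processing logs"
    else
      echo "$salt_minion is GOOD!"
    fi
  done < <(salt-run manage.up 2>/dev/null | awk '{print $2}')

  echo
  echo "===================="

  echo "Checking logstash for error messages"
  tail -n40 /var/log/logstash/logstash.log > Status_logs.txt
  if grep -i -E 'A plugin had an unrecoverable error.' Status_logs.txt > parsed_result.txt; then
    echo "ERROR FOUND"
    send_email "ALERT-Holmes logstash error"
  else
    echo
    echo "Logs are fine !"
  fi
}

#######################################
# Alert when the logstash Redis queue cannot be read or holds more than
# REDIS_QUEUE_ALERT entries.
#######################################
redius_check() {
  echo
  echo "===================="
  local queue
  queue=$(redis-cli LLEN logstash:redis | awk '{print $1}')
  echo "Checking Redis Queue"
  if [[ ! "$queue" =~ ^[0-9]+$ ]]; then
    echo "REDIS IS REALLY MESSED UP, Queue broke"
    send_email "ALERT-Holmes Redis Queue output error"
  elif (( queue > REDIS_QUEUE_ALERT )); then
    send_email "ALERT-Holmes Redis Queue greater than ${REDIS_QUEUE_ALERT}"
  else
    echo "Redis Good Queue: $queue"
  fi
}

#######################################
# Run the whole check sequence from a private work directory.
# Globals:   tdir (written; kept global so the EXIT trap can still see it)
#######################################
main () {
  # mktemp's default template gives a longer random suffix than the original
  # /tmp/tmp.XXXX and the directory is created mode 0700.
  tdir=$(mktemp -d) || { echo "Could not create a work directory" >&2; exit 1; }
  # Clean up on every exit path, not only after a successful run.
  trap 'rm -rf -- "$tdir"' EXIT
  cd "$tdir" || exit 1

  echo
  echo "==================================== INITIATING Scripts =========================================="
  echo

  disk_check
  elastic_check
  logstash_check
  redius_check

  echo
  echo "====================================== SCRIPT SEQUENCE COMPLETE ========================================"
  echo
}

main "$@"
exit 0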