Sumber Senarai Domain Hasad

Some of the more popular sinkhole lists include (in no particular order):

• www.MalwareDomains.com
• www.Malware.com.br
• www.MalwareDomainList.com
• www.MalwareURL.com
• www.SomeoneWhoCares.org
• mtc.sri.com
• www.MVPs.org
• www.UrlBlacklist.com (not free)

ref:   https://www.sans.org/blog/windows-dns-server-sinkhole-domains-tool/

ja3

 https://idsips.files.wordpress.com/2020/05/suricata-and-tls.pdf

pf_ring

In using pf_ring, we get access to a feature set that lowers the hit to CPU, in a variety of ways (pre-process, post-process, aligning threads to rings/buffers from/to the NIC and its buffers). It can do this in other ways too, with more or less, two additional feature sets, Flow Table and Zero Copy. Both of these cost money. While I walk you through installing and setting up features that enable FT, I will be staying away from a ZC build here. The FT allows you to skip over large bandwidth traffic flows, ZC uses unique features of our different methods of transmitting network traffic, and optimizes the path around the Kernel to reduce the impact of some seriously heavy data (10G+). As ZC requires very specific NICs and even though one of them is available on ESXi 6.7u3 (e1000e)

 https://www.nova-labs.net/suricata-6-with-pf_ring-on-ubuntu-18-04/

Elastic search wildcard

Elasticsearch Query DSL

{

  "query": {

    "bool": {

      "should": [

        {

          "wildcard": {

            "src_ip.keyword": "172.16.*"

          }

        },

        {

          "wildcard": {

            "src_ip.keyword": "10.*"

          }

        },

        {

          "wildcard": {

            "src_ip.keyword": "192.168.*"

          }

        }

      ],

      "minimum_should_match": 1

    }

  }

} 

SFP

SFP Port vs SFP Module 

SFP Port: slot on network device 

SFP Module: (or transceivers) to be insert in SFP Port 

SFP+  suport 10Gbps and 

QSFP+ 40Gbps 

 ref: https://www.trentonsystems.com/blog/what-is-an-sfp-port

Enable nested virtualization on ESXi

 For ESXi 5.1

Kaedah 1:

Kaedah 2: 

1. Cleanly shutdown your VIRL virtual machine
2. Open the .vmx file with a text editor like Notepad++ or Text Wrangler
3. Ensure this line is present and value set to TRUE
   • vhv.enable = "TRUE"

ref: https://learningnetwork.cisco.com/s/article/t-shoot-kvm-ok-your-cpu-does-not-support-kvm-extensions

Cara nak update data dalam Elastic

 Guna Kibana Dev's Tool

1- Create documents dalam elasticsearch

POST /coba-alfa/_doc/
{
    "id": 124,
    "name": "malware",
    "age": 26,
    "maklumat": {
        "tangan": 2,
        "warna": "Coklat",
        "tinggi": 170,
        "kepantasan": "rendah"
    }
}

2- update maklumat.kepantasan menjadi tinggi , hanya utk semua yg ada 2 maklumat.tangan

POST coba-*/_update_by_query

{

    "script" : {

      "source": "ctx._source.maklumat.kepantasan='tinggi';",

      "lang": "painless"  

    },

    "query": {

        "term" : {

            "maklumat.tangan": 2

        }

    }

}

ref: https://stackoverflow.com/questions/19563215/update-only-specific-field-value-in-elasticsearch

Rules of suricata

 good notes here

Suricata check config

list all effective config:

 suricata --dump-config

check rules in rules files:

suricata -T -S "rules/malware.rules"

notes on flow/flowbits:

https://suricata.readthedocs.io/en/latest/rules/flow-keywords.html

Nyahkod (decode) packet capture by ids

 Biasanya IDS akan simpan packet dalam bentuk base64.

Utk lihat packet dalam bentuk asal:

1) decode base64 ke format HEX (eg: https://cryptii.com/pipes/base64-to-hex)

2) Parse hex dan display dalam proper network layer (eg: https://hpd.gasmi.net/ ,  http://packetor.com/)

Eg:

https://cryptii.com/pipes/base64-to-hex

https://hpd.gasmi.net/

elastic: salin doc dari index asal ke index lain (reindex)

salin semua doc ke index baru: (destination tak semestinya belum wujud)

POST /_reindex
{
  "source": {
    "index": "twitter"
  },
  "dest": {
    "index": "new_twitter"
  }
}

salin doc tertentu ke index baru:

POST /_reindex
{
  "source": {
    "index": "twitter",
    "query": {
      "term": {
        "user": "kimchy"
      }
    }
  },
  "dest": {
    "index": "new_twitter"
  }
}

ref: 

1- https://stackoverflow.com/questions/25144034/how-to-copy-some-elasticsearch-data-to-a-new-index

2- https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-reindex.html