- Zeek:
- https://www.zeek.org/download/index.html
- SEC:
- http://simple-evcorr.github.io/
- Sendemail:
- https://github.com/mogaal/sendemail
#####sec#####

startup command:
/usr/local/bin/sec --conf=/etc/sec.conf --input=/<pathtozeek>/logs/current/dce_rpc.log --tail --detach

sec.conf:
# whitelist: a Single rule with action=none and the default continue=DontCont
# consumes matching lines, so the recon rule below never sees them.
# Replace ip1|ip2|ip3 with real addresses; escape the dots and anchor them
# (e.g. \b10\.0\.0\.5\b), otherwise 10.0.0.5 also matches 10.0.0.50, and the
# pattern matches whichever side of the connection carries the address.
type = Single
ptype = RegExp
pattern = ip1|ip2|ip3
desc = ignores
action = none

# recon: alert on DCE/RPC operations used for user, session, host and service
# enumeration. In the action, $0 is the whole matched log line and %s is the
# rule's desc. With thresh=1 and a fixed desc there is one correlation
# operation for all sources, so at most one mail is sent per 60-second window.
type = SingleWithThreshold
ptype = RegExp
pattern = SamrGetMembersInAlias|NetrSessionEnum|ChangeServiceConfig2A|NetrWkstaUserEnum|BaseRegQueryInfoKey|OpenUsers
desc = Recon
action = pipe '%s' /usr/local/bin/sendEmail -o tls=no -f from@example.com -t to@example.com -m "$0 " -u "Possible Internal Recon Attempt" -s mailhost
window = 60
thresh = 1
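As an added example (not code from the paste, nor from Zeek, SEC or sendEmail), the Python script below reproduces what the two sec.conf rules do, run over a few constructed dce_rpc.log lines: it parses Zeek's tab-separated format using the #fields header, drops whitelisted hosts, matches the same recon operation list, and rate-limits alerts with a simplified version of SingleWithThreshold's window/thresh semantics (a window that starts at the first match, one action per window). The addresses, timestamps and connection uids are constructed from RFC 5737 ranges, the whitelist entries stand in for the paste's ip1|ip2|ip3, and the `key_field` parameter is my own addition: the paste keys on the fixed desc "Recon", so this goes beyond the page by also showing one window per source host.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Stand-ins for the paste's "ip1|ip2|ip3": constructed RFC 5737 addresses,
# dots escaped and anchored so 192.0.2.1 does not also match 192.0.2.10.
WHITELIST_RE = re.compile(r"^(?:192\.0\.2\.10|192\.0\.2\.11)$")
# Same operation list as the recon rule in sec.conf.
RECON_RE = re.compile(
    r"SamrGetMembersInAlias|NetrSessionEnum|ChangeServiceConfig2A"
    r"|NetrWkstaUserEnum|BaseRegQueryInfoKey|OpenUsers"
)
WINDOW = 60.0  # sec.conf: window = 60
THRESH = 1     # sec.conf: thresh = 1


def parse_zeek_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse Zeek's tab-separated ASCII log; column names come from the #fields header."""
    fields: Optional[List[str]] = None
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):  # #separator, #types, #open, #close ...
            continue
        if fields is None:
            raise ValueError("data line seen before #fields header")
        records.append(dict(zip(fields, line.split("\t"))))
    return records


@dataclass
class _Op:
    start: float
    count: int = 0
    fired: bool = False


class SingleWithThreshold:
    """Simplified SEC SingleWithThreshold: per key, count matches inside a window
    that starts at the first match; fire once when the count reaches thresh,
    then stay silent until the window expires and a new one starts."""

    def __init__(self, window: float, thresh: int) -> None:
        self.window = window
        self.thresh = thresh
        self._ops: Dict[str, _Op] = {}

    def feed(self, key: str, ts: float) -> bool:
        op = self._ops.get(key)
        if op is None or ts - op.start >= self.window:
            op = _Op(start=ts)
            self._ops[key] = op
        if op.fired:
            return False
        op.count += 1
        if op.count >= self.thresh:
            op.fired = True
            return True
        return False


def detect_recon(log_lines: Iterable[str], key_field: Optional[str] = None) -> List[str]:
    """Run the two sec.conf rules over dce_rpc.log lines and return the alert texts
    that would be mailed. key_field=None mirrors the paste (fixed desc "Recon", one
    operation for all hosts); key_field="id.orig_h" keeps a window per source host."""
    corr = SingleWithThreshold(WINDOW, THRESH)
    alerts: List[str] = []
    for rec in parse_zeek_log(log_lines):
        # Whitelist rule: the line is consumed and never reaches the recon rule.
        if WHITELIST_RE.match(rec["id.orig_h"]) or WHITELIST_RE.match(rec["id.resp_h"]):
            continue
        if not RECON_RE.search(rec["operation"]):
            continue
        key = rec[key_field] if key_field else "Recon"
        if corr.feed(key, float(rec["ts"])):
            alerts.append(
                f"Possible Internal Recon Attempt: {rec['id.orig_h']} -> "
                f"{rec['id.resp_h']} {rec['endpoint']}::{rec['operation']}"
            )
    return alerts


# Constructed dce_rpc.log excerpt (not real traffic); layout follows Zeek's ASCII writer.
SAMPLE_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\trtt\tnamed_pipe\tendpoint\toperation\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tinterval\tstring\tstring\tstring\n"
    "1700000000.100\tC1\t192.0.2.10\t49152\t198.51.100.5\t445\t0.001\t\\\\pipe\\samr\tsamr\tSamrGetMembersInAlias\n"
    "1700000001.200\tC2\t203.0.113.7\t49153\t198.51.100.5\t445\t0.002\t\\\\pipe\\srvsvc\tsrvsvc\tNetrSessionEnum\n"
    "1700000002.300\tC3\t203.0.113.8\t49154\t198.51.100.6\t445\t0.001\t\\\\pipe\\wkssvc\twkssvc\tNetrWkstaUserEnum\n"
    "1700000003.400\tC4\t203.0.113.8\t49155\t198.51.100.5\t445\t0.001\t\\\\pipe\\srvsvc\tsrvsvc\tNetrShareEnum\n"
    "1700000070.500\tC5\t203.0.113.7\t49156\t198.51.100.7\t445\t0.001\t\\\\pipe\\winreg\twinreg\tBaseRegQueryInfoKey\n"
)

if __name__ == "__main__":
    for alert in detect_recon(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run as-is, the first line is dropped by the whitelist, NetrShareEnum is not in the operation list, and the two NetrSessionEnum/NetrWkstaUserEnum hits one second apart collapse into one alert, so two alerts print (the second after the 60-second window has passed). With `key_field="id.orig_h"` the two source hosts get separate windows and three alerts are produced, which is the trade-off to weigh against mail volume when choosing the desc in the real rule.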