From 6d0bb45fe41381dfcb1cbf858436ea702656219d Mon Sep 17 00:00:00 2001
From: TKE
Date: Mon, 4 May 2020 15:08:54 +0200
Subject: [PATCH 1/4] Convert probabilty.py to python3
---
 probability.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/probability.py b/probability.py
index c2cd9cc..f846027 100644
--- a/probability.py
+++ b/probability.py
@@ -15,13 +15,13 @@ def main():
 employees.append(0)
 count = 0
- for i in xrange(1, 1000001):
+ for i in range(1, 1000001):
 temp = employees[:]
 shuffle(temp)
 if Counter(temp[0:11])[1] == 4:
 count += 1
- print count / 1000000.
+ print(count / 1000000.)
 if __name__ == '__main__':
From 4dbcc5ef76256f3f53ba35d208afa4a798d1db16 Mon Sep 17 00:00:00 2001
From: TKE
Date: Mon, 4 May 2020 15:10:10 +0200
Subject: [PATCH 2/4] Remove imapy.py from repo
imapy.py was moved to its own repo for future development
---
 imapy.py | 194 ------------------------------------------------------
 1 file changed, 194 deletions(-)
 delete mode 100755 imapy.py
diff --git a/imapy.py b/imapy.py
deleted file mode 100755
index b466058..0000000
--- a/imapy.py
+++ /dev/null
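Review bot: The converted loop `for i in range(1, 1000001):` never uses `i`, and with Python 3's true division the float literal on the print line is no longer needed; `for _ in range(1000000):` and `print(count / 1000000)` state the one-million-trial intent directly and produce the same result. Copying and shuffling the whole list on every iteration is the original behaviour and not something this commit needs to change. main() begins outside the hunk.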
@@ -1,194 +0,0 @@
-import imaplib, email
-from pprint import pprint as pp
-from email.header import decode_header
-import re
-import os
-import time
-from configparser import ConfigParser
-from cursesmenu import *
-from cursesmenu.items import *
-import dialog
-config_file_path=os.path.join(os.path.expanduser('~'),".imap_virus_marvin.ini")
-dialog=dialog.Dialog()
-dialog.set_background_title("IMAP-Mail-Renamer")
-marvin_pattern=re.compile('MARVIN\d{14}_')
-marvin_candidates=re.compile('(?:[mM][aA][rR][vV][iI][nN].{0,3})?(\d{14})')
-
-def edit(num):
- pass
-
-def get_config():
- if not os.path.isfile(config_file_path):
- config_instance = ConfigParser()
- config_instance["CREDENTIALS"] = {
- "username": "virus-user",
- "password": "whambamBW"
- }
-
- config_instance["SERVER"] = {
- "host": "mail.server.dom",
- "port": 993,
- "mailbox": "INBOX"
- }
- with open(config_file_path, 'w') as conf:
- config_instance.write(conf)
- print("No Config found!")
- print("Example Config written to {}".format(config_file_path))
- print("Please Edit and Repeat")
- exit(1)
- else:
- config_instance = ConfigParser()
- config_instance.read(config_file_path)
- if config_instance["CREDENTIALS"]["password"]=="whambamBW":
- print("Looks like you haven't changed the default config")
- print("Example Config written to {}".format(config_file_path))
- print("Please Edit and Repeat")
- exit(1)
- else:
- return config_instance
-
-def get_header(eml, string):
- a=email.header.decode_header(eml[string])
- ergebnisse=[]
- for eintrag in a:
- ergebnisse.append(force_decode(eintrag[0]))
- return ergebnisse
-
-
-
-def force_decode(string, codecs=['utf8', 'cp1252']):
- if isinstance(string, str):
- return string
- for i in codecs:
- try:
- return string.decode(i)
- except UnicodeDecodeError:
- pass
- raise Exception("Could not decode")
-
-def decode(data):
- if isinstance(data,bytes):
- data=force_decode(data)
- tmp=decode_header(data)
- res=""
- for part in tmp:
- if part[1]==None:
- if isinstance(part[0],str):
- res+= part[0]
- else:
- try:
- res+= part[0].decode('ascii')
- except:
- print(part[0])
- else:
- res+= part[0].decode(part[1])
- return "".join(res.split())
-
-def retrieve(num,field):
- global im
- res, data = im.fetch(num,"BODY.PEEK[HEADER.FIELDS ({})]".format(field))
- x,y = data[0]
- y=force_decode(y)
- y=y.split(":",1)
- y=y[1]
- return decode(y)
-
-def get_subject(num):
- global im
- # res, data2 = im.fetch(num,'BODY.PEEK[HEADER.FIELDS (FROM)]')
- y=retrieve(num,"SUBJECT")
- z=retrieve(num,"FROM")
- return "{} von <{}>".format(y,z)
-
-def get_mail(num):
- global im
- res, data = im.fetch(num,'(RFC822)')
- try:
- eml=email.message_from_bytes(data[0][1])
- return eml
- except:
- return None
-
-def delete_mail(num):
- global im
- im.store(num, '+FLAGS', '\\Deleted')
- im.expunge()
-
-def search_mails(key,value):
- global im
- _, nums = im.search(None,key,'"{}"'.format(value))
- return nums[0].split()
-
-def print_mail(num):
- eml=get_mail(num)
- dialogit(str(eml))
-
-def scan_for_marvins(eml):
- texttosearch="\n".join(get_header(eml,'Subject'))
- for part in eml.walk():
- if 'text/plain' == part.get_content_type():
- texttosearch+="\n"+force_decode(part.get_payload(decode=True))
- results=marvin_candidates.findall(texttosearch)
- ergebnisse=[]
- for x in results:
- if x not in ergebnisse:
- ergebnisse.append(x)
- return ergebnisse
-
-def edit_mail(num):
- global im
- global config
- eml=get_mail(num)
- old_subject=get_header(eml,'Subject')[0]
- results=scan_for_marvins(eml)
- suggesttext="Found {} possible marvins".format(len(results))
- suggesttext+="\n"
- suggesttext+="\n".join(results)
- if len(results)>0:
- suggested_subject="MARVIN#{}_{}".format(results[0],old_subject)
- else:
- suggested_subject="MARVIN#2020xxxx75xxxx_{}".format(old_subject)
- action,new_subject=dialog.inputbox(suggesttext,init=suggested_subject,height=30,width=110)
- print(action)
- time.sleep(2)
- if action == "ok":
- eml.replace_header('Subject',new_subject)
- c,d = im.append('INBOX','', imaplib.Time2Internaldate(time.time()),str(eml).encode('utf-8'))
- if "OK" in c:
- delete_mail(num)
-
-def quit():
- exit(0)
-
-def dialogit(text):
- dialog.scrollbox(text,height=30,width=110)
-
-def make_choice():
- global config
- global im
- config=get_config()
- im=imaplib.IMAP4_SSL(config["SERVER"]["host"],config["SERVER"]["port"])
- im.login(config["CREDENTIALS"]["username"],config["CREDENTIALS"]["password"])
- im.select(config["SERVER"]["mailbox"])
-
- # Create the menu
- menu = CursesMenu("Mails - INBOX", "0 - 10")
- typ, nums = im.search(None, 'ALL')
- for n in nums[0].split():
- subject_line=get_subject(n)
- if not marvin_pattern.match(subject_line):
- function_item = FunctionItem(subject_line, edit_mail , [n] ,should_exit=True)
- menu.append_item(function_item)
-
- menu.show()
- im.close()
- im.logout()
-
-def main():
- make_choice()
-
-
-
-
-if __name__ == "__main__":
- main()
From a35762112de4f99e497854933be081016cd5b23d Mon Sep 17 00:00:00 2001
From: TKE
Date: Mon, 4 May 2020 15:13:35 +0200
Subject: [PATCH 3/4] Update shell-aliases to include bindiff and improbe avscan
---
 shell_aliases | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/shell_aliases b/shell_aliases
index 5335122..cff7c2c 100644
--- a/shell_aliases
+++ b/shell_aliases
@@ -24,6 +24,7 @@ alias remnux_thug='sudo docker run --rm -it --dns=192.168.130.1 -v /var/log/dock
 alias remnux_viper='docker run --rm -it --dns=192.168.130.1 -v ${workdir-`pwd`}:/home/nonroot/workdir remnux/viper bash'
 alias remnux_vol='docker run --rm -it -v ${workdir-`pwd`}:/home/nonroot/memdumps remnux/volatility bash'
 alias rot13='tr "abcdefghijklmnopqrstuvwxyz" "zyxwvutsrqponmlkjihgfedcba"'
-function avscan(){ av="${1:-kaspersky}"; [[ "${av}" -eq "update" ]] && (docker pull tabledevil/kaspersky;docker pull tabledevil/sep;docker pull tabledevil/clamav) || dritpwro "tabledevil/${av}" scan ;}
+function bindiff() { cmp -l "${1}" "${2}" | gawk '{printf "%s,%02X,%02X\n",$1,strtonum(0$2),strtonum(0$3) }' ; }
+function avscan(){ av="${1:-kaspersky}" ; if [ "${av}" == "update" ] ; then ( docker pull tabledevil/kaspersky ; docker pull tabledevil/sep ; docker pull tabledevil/clamav) ; elif [[ $# -eq 2 ]] ; then dritpwro "tabledevil/${av}" "${2}" ; else dritpwro --network=none "tabledevil/${av}" scan ; fi ; }
 function dockerfa() { [[ $# -eq 0 ]] && wpd=$(readlink -f . ) || wpd=$(readlink -f "${1}"); docker run -it --rm -v "${wpd}":/data tabledevil/file-analysis;}
 function docker_killall() { docker rm $(docker stop $(docker ps -a -q --filter ancestor="${1}" --format="{{.ID}}")) ; }
From ab998caced5b25ca9c935c6426803a1078263de7 Mon Sep 17 00:00:00 2001
From: TKE
Date: Mon, 4 May 2020 15:17:48 +0200
Subject: [PATCH 4/4] Add .visidatarc template containing symantec-log functions
---
 visidatarc | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)
 create mode 100644 visidatarc
diff --git a/visidatarc b/visidatarc
new file mode 100644
index 0000000..700a180
--- /dev/null
+++ b/visidatarc
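Review bot: In the new avscan the two-argument branch `dritpwro "tabledevil/${av}" "${2}"` runs the AV container with default networking, while the plain-scan branch passes `--network=none`, so a sample scanned through a custom command is not network-isolated the way a plain scan is. If that is deliberate (a command that needs connectivity, such as a definitions update inside the container), a short comment on that line saying so would stop it being "fixed" later; otherwise pass `--network=none` on that branch too. The same function also mixes `[ "${av}" == "update" ]` with `[[ $# -eq 2 ]]`; `[[ "${av}" == "update" ]]` keeps it consistent with the neighbouring dockerfa definition. dritpwro is not defined in this hunk, so I am assuming it forwards its arguments to docker run.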
@@ -0,0 +1,61 @@
+#copy or link this file to ~/.visidatarc
+
+from datetime import datetime
+
+#sym-ts = hexNcoded NT-Timestamp = Nanoseconds since 01.01.1601
+def sym_time(val):
+ a=int(val,16) #decode hex
+ b=(a / 10000000) - 11644473600 #convert to seconds and subtract offset to 01.01.1970
+ return datetime.fromtimestamp(b)
+
+def sym_id(val):
+ event_ids={
+ "2" : "Scan Stopped",
+ "3" : "Scan Started",
+ "4" : "Definition File Sent To Server",
+ "5" : "Virus Found",
+ "6" : "Scan Omission",
+ "7" : "Definition File Loaded",
+ "10" : "Checksum",
+ "11" : "Auto-Protect",
+ "12" : "Configuration Changed",
+ "13" : "Symantec AntiVirus Shutdown",
+ "14" : "Symantec AntiVirus Startup",
+ "16" : "Definition File Download",
+ "17" : "Scan Action Auto-Changed",
+ "18" : "Sent To Quarantine Server",
+ "19" : "Delivered To Symantec Security Response",
+ "20" : "Backup Restore Error",
+ "21" : "Scan Aborted",
+ "22" : "Load Error",
+ "23" : "Symantec AntiVirus Auto-Protect Loaded",
+ "24" : "Symantec AntiVirus Auto-Protect Unloaded",
+ "26" : "Scan Delayed",
+ "27" : "Scan Re-started",
+ "34" : "Log Forwarding Error",
+ "39" : "Definitions Rollback",
+ "40" : "Definitions Unprotected",
+ "41" : "Auto-Protect Error",
+ "42" : "Configuration Error",
+ "45" : "SymProtect Action",
+ "46" : "Detection Start",
+ "47" : "Detection Action",
+ "48" : "Pending Remediation Action",
+ "49" : "Failed Remediation Action",
+ "50" : "Successful Remediation Action",
+ "51" : "Detection Finish",
+ "65" : "Scan Stopped",
+ "66" : "Scan Started",
+ "71" : "Threat Now Whitelisted",
+ "72" : "Interesting Process Found Start",
+ "73" : "SONAR engine load error",
+ "74" : "SONAR definitions load error",
+ "75" : "Interesting Process Found Finish",
+ "76" : "SONAR operating system not supported",
+ "77" : "SONAR Detected Threat Now Known",
+ "78" : "SONAR engine is disabled",
+ "79" : "SONAR engine is enabled",
+ "80" : "Definition load failed",
+ "81" : "Cache server error",
+ "82" : "Reputation check timed out"}
+ return event_ids[val]
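Review bot: sym_time returns `datetime.fromtimestamp(b)`, which interprets the converted epoch seconds in the local time zone of whoever runs visidata, so the same log row renders differently from one analyst machine to the next; `datetime.fromtimestamp(b, tz=timezone.utc)` together with `from datetime import datetime, timezone` gives a fixed, comparable value. The comment above the function calls the value nanoseconds since 1601, but the division by 10000000 treats it as 100-nanosecond intervals, so the comment should read `#sym-ts = hex-encoded NT timestamp = 100-ns intervals since 01.01.1601`. In sym_id the event_ids table is rebuilt on every call and `event_ids[val]` raises KeyError for any id missing from the table; hoisting the table to a module-level constant and returning `event_ids.get(val, val)` keeps unknown ids visible in the column instead of erroring it.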