sethhall’s gists

sethhall / notepad_cache.spicy

Last active August 26, 2024 19:23

Windows Notepad Cache file parser written in Spicy.

	module Notepad;

	import spicy;

	# Count the number of invalid checksums in the file to report how many were invalid.
	global invalid_checksums: uint64 = 0;

	# This doesn't support 128bit values... only 64bit. :(
	type uLEB128 = unit {
	var xresult: uint64 = 0;

sethhall / notepad_cache.hexpat

Last active August 25, 2024 16:52

Windows Notepad Cache file parser written in the pattern language for the ImHex hex editor

	// Thanks to AbdulRhman Alfaifi's blog post that describes the format!
	// https://u0041.co/posts/articals/exploring-windows-artifacts-notepad-files/

	import type.leb128;
	import type.time;
	import type.magic;
	import std.time;

	using uLEB128 = type::uLEB128;

sethhall / stl.spicy

Created August 9, 2024 15:32

Binary STL parser in spicy

	module STL;
	import spicy;

	%byte-order = spicy::ByteOrder::Little;

	public type File = unit {
	header : bytes &size=80;
	total_facets : uint32;
	facets : Facet[self.total_facets];
	};

sethhall / internet.spicy

Created July 3, 2024 14:19

Internet protocols implemented in spicy

	## This is Johanna Amann's prototype code that is updated to work with
	## Spicy edge as of 7/2/2024.

	module internet;

	import spicy;

	type DataLinkType = enum {
	DLT_NULL = 0, # BSD loopback encapsulation
	DLT_EN10MB = 1, # Ethernet (10Mb)

sethhall / json-parse.spicy

Last active July 7, 2024 18:37

JSON parser in Spicy

	module JSON;

	import spicy;

	# This supports jsonc (json with comments)
	%skip = /[ \t\r\n](\/\/[^\n])[ \t\r\n]/;

	public type File = unit {
	values: JSONValue[];
	};

sethhall / corelight-logs.schema.json

Created February 14, 2022 14:45

Corelight Software Sensor Logs JSON Schema

	{
	"$schema": "http://json-schema.org/draft-07/schema#",
	"$id": "https://corelight.com/software-sensor.schema.json",
	"title": "Corelight Logs",
	"description": "Definition of all of the potential logs for this installation",
	"definitions": {
	"time": {"type": "string", "pattern": "[0-9]{4}-[0-1][0-9]-[0-3][0-9]T[0-2][0-9]:[0-5][0-9]:[0-5][0-9]\\.?[0-9]{0,6}Z"},
	"port": {"type": "integer", "minimum": 0, "maximum": 65535},
	"count": {"type": "integer", "minimum": 0, "maximum": 18446744073709551615},
	"int": {"type": "integer", "minimum": -9223372036854775807, "maximum": 9223372036854775807},

sethhall / bu-everywhere.zeek

Created December 15, 2020 21:00

Business Unit everywhere

	##! Add Business Unit to all logs with an "id" field.

	module BusinessUnit;

	export {
	option BusinessUnit::networks: table[subnet] of string = set();
	}

	redef record conn_id += {
	## The business unit seen as the connection originator.

sethhall / gist:b23ebe5e73c9585fbbdff3628f53b6ae

Last active December 9, 2020 03:46

A "next interval" function from Justin Azoff

	function next_interval(i: interval): interval
	{
	local now = current_time();
	local ii = double_to_count(interval_to_double(i));
	local sofar = double_to_count(time_to_double(now)) % ii;
	local togo = ii - sofar;
	local dur = double_to_interval(togo);
	return dur;
	}

sethhall / mandelbrot.zeek

Created September 17, 2020 19:51

Mandelbrot fractal set! Probably want the script compiler for this one...

	const stdout = open("/dev/stdout") &raw_output;

	const WIDTH = 80;
	const HEIGHT = 25;

	const characters = vector(" ", ".", ":", "-", "#", "o", "", ">");#, ")", #, "\|", "&", "I", "H", "%", "", "#");
	function CalculateRow(y: double, factor: double, shiftRight: double)
	{
	local output: vector of string = vector();
	local XCenter = -0.45;

sethhall / http-more-files-names.bro

Created August 23, 2018 14:35

Get some extra file names from http


	redef record HTTP::Info += {
	potential_fname: string &optional;
	};

	event http_request(c: connection, method: string, original_URI: string,
	unescaped_URI: string, version: string) &priority=5
	{
	# Get rid of uri arguments
	local path = split_string(c$http$uri, /\?/)[0];

Seth Hall sethhall