DNS Sinkhole Script updates (26 Sep 2012)
DNS Sinkhole Gold Paper (SANS GCIH)
DNS Sinkhole SANSFire Presentation (2011)
Log, Log, Log Everything Remotely (BSides Ottawa 2014)
Tips Tricks To Achieve Ludicrous Speed (RSA Global Summit 2014)
Metadata Is Like Gold, Tips Tricks To Mine It (RSA Charge 2017)
Scripting with RSA NetWitness Console and Automation Via API & SDK (RSA Charge 2019)
Note: Before using the netwitness_sdk.sh script, edit it and configure the correct IPs, user account and password. I use custom accounts for this. See the RSA Charge 2019 presentation. It requires nwsdk_csv.py.
RSA Charge 2019 Shared netwitness_sdk.sh (Update Jan 2022) & dnsmeta.sh Script with output Example
This script is used to parse Snort rules to load onto a NetWitness Packet Decoder. See the sans.edu Internet Storm Center article on how to use it, available here. Download the script parsing_snort_sid.sh here.
In order to build and load the ASN list into any decoder, follow the instructions at the beginning of the Perl script. Download the zip file which contains the XML and the Perl script to build the feed here.