Safehouse AP: connected devices
{
"search": {
"request": {
"index": [
"<logstash-{now/d}>"
],
"body": {
"sort": [
{
"@timestamp": {
"order": "desc"
}
}
],
"query": {
"bool": {
"must": [
{
"term": {
"host": "192.168.0.21"
}
},
{
"match": {
"message": "WPA"
}
},
{
"query_string": {
"query": "message:\"10:f1:f2:85:90:63\" OR message:\"b4:f1:da:eb:51:2f\" OR message:\"b4:f1:da:ec:99:10\""
}
}
],
"filter": [
{
"range": {
"@timestamp": {
"gte": "now-15s",
"lt": "now"
}
}
}
]
}
}
}
}
}
}
{
"search": {
"request": {
"index": [
"<logstash-{now/d}>"
],
"body": {
"query": {
"bool": {
"must": [
{
"term": {
"host": "192.168.0.21"
}
},
{
"match": {
"message": "sshd"
}
}
],
"filter": [
{
"range": {
"@timestamp": {
"gte": "now-5s",
"lt": "now"
}
}
}
]
}
}
}
}
}
}
{
"search": {
"request": {
"index": [
"<pcap-{now/d}>"
],
"body": {
"query": {
"bool": {
"must": [
{
"match": {
"layers.ip.ip_ip_dst": "192.168.0.164"
}
}
],
"must_not": [
{
"match": {
"layers.ip.ip_ip_src_host": "192.168.0.109"
}
},
{
"match": {
"layers.arp.arp_arp_src_proto_ipv4": "192.168.0.109"
}
},
{
"match": {
"layers.ip.ip_ip_src_host": "192.168.0.166"
}
},
{
"match": {
"layers.arp.arp_arp_src_proto_ipv4": "192.168.0.166"
}
}
],
"filter": [
{
"range": {
"@timestamp": {
"gte": "now-5s",
"lt": "now"
}
}
}
]
}
}
}
}
}
}