You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8.3 KiB
8.3 KiB
brimr
Tools to Work with Brim and zqd
Description
Brim (https://github.com/brimsec/brim) enables efficient query operations on large packqet captures and log sources, such as Zeek. Tools are provided to with with Brim components, including the Brim zqd query back-end.
What’s Inside The Tin
The following functions are implemented:
brim_ast
: Turn a Brim ZQL query into an abstract syntax treebrim_host
: Retrieve the Brim host URLbrim_search_raw
: Post a ZQL query to the given Brim instance and retrieve results in raq ZJSON formatbrim_search
: Post a ZQL query to the given Brim instance and retrieve processed resultsbrim_spaces
: Retrieve active Brim spaces from the specified Brim instance
Installation
remotes::install_git("https://git.rud.is/hrbrmstr/brimr.git")
# or
remotes::install_gitlab("hrbrmstr/brimr")
# or
remotes::install_bitbucket("hrbrmstr/brimr")
NOTE: To use the ‘remotes’ install options you will need to have the {remotes} package installed.
Usage
library(brimr)
library(tibble)
# current version
packageVersion("brimr")
## [1] '0.1.0'
brim_spaces()
## # A tibble: 1 x 4
## id name data_path storage_kind
## * <chr> <chr> <chr> <chr>
## 1 sp_1p6pwLgtsESYBT… 2021-02-17-Trickbot-gtag-rob13-i… file:///Users/hrbrmstr/Library/Application%20Suppor… filestore
zql <- '_path=conn | count() by id.orig_h, id.resp_h, id.resp_p | sort id.orig_h, id.resp_h, id.resp_p'
cat(jsonlite::toJSON(jsonlite::fromJSON(brim_ast(zql)), pretty = TRUE))
## {
## "op": ["SequentialProc"],
## "procs": [
## {
## "op": "FilterProc",
## "filter": {
## "op": "CompareField",
## "comparator": "=",
## "field": {
## "op": "BinaryExpr",
## "operator": ".",
## "lhs": {
## "op": "RootRecord"
## },
## "rhs": {
## "op": "Identifier",
## "name": "_path"
## }
## },
## "value": {
## "op": "Literal",
## "type": "string",
## "value": "conn"
## }
## },
## "keys": {},
## "reducers": {},
## "fields": {}
## },
## {
## "op": "GroupByProc",
## "filter": {
## "field": {
## "lhs": {},
## "rhs": {}
## },
## "value": {}
## },
## "limit": 0,
## "keys": [
## {
## "op": "Assignment",
## "rhs": {
## "op": "BinaryExpr",
## "operator": ".",
## "lhs": {
## "op": "BinaryExpr",
## "operator": ".",
## "lhs": {
## "op": "RootRecord"
## },
## "rhs": {
## "op": "Identifier",
## "name": "id"
## }
## },
## "rhs": {
## "op": "Identifier",
## "name": "orig_h"
## }
## }
## },
## {
## "op": "Assignment",
## "rhs": {
## "op": "BinaryExpr",
## "operator": ".",
## "lhs": {
## "op": "BinaryExpr",
## "operator": ".",
## "lhs": {
## "op": "RootRecord"
## },
## "rhs": {
## "op": "Identifier",
## "name": "id"
## }
## },
## "rhs": {
## "op": "Identifier",
## "name": "resp_h"
## }
## }
## },
## {
## "op": "Assignment",
## "rhs": {
## "op": "BinaryExpr",
## "operator": ".",
## "lhs": {
## "op": "BinaryExpr",
## "operator": ".",
## "lhs": {
## "op": "RootRecord"
## },
## "rhs": {
## "op": "Identifier",
## "name": "id"
## }
## },
## "rhs": {
## "op": "Identifier",
## "name": "resp_p"
## }
## }
## }
## ],
## "reducers": [
## {
## "op": "Assignment",
## "rhs": {
## "op": "Reducer",
## "operator": "count"
## }
## }
## ],
## "fields": {}
## },
## {
## "op": "SortProc",
## "filter": {
## "field": {
## "lhs": {},
## "rhs": {}
## },
## "value": {}
## },
## "keys": {},
## "reducers": {},
## "fields": [
## {
## "op": "BinaryExpr",
## "operator": ".",
## "lhs": {
## "op": "BinaryExpr",
## "operator": ".",
## "lhs": {
## "op": "RootRecord"
## },
## "rhs": {
## "op": "Identifier",
## "name": "id"
## }
## },
## "rhs": {
## "op": "Identifier",
## "name": "orig_h"
## }
## },
## {
## "op": "BinaryExpr",
## "operator": ".",
## "lhs": {
## "op": "BinaryExpr",
## "operator": ".",
## "lhs": {
## "op": "RootRecord"
## },
## "rhs": {
## "op": "Identifier",
## "name": "id"
## }
## },
## "rhs": {
## "op": "Identifier",
## "name": "resp_h"
## }
## },
## {
## "op": "BinaryExpr",
## "operator": ".",
## "lhs": {
## "op": "BinaryExpr",
## "operator": ".",
## "lhs": {
## "op": "RootRecord"
## },
## "rhs": {
## "op": "Identifier",
## "name": "id"
## }
## },
## "rhs": {
## "op": "Identifier",
## "name": "resp_p"
## }
## }
## ],
## "sortdir": 1,
## "nullsfirst": false
## }
## ]
## }
space <- "2021-02-17-Trickbot-gtag-rob13-infection-in-AD-environment.pcap"
r <- brim_search(space, zql)
str(r, 2)
## List of 5
## $ :List of 2
## ..$ type : chr "TaskStart"
## ..$ task_id: int 0
## $ :List of 3
## ..$ type : chr "SearchRecords"
## ..$ channel_id: int 0
## ..$ records :'data.frame': 74 obs. of 4 variables:
## $ :List of 3
## ..$ type : chr "SearchEnd"
## ..$ channel_id: int 0
## ..$ reason : chr "eof"
## $ :List of 7
## ..$ type : chr "SearchStats"
## ..$ start_time :List of 2
## ..$ update_time :List of 2
## ..$ bytes_read : int 238052
## ..$ bytes_matched : int 54486
## ..$ records_read : int 1082
## ..$ records_matched: int 384
## $ :List of 2
## ..$ type : chr "TaskEnd"
## ..$ task_id: int 0
brimr Metrics
Lang | # Files | (%) | LoC | (%) | Blank lines | (%) | # Lines | (%) |
---|---|---|---|---|---|---|---|---|
R | 3 | 0.38 | 53 | 0.39 | 25 | 0.27 | 41 | 0.29 |
Rmd | 1 | 0.12 | 15 | 0.11 | 21 | 0.23 | 30 | 0.21 |
SUM | 4 | 0.50 | 68 | 0.50 | 46 | 0.50 | 71 | 0.50 |
clock Package Metrics for brimr
Code of Conduct
Please note that this project is released with a Contributor Code of Conduct. By participating in this project you agree to abide by its terms.