Tools to Work with Brim and zqd
Brim (https://github.com/brimsec/brim) enables efficient query operations on large packet captures and log sources, such as Zeek. Tools are provided to with with Brim components, including the Brim zqd query back-end.
The following functions are implemented:
brim_ast: Turn a Brim ZQL query into an abstract syntax treebrim_host: Retrieve the Brim host URLbrim_search_raw: Post a ZQL query to the given Brim instance and retrieve results in raq ZJSON formatbrim_search: Post a ZQL query to the given Brim instance and retrieve processed resultsbrim_spaces: Retrieve active Brim spaces from the specified Brim instancetidy_brim: Turn Brim/zqd search results into a data framezq_cmd: Execute a zq command line
remotes::install_git("https://git.rud.is/hrbrmstr/brimr.git")
# or
remotes::install_gitlab("hrbrmstr/brimr")
# or
remotes::install_bitbucket("hrbrmstr/brimr")
# or
remotes::install_github("hrbrmstr/brimr")NOTE: To use the ‘remotes’ install options you will need to have the {remotes} package installed.
library(brimr)
library(tibble)
# current version
packageVersion("brimr")
## [1] '0.1.0'brim_spaces()
## id name
## 1 sp_1p6pwLgtsESYBTHU9PL9fcl2iBn 2021-02-17-Trickbot-gtag-rob13-infection-in-AD-environment.pcap
## data_path storage_kind
## 1 file:///Users/hrbrmstr/Library/Application%20Support/Brim/data/spaces/sp_1p6pwLgtsESYBTHU9PL9fcl2iBn filestore# Z query to fetch Zeek connection data to create our network connection graph
zql1 <- '_path=conn | count() by id.orig_h, id.resp_h, id.resp_p | sort id.orig_h, id.resp_h, id.resp_p'
cat(
substr(jsonlite::toJSON(jsonlite::fromJSON(brim_ast(zql1)), pretty = TRUE), 1, 100), "..."
)
## {
## "op": ["SequentialProc"],
## "procs": [
## {
## "op": "FilterProc",
## "filter": {
## ...space <- "2021-02-17-Trickbot-gtag-rob13-infection-in-AD-environment.pcap"
r1 <- brim_search(space, zql1)
r1
## ZQL query took 0.0000 seconds; 384 records matched; 1,082 records read; 238,052 bytes read
(r1 <- as_tibble(tidy_brim(r1)))
## # A tibble: 74 x 4
## orig_h resp_h resp_p count
## <chr> <chr> <chr> <int>
## 1 10.2.17.2 10.2.17.101 49787 1
## 2 10.2.17.101 3.222.126.94 80 1
## 3 10.2.17.101 10.2.17.1 445 1
## 4 10.2.17.101 10.2.17.2 53 97
## 5 10.2.17.101 10.2.17.2 88 27
## 6 10.2.17.101 10.2.17.2 123 5
## 7 10.2.17.101 10.2.17.2 135 8
## 8 10.2.17.101 10.2.17.2 137 2
## 9 10.2.17.101 10.2.17.2 138 2
## 10 10.2.17.101 10.2.17.2 389 37
## # … with 64 more rows# Z query to fetch Suricata alerts including the count of alerts per source:destination
zql2 <- "event_type=alert | count() by src_ip, dest_ip, dest_port, alert.severity, alert.signature | sort src_ip, dest_ip, dest_port, alert.severity, alert.signature"
r2 <- brim_search(space, zql2)
r2
## ZQL query took 0.0000 seconds; 47 records matched; 870 records read; 238,660 bytes read
(r2 <- (as_tibble(tidy_brim(r2))))
## # A tibble: 35 x 6
## src_ip dest_ip dest_port severity signature count
## <chr> <chr> <int> <int> <chr> <int>
## 1 10.2.17.2 10.2.17.1… 49674 3 SURICATA Applayer Detect protocol only one direction 1
## 2 10.2.17.2 10.2.17.1… 49680 3 SURICATA Applayer Detect protocol only one direction 1
## 3 10.2.17.2 10.2.17.1… 49687 3 SURICATA Applayer Detect protocol only one direction 1
## 4 10.2.17.2 10.2.17.1… 49704 3 SURICATA Applayer Detect protocol only one direction 1
## 5 10.2.17.2 10.2.17.1… 49709 3 SURICATA Applayer Detect protocol only one direction 1
## 6 10.2.17.2 10.2.17.1… 49721 3 SURICATA Applayer Detect protocol only one direction 1
## 7 10.2.17.2 10.2.17.1… 50126 3 SURICATA Applayer Detect protocol only one direction 1
## 8 10.2.17.1… 3.222.126… 80 2 ET POLICY curl User-Agent Outbound 1
## 9 10.2.17.1… 36.95.27.… 443 1 ET HUNTING Suspicious POST with Common Windows Process Names - Possib… 1
## 10 10.2.17.1… 36.95.27.… 443 1 ET MALWARE Win32/Trickbot Data Exfiltration 1
## # … with 25 more rowslibrary(igraph)
library(ggraph)
library(tidyverse)
gdf <- count(r1, orig_h, resp_h, wt=count)
count(gdf, node = resp_h, wt=n, name = "in_degree") %>%
full_join(
count(gdf, node = orig_h, name = "out_degree")
) %>%
mutate_at(
vars(in_degree, out_degree),
replace_na, 1
) %>%
arrange(in_degree) -> vdf
g <- graph_from_data_frame(gdf, vertices = vdf)
ggraph(g, layout = "linear") +
geom_node_point(
aes(size = in_degree), shape = 21
) +
geom_edge_arc(
width = 0.125,
arrow = arrow(
length = unit(5, "pt"),
type = "closed"
)
)
zq_cmd(
c(
'"* | cut ts,id.orig_h,id.orig_p"', # note the quotes
system.file("logs", "conn.log.gz", package = "brimr")
)
)
## id.orig_h id.orig_p ts
## 1: 10.164.94.120 39681 2018-03-24T17:15:21.255387Z
## 2: 10.47.25.80 50817 2018-03-24T17:15:21.411148Z
## 3: 10.47.25.80 50817 2018-03-24T17:15:21.926018Z
## 4: 10.47.25.80 50813 2018-03-24T17:15:22.690601Z
## 5: 10.47.25.80 50813 2018-03-24T17:15:23.205187Z
## ---
## 988: 10.174.251.215 33003 2018-03-24T17:15:21.429238Z
## 989: 10.174.251.215 33003 2018-03-24T17:15:21.429315Z
## 990: 10.174.251.215 33003 2018-03-24T17:15:21.429479Z
## 991: 10.164.94.120 38265 2018-03-24T17:15:21.427375Z
## 992: 10.174.251.215 33003 2018-03-24T17:15:21.433306Z| Lang | # Files | (%) | LoC | (%) | Blank lines | (%) | # Lines | (%) |
|---|---|---|---|---|---|---|---|---|
| R | 5 | 0.42 | 180 | 0.39 | 71 | 0.33 | 86 | 0.32 |
| Rmd | 1 | 0.08 | 53 | 0.11 | 37 | 0.17 | 47 | 0.18 |
| SUM | 6 | 0.50 | 233 | 0.50 | 108 | 0.50 | 133 | 0.50 |
clock Package Metrics for brimr
Please note that this project is released with a Contributor Code of Conduct. By participating in this project you agree to abide by its terms.