識別分隔符
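# A Bro log declares its field separator on its first header line.
$head -n 1 conn.log
#separator \x09
# Fixed: the original echoed the literal text 'x09' (backslash missing), so
# hexdump would have printed "x09" rather than a tab.  With the backslash,
# -e expands \x09 to the tab byte, confirming what the header declares.
$echo -n -e '\x09'|hexdump -c
000000 \t
000001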
使用分隔符
# Default awk field splitting uses any run of blanks, so a value that itself
# contains spaces (e.g. a notice message) pushes later columns over and $12
# is not the twelfth log field.  Splitting on the tab the header declares
# keeps the column numbering aligned with the #fields line.
$awk '{print $12}' notice.log|tail
$awk -F '\t' '{print $12}' notice.log|tail
實現水平展示
# Plain less wraps long records onto several screen lines; -S chops them
# instead so each record stays on one line (scroll sideways with the arrow keys).
$less conn.log
$less -S conn.log
列tags
# List the column names one per line by expanding the tabs of the #fields header.
$grep ^#fields conn.log|tr '\t' '\n'
# bro-cut selects columns by header name instead of by position.
$bro-cut ts id.orig_h id.orig_p id.resp_h id.resp_p proto<conn.log|head
$bro-cut ts -t id.orig_h id.orig_p id.resp_h id.resp_p proto<conn.log|head
# Exact string comparison on a field ($3=="...") avoids the partial and
# wildcard matches a regex on the whole line would give; -d renders the ts
# epoch value as a human-readable date.  Note the header lines are dropped
# by the filter, so bro-cut gets no #fields line here.
$head -n 1000 conn.log|awk '$3=="10.100.234.25"'|bro-cut -d
# Show only the header lines.
$head conn.log|awk '/^#/'
# Keep the header lines as well, so bro-cut can still resolve column names.
$head -n 1000 conn.log|awk '/^#/ || $3=="10.100.234.25" '|bro-cut -d
使用cf 時間顯示切換
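# Build the cf tool from its source tarball.  The transcript does not show
# where cf.tar.gz came from; check the archive's checksum or signature
# against the publisher before unpacking and building it.
$tar zxf cf.tar.gz
$cd cf-1.2.5/
# Fixed: this read `$configure`, which only resolves if "." is on PATH (an
# unsafe configuration in its own right).  The script is invoked by path.
# `make install` normally needs write access to the install prefix.
$./configure && make && make install
$which cf
$du -h conn.log
# Time both tools on the same input; output goes to /dev/null so only the
# conversion itself is measured.
$time bro-cut -d <conn.log > /dev/null
$time cf <conn.log> /dev/null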
使用並行命令
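$ls -l *.gz
# Fixed: the sequential zgrep searched for 10.10.243.24 while the parallel
# version below searched 10.100.243.24, so the two timings were not
# comparable; both now use the 10.100.243.24 address.  -F makes the dots
# literal instead of regex wildcards (without it 10.100.243.24 also matches
# e.g. 10x100x243x24).  Both forms still match the address anywhere on the
# line, including as a prefix of a longer address.
$time zgrep -F 10.100.243.24 conn* >/dev/null
# One zgrep per file, run concurrently by GNU parallel.
$time ls conn*|parallel "zgrep -F 10.100.243.24 {}" >/dev/null
# Field-exact comparison on originator ($3) or responder ($5) address.
$time gzcat conn*|awk '$3=="10.100.243.22" || $5=="10.100.243.22"' >/dev/null
# Same filter per file in parallel; '\'' closes, inserts and reopens the
# single-quoted string so the awk program keeps its own quotes.
$time ls conn*|parallel 'gzcat {}|awk '\''$3=="10.100.243.22" || $5=="10.100.243.22"'\''' >/dev/null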
管理虛擬機
ubuntu vagrant vm
Manager&Proxy Worker Worker
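# Vagrant cluster: one manager/proxy VM plus two workers.
$vagrant status
$vagrant ssh manager
# Fixed typo: "updatae".
#apt-get update
# git:// is an unauthenticated, unencrypted transport: nothing checks that
# the source you build came from the project.  Prefer cloning over https://
# or ssh from the project's official repository and checking out a tagged
# release.  The transcript jumps straight to `make install`; configure and
# build steps presumably happen in between.
#git clone --recursive git://git.bro.org/bro
#make install
# Key-based login from the manager to the worker at 10.1.1.20.
# Fixed: the worker address read 10.1.120 (an octet missing), the source path
# had a doubled slash, and the target file was authorized_key -- sshd reads
# authorized_keys.  The copy also used scp, which would overwrite any keys
# already present on the worker; appending (what ssh-copy-id does) keeps them.
# .ssh must be 0700 and authorized_keys 0600 or sshd's StrictModes rejects
# the file.  This installs the manager's root key on the worker; a dedicated
# unprivileged account for the Bro processes limits what that key can do.
#ssh 10.1.1.20 "mkdir -p -m 700 ~/.ssh"
#cat /root/.ssh/id_rsa.pub | ssh 10.1.1.20 "cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"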
broctl 的基礎命令
/usr/local/bro
node.cfg
進入 BroControl
# Lines starting with ">" are typed at the BroControl prompt; "#" lines are
# a root shell.  `install` pushes the current configuration (node.cfg etc.)
# out to the nodes; `check` validates the configuration and scripts first.
>install
>exit
>check
#/usr/local/bro/bin/broctl start
#/usr/local/bro/bin/broctl status
# Logs of the running instance are written under logs/current.
#cat /usr/local/bro/logs/current/conn.log
# The usual cycle: check, install, start, then status to confirm the nodes
# are up.
$broctl
>check
>install
>start
>status
>restart
>stop
# top and df report process and disk usage on the nodes.
>top
>df
# exec runs a shell command on every node as the broctl user; treat it like
# remote root-equivalent access to the cluster and keep the broctl host and
# its ssh keys locked down accordingly.
>exec
>netstats
q 退出
# Dump the effective configuration.
$broctl config|less
exec命令使用
exec
進入/usr/local目錄
# The script Bro will launch via the Exec framework (see the hello.bro below).
cat scripts/hello.sh
#!/bin/bash
# Writes to a fixed, predictable path in the world-writable /tmp.  When run
# by the Bro user, a symlink or file planted there beforehand by another local
# user decides where the write really lands; a directory owned by the Bro
# user (or mktemp) avoids that.
echo "Hello World!">/tmp/hello
進入/usr/local目錄
#cat /demo/hello.bro
# On startup, run hello.sh once through the Exec framework and print "done"
# when it finishes.
event bro_init(){
# fmt() is used on a constant string here, so the command is fixed.  The
# command string is handed to the Exec framework for execution (assumed to go
# through a shell -- confirm in the Exec framework docs); never build $cmd
# from log, packet or user-supplied data, or that data becomes part of the
# command line.
local command=Exec::Command($cmd=fmt("/usr/local/scripts/hello.sh"));
# `when` is asynchronous: the body runs after the process exits.  `result`
# (exit code and output) is captured but not used.
when(local result=Exec::run(command)){
print fmt("done");
}
}
使用 awk
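# Split http.log by which blocklisted address each line mentions.
# First input (NR==FNR) is the downloaded blocklist, one IP per line, with
# comment and blank lines removed; each IP is remembered with its line
# number.  Second input is http.log; every line containing a listed IP is
# appended to line_<N>_ip.txt, N being that IP's position in the list.
# Fixes: the original program had one closing brace too many (awk rejects
# it); the match was `$0 ~ ip`, which treats the dots of an IP as regex
# wildcards -- index() matches the text literally.  A listed address can
# still match as a prefix of a longer one (10.1.1.1 inside 10.1.1.10).
# The redirection target is parenthesised, as POSIX awk requires for a
# concatenation.  Output file names come from the line number, never from
# the downloaded text, so list contents cannot steer the path.
# wget -nv keeps download errors visible: with stderr discarded, a failed
# download silently produced an empty list and therefore no output files.
# Each distinct IP opens its own output file; a large list may exceed the
# open-file limit in awk implementations that do not recycle descriptors.
awk 'NR==FNR { ips[$1] = NR; next }
{
    for (ip in ips) {
        if (index($0, ip)) {
            print >> ("line_" ips[ip] "_ip.txt")
        }
    }
}' <(wget -nv -O - "https://zeustracker.abuse.ch/blocklist.php?download=badips" |
grep -Ev "#|^ *$") http.log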