Brim-queries
Brim Queries
Brim is an open source desktop application for security and network specialists. Brim makes it easy to search and analyze data from packet captures, like those created by Wireshark, and structured logs, especially from the Zeek network analysis framework
Click here to learn about Brim
| Description | Commands |
|---|---|
| Activity Overview | count() by _path | sort -r |
| Unique DNS Queries | _path=="dns" | count() by query | sort -r |
| Windows Networking Activity | _path matches smb* OR _path=="dce_rpc" |
| HTTP Requests | _path=="http" | cut id.orig_h, id.resp_h, id.resp_p, method, host, uri | uniq -c |
| Showing all http requests | _path=="http" | count() by uri | sort -r |
| Unique network Connections | _path=="conn" | cut id.orig_h, id.resp_p, id.resp_h | sort | uniq |
| Connection Received Data | _path=="conn" | put total_bytes := orig_bytes + resp_bytes | sort -r total_bytes | cut uid, id, orig_bytes, resp_bytes, total_bytes |
| File Activity | filename!=null | cut _path, tx_hosts, rx_hosts, conn_uids, mime_type, filename, md5, sha1 |
| HTTP Post Requests | method=="POST" | cut ts, uid, id, method, uri, status_code |
| Show IP subnets | _path=="conn" | put classnet := network_of(id.resp_h) | cut classnet | count() by classnet |
| Suricata Alerts by Category | event_type=="alert" | count() by alert.severity,alert.category | sort count |
| Suricata Alerts by Source and Destination IP | event_type=="alert" | alerts := union(alert.category) by src_ip, dest_ip |
| Suricata Alerts by Subnet | event_type=="alert" | alerts := union(alert.category) by network_of(dest_ip) |
| Suricata Alerts by Signature | event_type=="alert" | cut alert.signature | sort -r | uniq -c | sort -r count |
| Showing only SMB and DCE/RPC activity | _path==dce_rpc OR _path==smb_mapping OR _path==smb_files |