
Brim Queries

Brim is an open source desktop application for security and network specialists. It makes it easy to search and analyze data from packet captures, such as those created by Wireshark, and from structured logs, especially those produced by the Zeek network analysis framework and the Suricata IDS. The queries below address Zeek logs by their log type (`_path`) and nested `id` connection record, and Suricata EVE records by `event_type`.

| Description | Command |
|---|---|
| Activity overview (record count per log type) | `count() by _path \| sort -r` |
| Unique DNS queries | `_path=="dns" \| count() by query \| sort -r` |
| Windows networking activity (SMB and DCE/RPC) | `_path matches smb* OR _path=="dce_rpc"` |
| HTTP requests | `_path=="http" \| cut id.orig_h, id.resp_h, id.resp_p, method, host, uri \| uniq -c` |
| HTTP requests counted by URI | `_path=="http" \| count() by uri \| sort -r` |
| Unique network connections | `_path=="conn" \| cut id.orig_h, id.resp_p, id.resp_h \| sort \| uniq` |
| Connections by total bytes transferred | `_path=="conn" \| put total_bytes := orig_bytes + resp_bytes \| sort -r total_bytes \| cut uid, id, orig_bytes, resp_bytes, total_bytes` |
| File activity (any log carrying a filename) | `filename!=null \| cut _path, tx_hosts, rx_hosts, conn_uids, mime_type, filename, md5, sha1` |
| HTTP POST requests | `method=="POST" \| cut ts, uid, id, method, uri, status_code` |
| Responder IP subnets (classful networks) | `_path=="conn" \| put classnet := network_of(id.resp_h) \| cut classnet \| count() by classnet` |
| Suricata alerts by category and severity | `event_type=="alert" \| count() by alert.severity,alert.category \| sort count` |
| Suricata alerts by source and destination IP | `event_type=="alert" \| alerts := union(alert.category) by src_ip, dest_ip` |
| Suricata alerts by destination subnet | `event_type=="alert" \| alerts := union(alert.category) by network_of(dest_ip)` |
| Suricata alerts by signature | `event_type=="alert" \| cut alert.signature \| sort -r \| uniq -c \| sort -r count` |
| Only SMB mapping, SMB file and DCE/RPC activity | `_path=="dce_rpc" OR _path=="smb_mapping" OR _path=="smb_files"` |

Note that `method=="POST"` and `filename!=null` are not restricted to one `_path`; they match any log type carrying that field. The byte-total query relies on `orig_bytes` and `resp_bytes` both being present on the `conn` record; Zeek leaves them unset when it could not measure a direction.
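To make the shape of the data these pipelines operate on concrete, here is an added example (not code from Brim, Zed or Zeek) that reimplements four of the queries above in plain Python over constructed Zeek JSON-lines and Suricata EVE records. It assumes the same conventions the queries rely on: a `_path` field naming the Zeek log type, a nested `id` record with `orig_h`/`resp_h`/`resp_p`, and `event_type=="alert"` on Suricata records. The classful `network_of()` behaviour (/8, /16 or /24 chosen from the first octet) and the handling of a missing byte count (the row sorts last instead of being counted as zero) are this example's own choices, not a statement of Zed's exact semantics.

```python
"""Plain-Python reimplementation of four Brim/Zed queries from the table above,
run over constructed Zeek and Suricata JSON-lines records (synthetic, not captured traffic)."""
import ipaddress
import json
from collections import Counter, defaultdict

# Constructed sample input: Zeek logs in JSON-lines form with the _path field that
# Brim adds, followed by two Suricata eve.json alert records. All values are made up.
SAMPLE_LINES = """\
{"_path":"conn","ts":1.0,"uid":"CA1","id":{"orig_h":"10.0.0.5","orig_p":51000,"resp_h":"192.168.1.10","resp_p":445},"proto":"tcp","orig_bytes":1200,"resp_bytes":90000}
{"_path":"conn","ts":2.0,"uid":"CA2","id":{"orig_h":"10.0.0.5","orig_p":51001,"resp_h":"93.184.216.34","resp_p":80},"proto":"tcp","orig_bytes":300,"resp_bytes":4000}
{"_path":"conn","ts":3.0,"uid":"CA3","id":{"orig_h":"10.0.0.7","orig_p":51002,"resp_h":"93.184.216.34","resp_p":80},"proto":"tcp","orig_bytes":100}
{"_path":"dns","ts":4.0,"uid":"CA4","id":{"orig_h":"10.0.0.5","orig_p":53001,"resp_h":"10.0.0.1","resp_p":53},"query":"example.com"}
{"_path":"dns","ts":5.0,"uid":"CA5","id":{"orig_h":"10.0.0.7","orig_p":53002,"resp_h":"10.0.0.1","resp_p":53},"query":"example.com"}
{"_path":"http","ts":6.0,"uid":"CA2","id":{"orig_h":"10.0.0.5","orig_p":51001,"resp_h":"93.184.216.34","resp_p":80},"method":"POST","host":"example.com","uri":"/upload","status_code":200}
{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"192.168.1.10","alert":{"signature":"CONSTRUCTED SMB share enumeration","category":"Attempted Information Leak","severity":2}}
{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"192.168.1.10","alert":{"signature":"CONSTRUCTED DCERPC bind","category":"Potentially Bad Traffic","severity":3}}
"""


def load_records(text):
    """Parse JSON-lines text into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def activity_overview(records):
    """count() by _path | sort -r   (ties broken by _path name so output is deterministic)."""
    counts = Counter(r["_path"] for r in records if "_path" in r)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def connection_bytes(records):
    """_path=="conn" | put total_bytes := orig_bytes + resp_bytes | sort -r total_bytes
    | cut uid, id, orig_bytes, resp_bytes, total_bytes

    A conn record missing either byte count gets total_bytes None and sorts last,
    so an unmeasured connection is never mistaken for a zero-byte one."""
    rows = []
    for r in records:
        if r.get("_path") != "conn":
            continue
        ob, rb = r.get("orig_bytes"), r.get("resp_bytes")
        total = ob + rb if ob is not None and rb is not None else None
        rows.append({"uid": r["uid"], "id": r["id"], "orig_bytes": ob,
                     "resp_bytes": rb, "total_bytes": total})
    rows.sort(key=lambda row: (row["total_bytes"] is None, -(row["total_bytes"] or 0)))
    return rows


def network_of(ip):
    """Classful IPv4 network, this example's stand-in for Zed's one-argument network_of():
    first octet < 128 -> /8, < 192 -> /16, otherwise /24."""
    first = int(ipaddress.IPv4Address(ip)) >> 24
    prefix = 8 if first < 128 else 16 if first < 192 else 24
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def subnets(records):
    """_path=="conn" | put classnet := network_of(id.resp_h) | count() by classnet"""
    counts = Counter(network_of(r["id"]["resp_h"])
                     for r in records if r.get("_path") == "conn")
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def alerts_by_pair(records):
    """event_type=="alert" | alerts := union(alert.category) by src_ip, dest_ip"""
    cats = defaultdict(set)
    for r in records:
        if r.get("event_type") == "alert":
            cats[(r["src_ip"], r["dest_ip"])].add(r["alert"]["category"])
    return {pair: sorted(c) for pair, c in cats.items()}


if __name__ == "__main__":
    recs = load_records(SAMPLE_LINES)
    for name, fn in [("Activity overview", activity_overview),
                     ("Connections by total bytes", connection_bytes),
                     ("Responder IP subnets", subnets),
                     ("Suricata alerts by src/dest pair", alerts_by_pair)]:
        print(name)
        print("  ", fn(recs))
```

Feeding the same records to Brim and comparing its output with this script's is a quick way to check that a query you write does what you think, particularly around null fields and the classful subnet grouping, before running it against a large capture.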