Brim is an application to search and analyze super-structured data.
```sh
# Open a capture file in Brim
brim sample.pcap
```
Filters
```sh
# HTTP requests to example.com on port 80, sorted by time
_path=="http" "example.com" id.resp_p==80 | cut ts, host, id.resp_p, uri | sort ts

# Find UserAgent in HTTP requests
user_agent | cut _path, id.orig_h, id.resp_h, method, host, user_agent
```
Snort
Snort is a network intrusion detection system (NIDS) and intrusion prevention system (NIPS).
```sh
# Validate the configuration
# -c: Identify the config file
# -T: Test the configuration
sudo snort -c /etc/snort/snort.conf -T

# Sniffer mode
# -d: Dump packet data
# -e: Link-layer header grabbing
# -v: Verbose mode
sudo snort -dev

# -X: Full packet dump mode
sudo snort -X

# Logger mode
# -l <dir>: Log directory (here the current directory)
sudo snort -dev -l .

# -K ASCII: ASCII logging mode
sudo snort -dev -K ASCII -l .

# IDS/IPS mode
# -A full: full alert mode
sudo snort -c /etc/snort/snort.conf -A full

# Using local rules
sudo snort -c /etc/snort/rules/local.rules -A full

# -q: Quiet mode
# --daq: Data acquisition module
# -i: Listen on interface <if>
sudo snort -c local.rules -q --daq afpacket -i eth0:eth1 -A full

# Wait until packets are received; the log file will be dumped.
# Read generated logs
sudo snort -r snort.log.xxxxxxxx

# Filters (BPF expressions)
sudo snort -r snort.log.xxxxxxxx -X
sudo snort -r snort.log.xxxxxxxx tcp
sudo snort -r snort.log.xxxxxxxx 'udp and port 53'

# Investigate pcap file
# -n: Process only the first N packets
sudo snort -c /etc/snort/snort.conf -q -r example.pcap -A full -n 10

# --pcap-list: Multiple pcap files
sudo snort -c /etc/snort/snort.conf -q --pcap-list="example.pcap example2.pcap" -A full -n 10
```
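After a run in `-A full` mode the alerts land in the log directory as plain text; the script below, an added example that is not part of the original notes, tallies such a file by rule SID so you can see which local rules fired most. The alert text is a constructed sample in the full-alert layout; pass a real `alert` file path to `summarise_alerts` to use your own.

```shell
# Added example, not from the original page: tally a Snort "-A full" alert file
# by rule SID so a triage run shows which local rules fired most.
set -eu

# Constructed sample in the layout snort writes to <logdir>/alert with -A full.
SAMPLE_ALERTS='[**] [1:1000001:1] LOCAL ICMP echo request [**]
[Classification: Misc activity] [Priority: 3]
03/15-10:21:33.123456 10.0.0.5 -> 10.0.0.1
ICMP TTL:64 TOS:0x0 ID:1234 IpLen:20 DgmLen:84

[**] [1:1000002:1] LOCAL DNS query on non-standard port [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
03/15-10:21:34.000001 10.0.0.7:51234 -> 8.8.8.8:5353
UDP TTL:64 TOS:0x0 ID:4321 IpLen:20 DgmLen:60

[**] [1:1000001:1] LOCAL ICMP echo request [**]
[Classification: Misc activity] [Priority: 3]
03/15-10:21:35.500000 10.0.0.5 -> 10.0.0.2
ICMP TTL:64 TOS:0x0 ID:1235 IpLen:20 DgmLen:84
'

# Print "count sid priority message" per rule, most frequent first.
# $1: alert file to read (defaults to the constructed sample above).
summarise_alerts() {
  { if [ -n "${1:-}" ]; then cat "$1"; else printf '%s' "$SAMPLE_ALERTS"; fi; } |
  awk '
    /^\[\*\*\] \[/ {            # header: [**] [gid:sid:rev] message [**]
      split($2, id, ":")        # $2 is "[gid:sid:rev]", so id[2] is the sid
      sid = id[2]
      msg = $0
      sub(/^\[\*\*\] \[[0-9:]*\] /, "", msg)
      sub(/ \[\*\*\]$/, "", msg)
    }
    /^\[Classification:/ {      # second line of each alert carries the priority
      match($0, /Priority: [0-9]+/)
      prio = substr($0, RSTART + 10, RLENGTH - 10)
      count[sid]++; message[sid] = msg; priority[sid] = prio
    }
    END {
      for (s in count) printf "%d %s %s %s\n", count[s], s, priority[s], message[s]
    }' | sort -rn
}

# Number of alerts seen for one sid (empty if it never fired).
count_for_sid() {
  summarise_alerts "${2:-}" | awk -v s="$1" '$2 == s { print $1; exit }'
}

summarise_alerts
```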
Modify rules
We can edit /etc/snort/rules/local.rules or our custom local.rules in another directory.