by2 1.0.0
- checksums.yaml +7 -0
- data/.gitignore +20 -0
- data/Gemfile +4 -0
- data/LICENSE.txt +22 -0
- data/README.md +50 -0
- data/Rakefile +98 -0
- data/bin/by2 +16 -0
- data/by2.gemspec +32 -0
- data/config/database.yml.example +11 -0
- data/config/setup.sql +9 -0
- data/db/migrate/20140205014806_init_db.rb +147 -0
- data/db/schema.rb +160 -0
- data/lib/by2.rb +69 -0
- data/lib/by2/client.rb +109 -0
- data/lib/by2/config_loader.rb +34 -0
- data/lib/by2/ext/active_record.rb +105 -0
- data/lib/by2/models.rb +10 -0
- data/lib/by2/models/event.rb +50 -0
- data/lib/by2/models/icmphdr.rb +10 -0
- data/lib/by2/models/iphdr.rb +38 -0
- data/lib/by2/models/payload.rb +16 -0
- data/lib/by2/models/tcphdr.rb +30 -0
- data/lib/by2/models/udphdr.rb +30 -0
- data/lib/by2/options.rb +77 -0
- data/lib/by2/utils.rb +22 -0
- data/lib/by2/version.rb +3 -0
- data/man/by2.1 +105 -0
- data/man/by2.1.ronn +98 -0
- data/man/by2.1.txt +107 -0
- data/spec/by2/client_spec.rb +157 -0
- data/spec/by2/models/event_spec.rb +14 -0
- data/spec/by2/options_spec.rb +107 -0
- data/spec/by2/utils_spec.rb +19 -0
- data/spec/fixtures/data.yml +19 -0
- data/spec/fixtures/event.yml +36 -0
- data/spec/fixtures/icmphdr.yml +7 -0
- data/spec/fixtures/iphdr.yml +108 -0
- data/spec/fixtures/tcphdr.yml +55 -0
- data/spec/fixtures/udphdr.yml +7 -0
- data/spec/spec_helper.rb +55 -0
- metadata +235 -0
@@ -0,0 +1,30 @@
|
|
1
|
+
module By2
|
2
|
+
module Models
|
3
|
+
class Tcphdr < ActiveRecord::Base
|
4
|
+
self.table_name = 'tcphdr'
|
5
|
+
self.primary_keys = :sid, :cid
|
6
|
+
|
7
|
+
belongs_to :event, :foreign_key => [:sid, :cid]
|
8
|
+
|
9
|
+
def self.src_or_dst_port(port)
|
10
|
+
where("tcphdr.tcp_sport = ? or tcphdr.tcp_dport = ?", port, port)
|
11
|
+
end
|
12
|
+
|
13
|
+
def self.src_port(port)
|
14
|
+
where("tcphdr.tcp_sport = ?", port)
|
15
|
+
end
|
16
|
+
|
17
|
+
def self.dst_port(port)
|
18
|
+
where("tcphdr.tcp_dport = ?", port)
|
19
|
+
end
|
20
|
+
|
21
|
+
def dport
|
22
|
+
tcp_dport
|
23
|
+
end
|
24
|
+
|
25
|
+
def sport
|
26
|
+
tcp_sport
|
27
|
+
end
|
28
|
+
end
|
29
|
+
end
|
30
|
+
end
|
@@ -0,0 +1,30 @@
|
|
1
|
+
module By2
|
2
|
+
module Models
|
3
|
+
class Udphdr < ActiveRecord::Base
|
4
|
+
self.table_name = 'udphdr'
|
5
|
+
self.primary_keys = :sid, :cid
|
6
|
+
|
7
|
+
belongs_to :event, :foreign_key => [:sid, :cid]
|
8
|
+
|
9
|
+
def self.src_or_dst_port(port)
|
10
|
+
where("udphdr.udp_sport = ? or udphdr.udp_dport = ?", port, port)
|
11
|
+
end
|
12
|
+
|
13
|
+
def self.src_port(port)
|
14
|
+
where("udphdr.udp_sport = ?", port)
|
15
|
+
end
|
16
|
+
|
17
|
+
def self.dst_port(port)
|
18
|
+
where("udphdr.udp_dport = ?", port)
|
19
|
+
end
|
20
|
+
|
21
|
+
def dport
|
22
|
+
udp_dport
|
23
|
+
end
|
24
|
+
|
25
|
+
def sport
|
26
|
+
udp_sport
|
27
|
+
end
|
28
|
+
end
|
29
|
+
end
|
30
|
+
end
|
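--- a/data/lib/by2/options.rb
+++ b/data/lib/by2/options.rb
@@ -0,0 +1,77 @@
+module By2
+class Options
+OptionsError = Class.new(RuntimeError)
+
+def self.parse(argv)
+options = { start_date: 2.weeks.ago }
+req_options = {}
+
+opts = OptionParser.new do |x|
+x.banner = "Usage: by2 [options]"
+
+x.separator ""
+x.separator "Required options (at least one is required):"
+
+x.on("-i IP", String, "source or destination ip w/optional port") do |ip|
+req_options[:ip], req_options[:port] = ip.split(":")
+end
+
+x.on("-s SRC_IP", String, "source ip w/optional port") do |ip|
+req_options[:src_ip], req_options[:src_port] = ip.split(":")
+end
+
+x.on("-d DST_IP", String, "destination ip w/optional port") do |ip|
+req_options[:dst_ip], req_options[:dst_port] = ip.split(":")
+end
+
+x.on("-m DUMP_STR", String, "dump string: \"src_ip:src_port -> dst_ip:dst_port\"") do |ips|
+src_ip, dst_ip = ips.split("->")
+req_options[:src_ip], req_options[:src_port] = src_ip.strip.split(":")
+req_options[:dst_ip], req_options[:dst_port] = dst_ip.strip.split(":")
+end
+
+x.on("-t DATE", String, "date (yyyy-mm-dd)") do |date|
+if date.include?(":")
+req_options[:start_date], req_options[:end_date] = date.split(":")
+else
+req_options[:date] = date
+options.delete(:start_date)
+end
+end
+
+
+x.separator ""
+x.separator "Additional options:"
+
+x.on("-l LIMIT", Integer, "limit number of returned records") do |l|
+options[:limit] = l
+end
+
+x.on("-D", TrueClass, "debug flag") do
+options[:debug] = true
+end
+
+x.on("-C", TrueClass, "only print number of records found") do
+options[:count] = true
+end
+
+x.on("-h", "Show this message") do
+$stdout.puts(opts); exit
+end
+
+x.on("-H", "Show man page") do
+$stdout.puts(File.read("#{::By2.root}/man/by2.1.txt")); exit
+end
+end
+
+opts.parse!(argv)
+
+raise OptionsError if req_options.empty?
+
+options.merge(req_options)
+rescue OptionParser::ParseError, OptionsError => err
+raise OptionsError.new(opts) if err.is_a?(OptionsError)
+raise OptionsError.new(err)
+end
+end
+end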
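Review bot: The `-m` handler (hunk line 28) calls `dst_ip.strip` without checking that `ips.split("->")` produced two parts, so a DUMP_STR with no `->` raises NoMethodError, which the `rescue OptionParser::ParseError, OptionsError` clause at the end of `parse` does not catch, and the user gets a backtrace instead of the usage text. Raising a parser error from inside the handler keeps it on the existing error path: `src_ip, dst_ip = ips.split("->", 2)` followed by `raise OptionParser::InvalidArgument, ips unless dst_ip`. The port halves of `-i`, `-s` and `-d` have the same shape of problem: `ip.split(":")` accepts anything, so a non-numeric port (or an empty address before the colon) is forwarded as a String while `-l` is coerced with `Integer`; a guard like `raise OptionParser::InvalidArgument, ip unless port.nil? || port =~ /\A\d+\z/` in each handler, or a comment stating that validation happens in the client, would make the contract explicit. `2.weeks.ago` on hunk line 6 presumes ActiveSupport's core extensions are loaded before `parse` runs; nothing in this file requires them, so that dependency is worth a comment on the method.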
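--- a/data/lib/by2/utils.rb
+++ b/data/lib/by2/utils.rb
@@ -0,0 +1,22 @@
+require 'ipaddr'
+
+
+module By2
+module Utils
+def self.int32_to_ip(int32)
+IPAddr.new(int32, Socket::AF_INET).to_s
+end
+
+def self.ip_to_int32(ip)
+IPAddr.new(ip).to_i
+end
+
+def self.hex_to_ascii(hex)
+[hex].pack("H*")
+end
+
+def self.fdate(date)
+date.strftime("%Y-%m-%d")
+end
+end
+end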
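Review bot: `hex_to_ascii` returns the decoded payload as raw bytes (`pack("H*")` yields an ASCII-8BIT string) and nothing in this module strips control characters, so a caller that prints the result writes whatever bytes the captured packet carried, terminal escape sequences included, straight to the user's terminal. Since that payload is data recorded from the wire rather than trusted input, the printing side should render non-printables instead of echoing them, e.g. a sibling helper that does `str.gsub(/[^[:print:]\n\t]/n, ".")`, and `hex_to_ascii` itself should carry a comment such as `# Returns a binary (ASCII-8BIT) String; the bytes are not sanitised for display.` `ip_to_int32` raises `IPAddr::InvalidAddressError` (an ArgumentError subclass) on a malformed address; whether the option parser rescues that is not visible here, so a `# @raise [IPAddr::InvalidAddressError]` line on it would tell callers what to expect. Each of the four methods would benefit from a one-line YARD summary with `@param` and `@return`.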
data/lib/by2/version.rb
ADDED
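--- a/data/man/by2.1
+++ b/data/man/by2.1
@@ -0,0 +1,105 @@
+.\" generated with Ronn/v0.7.3
+.\" http://github.com/rtomayko/ronn/tree/0.7.3
+.
+.TH "BY2" "1" "May 2014" "" ""
+.
+.SH "NAME"
+\fBby2\fR \- Client for Querying a Barnyard2 DB
+.
+.SH "SYNOPSIS"
+\fBby2 [\-CD] [\-i IP] [\-s SRC_IP] [\-d DST_IP] [\-l LIMIT] [\-t DATE] [\-m DUMP_STR]\fR
+.
+.SH "DESCRIPTION"
+\fBby2\fR is a simple command\-line tool for querying a barnyard2 database for packets that match the provided options\. By default, only records that have been create in the last 2 weeks will be returned\. See the below options for overriding this behaviour\.
+.
+.P
+Results are returned in the following format:
+.
+.IP "" 4
+.
+.nf
+
+\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-
+[Timestamp1] src_ip:src_port \-> dst_ip:dst_port
+
+PAYLOAD
+\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-
+[Timestamp2] src_ip:src_port \-> dst_ip:dst_port
+
+PAYLOAD
+\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-
+Record Count: <N>
+.
+.fi
+.
+.IP "" 0
+.
+.SH "OPTIONS"
+.
+.TP
+\fB\-C\fR
+Only print the number of records found\.
+.
+.TP
+\fB\-D\fR
+Print debugging information\.
+.
+.TP
+\fB\-d DST_IP\fR
+Find all records where the destination ip matches the provided ip\. You may optionally provide a port: DST_IP:DST_PORT\. This will find all records where the destination ip and destination port match the provided ip and port\.
+.
+.TP
+\fB\-i IP\fR
+Find all records where the source ip or the destination ip match the provided ip\. You may optionally provide a port: IP:PORT\. This will find all records where the source ip and source port or the destination ip and destination port match the provided ip and port\.
+.
+.TP
+\fB\-l LIMIT\fR
+Limits the number of records returned to be <= LIMIT\.
+.
+.TP
+\fB\-m DUMP_STR\fR
+Find all records that match the tokens in DUMP_STR\. DUMP_STR tokens are formatted like so "SRC_IP:SRC_PORT \-> DST_IP:DST_PORT"\.
+.
+.TP
+\fB\-t DATE\fR
+Find all records with a timestamp equal to DATE\. Expected format of DATE is yyyy\-mm\-dd\. You may pass in a range of dates by separating the start date from the end date with a ":" (START_DATE:END_DATE)\. You can also pass in START_DATE: with no end date to indicate that you want to find all records with a timestamp greater than or equal to START_DATE\. When matching on a date range, dates are inclusive\. If \-t option is not provided, a default range will be used: "2\.weeks\.ago:"
+.
+.TP
+\fB\-s SRC_IP\fR
+Find all records where the source ip matches the provided ip\. You may optionally provide a port: SRC_IP:SRC_PORT\. This will find all records where the source ip and source port match the provided ip and port\.
+.
+.SH "EXAMPLES"
+Finds all records where source ip or destination ip are equal to "128\.1\.1\.1"
+.
+.P
+$ by2 \-i 128\.1\.1\.1
+.
+.P
+Finds all records where source ip and port or destination ip and port a equal to "128\.1\.1\.1:80"
+.
+.P
+$ by2 \-i 128\.1\.1\.1:80
+.
+.P
+Finds all records where timestamp is equal to 2014\-02\-01
+.
+.P
+$ by2 \-d 2014\-02\-01
+.
+.P
+Finds all records where source ip is equal to 128\.1\.1\.1 and the timestamp is greater than or equal to 2014\-02\-01
+.
+.P
+$ by2 \-s 128\.1\.1\.1 \-d 2014\-02\-01:
+.
+.P
+Finds all records where source ip is equal to 128\.1\.1\.1 and the timestamp is between (inclusive) 2014\-02\-01 and 2014\-02\-01
+.
+.P
+$ by2 \-s 128\.1\.1\.1 \-d 2014\-02\-01:2014\-01\-01
+.
+.P
+Finds all records with ips/ports matching the dump string:
+.
+.P
+$ by2 \-m "128\.1\.1\.1:80 \-> 128\.0\.0\.1:443"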
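--- a/data/man/by2.1.ronn
+++ b/data/man/by2.1.ronn
@@ -0,0 +1,98 @@
+by2(1) -- Client for Querying a Barnyard2 DB
+============================================
+
+## SYNOPSIS
+
+`by2 [-CD] [-i IP] [-s SRC_IP] [-d DST_IP] [-l LIMIT] [-t DATE] [-m DUMP_STR]`
+
+## DESCRIPTION
+
+**by2** is a simple command-line tool for querying a barnyard2 database for packets
+that match the provided options. By default, only records that have been create in
+the last 2 weeks will be returned. See the below options for overriding this behaviour.
+
+Results are returned in the following format:
+
+----------------------------------------------
+[Timestamp1] src_ip:src_port -> dst_ip:dst_port
+
+PAYLOAD
+----------------------------------------------
+[Timestamp2] src_ip:src_port -> dst_ip:dst_port
+
+PAYLOAD
+----------------------------------------------
+Record Count: <N>
+
+
+## OPTIONS
+
+* `-C`:
+Only print the number of records found.
+
+* `-D`:
+Print debugging information.
+
+* `-d DST_IP`:
+Find all records where the destination ip matches the provided ip. You may optionally
+provide a port: DST_IP:DST_PORT. This will find all records where the destination ip
+and destination port match the provided ip and port.
+
+* `-i IP`:
+Find all records where the source ip or the destination ip match the provided ip.
+You may optionally provide a port: IP:PORT. This will find all records where the
+source ip and source port or the destination ip and destination port match the
+provided ip and port.
+
+* `-l LIMIT`:
+Limits the number of records returned to be <= LIMIT.
+
+* `-m DUMP_STR`:
+Find all records that match the tokens in DUMP_STR. DUMP_STR tokens are formatted
+like so "SRC_IP:SRC_PORT -> DST_IP:DST_PORT".
+
+* `-t DATE`:
+Find all records with a timestamp equal to DATE. Expected format of DATE is
+yyyy-mm-dd. You may pass in a range of dates by separating the start date
+from the end date with a ":" (START_DATE:END_DATE). You can also pass in
+START_DATE: with no end date to indicate that you want to find all records
+with a timestamp greater than or equal to START_DATE. When matching on a date
+range, dates are inclusive. If -t option is not provided, a default range
+will be used: "2.weeks.ago:"
+
+
+* `-s SRC_IP`:
+Find all records where the source ip matches the provided ip. You may optionally
+provide a port: SRC_IP:SRC_PORT. This will find all records where the source ip
+and source port match the provided ip and port.
+
+## EXAMPLES
+
+Finds all records where source ip or destination ip are equal to "128.1.1.1"
+
+$ by2 -i 128.1.1.1
+
+Finds all records where source ip and port or destination ip and port a equal
+to "128.1.1.1:80"
+
+$ by2 -i 128.1.1.1:80
+
+Finds all records where timestamp is equal to 2014-02-01
+
+$ by2 -d 2014-02-01
+
+Finds all records where source ip is equal to 128.1.1.1 and the timestamp is
+greater than or equal to 2014-02-01
+
+$ by2 -s 128.1.1.1 -d 2014-02-01:
+
+Finds all records where source ip is equal to 128.1.1.1 and the timestamp is
+between (inclusive) 2014-02-01 and 2014-02-01
+
+$ by2 -s 128.1.1.1 -d 2014-02-01:2014-01-01
+
+
+Finds all records with ips/ports matching the dump string:
+
+$ by2 -m "128.1.1.1:80 -> 128.0.0.1:443"
+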
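--- a/data/man/by2.1.txt
+++ b/data/man/by2.1.txt
@@ -0,0 +1,107 @@
+BY2(1) BY2(1)
+
+
+
+NAME
+by2 - Client for Querying a Barnyard2 DB
+
+SYNOPSIS
+by2 [-CD] [-i IP] [-s SRC_IP] [-d DST_IP] [-l LIMIT] [-t DATE] [-m
+DUMP_STR]
+
+DESCRIPTION
+by2 is a simple command-line tool for querying a barnyard2 database for
+packets that match the provided options. By default, only records that
+have been create in the last 2 weeks will be returned. See the below
+options for overriding this behaviour.
+
+Results are returned in the following format:
+
+
+
+----------------------------------------------
+[Timestamp1] src_ip:src_port -> dst_ip:dst_port
+
+PAYLOAD
+----------------------------------------------
+[Timestamp2] src_ip:src_port -> dst_ip:dst_port
+
+PAYLOAD
+----------------------------------------------
+Record Count: <N>
+
+
+
+OPTIONS
+-C Only print the number of records found.
+
+-D Print debugging information.
+
+-d DST_IP
+Find all records where the destination ip matches the provided
+ip. You may optionally provide a port: DST_IP:DST_PORT. This
+will find all records where the destination ip and destination
+port match the provided ip and port.
+
+-i IP Find all records where the source ip or the destination ip match
+the provided ip. You may optionally provide a port: IP:PORT.
+This will find all records where the source ip and source port
+or the destination ip and destination port match the provided ip
+and port.
+
+-l LIMIT
+Limits the number of records returned to be <= LIMIT.
+
+-m DUMP_STR
+Find all records that match the tokens in DUMP_STR. DUMP_STR
+tokens are formatted like so "SRC_IP:SRC_PORT ->
+DST_IP:DST_PORT".
+
+-t DATE
+Find all records with a timestamp equal to DATE. Expected format
+of DATE is yyyy-mm-dd. You may pass in a range of dates by sepa-
+rating the start date from the end date with a ":"
+(START_DATE:END_DATE). You can also pass in START_DATE: with no
+end date to indicate that you want to find all records with a
+timestamp greater than or equal to START_DATE. When matching on
+a date range, dates are inclusive. If -t option is not provided,
+a default range will be used: "2.weeks.ago:"
+
+-s SRC_IP
+Find all records where the source ip matches the provided ip.
+You may optionally provide a port: SRC_IP:SRC_PORT. This will
+find all records where the source ip and source port match the
+provided ip and port.
+
+EXAMPLES
+Finds all records where source ip or destination ip are equal to
+"128.1.1.1"
+
+$ by2 -i 128.1.1.1
+
+Finds all records where source ip and port or destination ip and port a
+equal to "128.1.1.1:80"
+
+$ by2 -i 128.1.1.1:80
+
+Finds all records where timestamp is equal to 2014-02-01
+
+$ by2 -d 2014-02-01
+
+Finds all records where source ip is equal to 128.1.1.1 and the time-
+stamp is greater than or equal to 2014-02-01
+
+$ by2 -s 128.1.1.1 -d 2014-02-01:
+
+Finds all records where source ip is equal to 128.1.1.1 and the time-
+stamp is between (inclusive) 2014-02-01 and 2014-02-01
+
+$ by2 -s 128.1.1.1 -d 2014-02-01:2014-01-01
+
+Finds all records with ips/ports matching the dump string:
+
+$ by2 -m "128.1.1.1:80 -> 128.0.0.1:443"
+
+
+
+May 2014 BY2(1)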