by2 1.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- data/.gitignore +20 -0
- data/Gemfile +4 -0
- data/LICENSE.txt +22 -0
- data/README.md +50 -0
- data/Rakefile +98 -0
- data/bin/by2 +16 -0
- data/by2.gemspec +32 -0
- data/config/database.yml.example +11 -0
- data/config/setup.sql +9 -0
- data/db/migrate/20140205014806_init_db.rb +147 -0
- data/db/schema.rb +160 -0
- data/lib/by2.rb +69 -0
- data/lib/by2/client.rb +109 -0
- data/lib/by2/config_loader.rb +34 -0
- data/lib/by2/ext/active_record.rb +105 -0
- data/lib/by2/models.rb +10 -0
- data/lib/by2/models/event.rb +50 -0
- data/lib/by2/models/icmphdr.rb +10 -0
- data/lib/by2/models/iphdr.rb +38 -0
- data/lib/by2/models/payload.rb +16 -0
- data/lib/by2/models/tcphdr.rb +30 -0
- data/lib/by2/models/udphdr.rb +30 -0
- data/lib/by2/options.rb +77 -0
- data/lib/by2/utils.rb +22 -0
- data/lib/by2/version.rb +3 -0
- data/man/by2.1 +105 -0
- data/man/by2.1.ronn +98 -0
- data/man/by2.1.txt +107 -0
- data/spec/by2/client_spec.rb +157 -0
- data/spec/by2/models/event_spec.rb +14 -0
- data/spec/by2/options_spec.rb +107 -0
- data/spec/by2/utils_spec.rb +19 -0
- data/spec/fixtures/data.yml +19 -0
- data/spec/fixtures/event.yml +36 -0
- data/spec/fixtures/icmphdr.yml +7 -0
- data/spec/fixtures/iphdr.yml +108 -0
- data/spec/fixtures/tcphdr.yml +55 -0
- data/spec/fixtures/udphdr.yml +7 -0
- data/spec/spec_helper.rb +55 -0
- metadata +235 -0
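--- /dev/null
+++ b/data/lib/by2/models/tcphdr.rb
@@ -0,0 +1,30 @@
+module By2
+module Models
+class Tcphdr < ActiveRecord::Base
+self.table_name = 'tcphdr'
+self.primary_keys = :sid, :cid
+
+belongs_to :event, :foreign_key => [:sid, :cid]
+
+def self.src_or_dst_port(port)
+where("tcphdr.tcp_sport = ? or tcphdr.tcp_dport = ?", port, port)
+end
+
+def self.src_port(port)
+where("tcphdr.tcp_sport = ?", port)
+end
+
+def self.dst_port(port)
+where("tcphdr.tcp_dport = ?", port)
+end
+
+def dport
+tcp_dport
+end
+
+def sport
+tcp_sport
+end
+end
+end
+end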
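Review bot: `src_or_dst_port` binds `port` twice through positional `?` placeholders; a named placeholder reads better and cannot drift apart if the clause is later edited: `where("tcphdr.tcp_sport = :port or tcphdr.tcp_dport = :port", port: port)`. The same shape appears in `Udphdr.src_or_dst_port` in the next hunk. All three scopes bind `port` exactly as received — presumably a String split out of the `-i`/`-s`/`-d` values in Options, though the call site is not in this diff — so a non-numeric value is only rejected (or implicitly cast) by the database; coercing at the scope boundary, `port = Integer(port)`, fails early with a clear ArgumentError instead. None of the scopes or the `dport`/`sport` readers carries a comment; a one-liner per scope such as `# Relation of TCP headers whose source or destination port equals +port+` would help a reader unfamiliar with the barnyard2 column names.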
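--- /dev/null
+++ b/data/lib/by2/models/udphdr.rb
@@ -0,0 +1,30 @@
+module By2
+module Models
+class Udphdr < ActiveRecord::Base
+self.table_name = 'udphdr'
+self.primary_keys = :sid, :cid
+
+belongs_to :event, :foreign_key => [:sid, :cid]
+
+def self.src_or_dst_port(port)
+where("udphdr.udp_sport = ? or udphdr.udp_dport = ?", port, port)
+end
+
+def self.src_port(port)
+where("udphdr.udp_sport = ?", port)
+end
+
+def self.dst_port(port)
+where("udphdr.udp_dport = ?", port)
+end
+
+def dport
+udp_dport
+end
+
+def sport
+udp_sport
+end
+end
+end
+end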
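--- /dev/null
+++ b/data/lib/by2/options.rb
@@ -0,0 +1,77 @@
+module By2
+class Options
+OptionsError = Class.new(RuntimeError)
+
+def self.parse(argv)
+options = { start_date: 2.weeks.ago }
+req_options = {}
+
+opts = OptionParser.new do |x|
+x.banner = "Usage: by2 [options]"
+
+x.separator ""
+x.separator "Required options (at least one is required):"
+
+x.on("-i IP", String, "source or destination ip w/optional port") do |ip|
+req_options[:ip], req_options[:port] = ip.split(":")
+end
+
+x.on("-s SRC_IP", String, "source ip w/optional port") do |ip|
+req_options[:src_ip], req_options[:src_port] = ip.split(":")
+end
+
+x.on("-d DST_IP", String, "destination ip w/optional port") do |ip|
+req_options[:dst_ip], req_options[:dst_port] = ip.split(":")
+end
+
+x.on("-m DUMP_STR", String, "dump string: \"src_ip:src_port -> dst_ip:dst_port\"") do |ips|
+src_ip, dst_ip = ips.split("->")
+req_options[:src_ip], req_options[:src_port] = src_ip.strip.split(":")
+req_options[:dst_ip], req_options[:dst_port] = dst_ip.strip.split(":")
+end
+
+x.on("-t DATE", String, "date (yyyy-mm-dd)") do |date|
+if date.include?(":")
+req_options[:start_date], req_options[:end_date] = date.split(":")
+else
+req_options[:date] = date
+options.delete(:start_date)
+end
+end
+
+
+x.separator ""
+x.separator "Additional options:"
+
+x.on("-l LIMIT", Integer, "limit number of returned records") do |l|
+options[:limit] = l
+end
+
+x.on("-D", TrueClass, "debug flag") do
+options[:debug] = true
+end
+
+x.on("-C", TrueClass, "only print number of records found") do
+options[:count] = true
+end
+
+x.on("-h", "Show this message") do
+$stdout.puts(opts); exit
+end
+
+x.on("-H", "Show man page") do
+$stdout.puts(File.read("#{::By2.root}/man/by2.1.txt")); exit
+end
+end
+
+opts.parse!(argv)
+
+raise OptionsError if req_options.empty?
+
+options.merge(req_options)
+rescue OptionParser::ParseError, OptionsError => err
+raise OptionsError.new(opts) if err.is_a?(OptionsError)
+raise OptionsError.new(err)
+end
+end
+end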
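Review bot: The `-m DUMP_STR` handler (file lines 28–30) calls `dst_ip.strip` without checking that `ips.split("->")` produced two parts, so a value with no `->` raises NoMethodError on nil, which the `rescue OptionParser::ParseError, OptionsError` clause at the bottom of `parse` does not catch — the user gets a backtrace instead of the usage text. Raising a parse error inside the block keeps it on the handled path: `src_ip, dst_ip = ips.split("->", 2)` followed by `raise OptionParser::InvalidArgument, ips unless src_ip && dst_ip`. The `-i`/`-s`/`-d` handlers have a milder version of the same gap: an empty argument leaves `req_options[:ip]` set to nil, so the `req_options.empty?` guard passes and the nil travels on into the query. Separately, the EXAMPLES sections of the three man pages in this diff use `-d 2014-02-01` for date queries, while this file defines the date option as `-t` and `-d` as DST_IP; those examples should read `-t`.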
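--- /dev/null
+++ b/data/lib/by2/utils.rb
@@ -0,0 +1,22 @@
+require 'ipaddr'
+
+
+module By2
+module Utils
+def self.int32_to_ip(int32)
+IPAddr.new(int32, Socket::AF_INET).to_s
+end
+
+def self.ip_to_int32(ip)
+IPAddr.new(ip).to_i
+end
+
+def self.hex_to_ascii(hex)
+[hex].pack("H*")
+end
+
+def self.fdate(date)
+date.strftime("%Y-%m-%d")
+end
+end
+end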
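Review bot: `ip_to_int32` and `int32_to_ip` let IPAddr::InvalidAddressError (an ArgumentError subclass) propagate for malformed or out-of-range input, and nothing in this hunk or in `Options.parse` rescues that class; if the argument comes from the `-i`/`-s`/`-d` values (the call site is not in this diff), a bad address surfaces as a backtrace rather than a usage error, so either rescue it at the call site or document it with `# @raise [IPAddr::InvalidAddressError] when +ip+ is not a valid address`. `hex_to_ascii` returns the raw bytes of the packet payload as a binary-encoded (ASCII-8BIT) String, not printable ASCII; the name suggests otherwise, and a comment such as `# Decodes a hex string into its raw bytes (binary String); not sanitised for display — callers printing it must escape non-printable bytes.` would stop a caller from writing untrusted payload bytes straight to a terminal. None of the four helpers carries a doc comment; a one-line YARD `@param`/`@return` for each would do.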
data/lib/by2/version.rb
ADDED
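--- /dev/null
+++ b/data/man/by2.1
@@ -0,0 +1,105 @@
+.\" generated with Ronn/v0.7.3
+.\" http://github.com/rtomayko/ronn/tree/0.7.3
+.
+.TH "BY2" "1" "May 2014" "" ""
+.
+.SH "NAME"
+\fBby2\fR \- Client for Querying a Barnyard2 DB
+.
+.SH "SYNOPSIS"
+\fBby2 [\-CD] [\-i IP] [\-s SRC_IP] [\-d DST_IP] [\-l LIMIT] [\-t DATE] [\-m DUMP_STR]\fR
+.
+.SH "DESCRIPTION"
+\fBby2\fR is a simple command\-line tool for querying a barnyard2 database for packets that match the provided options\. By default, only records that have been create in the last 2 weeks will be returned\. See the below options for overriding this behaviour\.
+.
+.P
+Results are returned in the following format:
+.
+.IP "" 4
+.
+.nf
+
+\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-
+[Timestamp1] src_ip:src_port \-> dst_ip:dst_port
+
+PAYLOAD
+\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-
+[Timestamp2] src_ip:src_port \-> dst_ip:dst_port
+
+PAYLOAD
+\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-
+Record Count: <N>
+.
+.fi
+.
+.IP "" 0
+.
+.SH "OPTIONS"
+.
+.TP
+\fB\-C\fR
+Only print the number of records found\.
+.
+.TP
+\fB\-D\fR
+Print debugging information\.
+.
+.TP
+\fB\-d DST_IP\fR
+Find all records where the destination ip matches the provided ip\. You may optionally provide a port: DST_IP:DST_PORT\. This will find all records where the destination ip and destination port match the provided ip and port\.
+.
+.TP
+\fB\-i IP\fR
+Find all records where the source ip or the destination ip match the provided ip\. You may optionally provide a port: IP:PORT\. This will find all records where the source ip and source port or the destination ip and destination port match the provided ip and port\.
+.
+.TP
+\fB\-l LIMIT\fR
+Limits the number of records returned to be <= LIMIT\.
+.
+.TP
+\fB\-m DUMP_STR\fR
+Find all records that match the tokens in DUMP_STR\. DUMP_STR tokens are formatted like so "SRC_IP:SRC_PORT \-> DST_IP:DST_PORT"\.
+.
+.TP
+\fB\-t DATE\fR
+Find all records with a timestamp equal to DATE\. Expected format of DATE is yyyy\-mm\-dd\. You may pass in a range of dates by separating the start date from the end date with a ":" (START_DATE:END_DATE)\. You can also pass in START_DATE: with no end date to indicate that you want to find all records with a timestamp greater than or equal to START_DATE\. When matching on a date range, dates are inclusive\. If \-t option is not provided, a default range will be used: "2\.weeks\.ago:"
+.
+.TP
+\fB\-s SRC_IP\fR
+Find all records where the source ip matches the provided ip\. You may optionally provide a port: SRC_IP:SRC_PORT\. This will find all records where the source ip and source port match the provided ip and port\.
+.
+.SH "EXAMPLES"
+Finds all records where source ip or destination ip are equal to "128\.1\.1\.1"
+.
+.P
+$ by2 \-i 128\.1\.1\.1
+.
+.P
+Finds all records where source ip and port or destination ip and port a equal to "128\.1\.1\.1:80"
+.
+.P
+$ by2 \-i 128\.1\.1\.1:80
+.
+.P
+Finds all records where timestamp is equal to 2014\-02\-01
+.
+.P
+$ by2 \-d 2014\-02\-01
+.
+.P
+Finds all records where source ip is equal to 128\.1\.1\.1 and the timestamp is greater than or equal to 2014\-02\-01
+.
+.P
+$ by2 \-s 128\.1\.1\.1 \-d 2014\-02\-01:
+.
+.P
+Finds all records where source ip is equal to 128\.1\.1\.1 and the timestamp is between (inclusive) 2014\-02\-01 and 2014\-02\-01
+.
+.P
+$ by2 \-s 128\.1\.1\.1 \-d 2014\-02\-01:2014\-01\-01
+.
+.P
+Finds all records with ips/ports matching the dump string:
+.
+.P
+$ by2 \-m "128\.1\.1\.1:80 \-> 128\.0\.0\.1:443"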
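--- /dev/null
+++ b/data/man/by2.1.ronn
@@ -0,0 +1,98 @@
+by2(1) -- Client for Querying a Barnyard2 DB
+============================================
+
+## SYNOPSIS
+
+`by2 [-CD] [-i IP] [-s SRC_IP] [-d DST_IP] [-l LIMIT] [-t DATE] [-m DUMP_STR]`
+
+## DESCRIPTION
+
+**by2** is a simple command-line tool for querying a barnyard2 database for packets
+that match the provided options. By default, only records that have been create in
+the last 2 weeks will be returned. See the below options for overriding this behaviour.
+
+Results are returned in the following format:
+
+----------------------------------------------
+[Timestamp1] src_ip:src_port -> dst_ip:dst_port
+
+PAYLOAD
+----------------------------------------------
+[Timestamp2] src_ip:src_port -> dst_ip:dst_port
+
+PAYLOAD
+----------------------------------------------
+Record Count: <N>
+
+
+## OPTIONS
+
+* `-C`:
+Only print the number of records found.
+
+* `-D`:
+Print debugging information.
+
+* `-d DST_IP`:
+Find all records where the destination ip matches the provided ip. You may optionally
+provide a port: DST_IP:DST_PORT. This will find all records where the destination ip
+and destination port match the provided ip and port.
+
+* `-i IP`:
+Find all records where the source ip or the destination ip match the provided ip.
+You may optionally provide a port: IP:PORT. This will find all records where the
+source ip and source port or the destination ip and destination port match the
+provided ip and port.
+
+* `-l LIMIT`:
+Limits the number of records returned to be <= LIMIT.
+
+* `-m DUMP_STR`:
+Find all records that match the tokens in DUMP_STR. DUMP_STR tokens are formatted
+like so "SRC_IP:SRC_PORT -> DST_IP:DST_PORT".
+
+* `-t DATE`:
+Find all records with a timestamp equal to DATE. Expected format of DATE is
+yyyy-mm-dd. You may pass in a range of dates by separating the start date
+from the end date with a ":" (START_DATE:END_DATE). You can also pass in
+START_DATE: with no end date to indicate that you want to find all records
+with a timestamp greater than or equal to START_DATE. When matching on a date
+range, dates are inclusive. If -t option is not provided, a default range
+will be used: "2.weeks.ago:"
+
+
+* `-s SRC_IP`:
+Find all records where the source ip matches the provided ip. You may optionally
+provide a port: SRC_IP:SRC_PORT. This will find all records where the source ip
+and source port match the provided ip and port.
+
+## EXAMPLES
+
+Finds all records where source ip or destination ip are equal to "128.1.1.1"
+
+$ by2 -i 128.1.1.1
+
+Finds all records where source ip and port or destination ip and port a equal
+to "128.1.1.1:80"
+
+$ by2 -i 128.1.1.1:80
+
+Finds all records where timestamp is equal to 2014-02-01
+
+$ by2 -d 2014-02-01
+
+Finds all records where source ip is equal to 128.1.1.1 and the timestamp is
+greater than or equal to 2014-02-01
+
+$ by2 -s 128.1.1.1 -d 2014-02-01:
+
+Finds all records where source ip is equal to 128.1.1.1 and the timestamp is
+between (inclusive) 2014-02-01 and 2014-02-01
+
+$ by2 -s 128.1.1.1 -d 2014-02-01:2014-01-01
+
+
+Finds all records with ips/ports matching the dump string:
+
+$ by2 -m "128.1.1.1:80 -> 128.0.0.1:443"
+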
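--- /dev/null
+++ b/data/man/by2.1.txt
@@ -0,0 +1,107 @@
+BY2(1) BY2(1)
+
+
+
+NAME
+by2 - Client for Querying a Barnyard2 DB
+
+SYNOPSIS
+by2 [-CD] [-i IP] [-s SRC_IP] [-d DST_IP] [-l LIMIT] [-t DATE] [-m
+DUMP_STR]
+
+DESCRIPTION
+by2 is a simple command-line tool for querying a barnyard2 database for
+packets that match the provided options. By default, only records that
+have been create in the last 2 weeks will be returned. See the below
+options for overriding this behaviour.
+
+Results are returned in the following format:
+
+
+
+----------------------------------------------
+[Timestamp1] src_ip:src_port -> dst_ip:dst_port
+
+PAYLOAD
+----------------------------------------------
+[Timestamp2] src_ip:src_port -> dst_ip:dst_port
+
+PAYLOAD
+----------------------------------------------
+Record Count: <N>
+
+
+
+OPTIONS
+-C Only print the number of records found.
+
+-D Print debugging information.
+
+-d DST_IP
+Find all records where the destination ip matches the provided
+ip. You may optionally provide a port: DST_IP:DST_PORT. This
+will find all records where the destination ip and destination
+port match the provided ip and port.
+
+-i IP Find all records where the source ip or the destination ip match
+the provided ip. You may optionally provide a port: IP:PORT.
+This will find all records where the source ip and source port
+or the destination ip and destination port match the provided ip
+and port.
+
+-l LIMIT
+Limits the number of records returned to be <= LIMIT.
+
+-m DUMP_STR
+Find all records that match the tokens in DUMP_STR. DUMP_STR
+tokens are formatted like so "SRC_IP:SRC_PORT ->
+DST_IP:DST_PORT".
+
+-t DATE
+Find all records with a timestamp equal to DATE. Expected format
+of DATE is yyyy-mm-dd. You may pass in a range of dates by sepa-
+rating the start date from the end date with a ":"
+(START_DATE:END_DATE). You can also pass in START_DATE: with no
+end date to indicate that you want to find all records with a
+timestamp greater than or equal to START_DATE. When matching on
+a date range, dates are inclusive. If -t option is not provided,
+a default range will be used: "2.weeks.ago:"
+
+-s SRC_IP
+Find all records where the source ip matches the provided ip.
+You may optionally provide a port: SRC_IP:SRC_PORT. This will
+find all records where the source ip and source port match the
+provided ip and port.
+
+EXAMPLES
+Finds all records where source ip or destination ip are equal to
+"128.1.1.1"
+
+$ by2 -i 128.1.1.1
+
+Finds all records where source ip and port or destination ip and port a
+equal to "128.1.1.1:80"
+
+$ by2 -i 128.1.1.1:80
+
+Finds all records where timestamp is equal to 2014-02-01
+
+$ by2 -d 2014-02-01
+
+Finds all records where source ip is equal to 128.1.1.1 and the time-
+stamp is greater than or equal to 2014-02-01
+
+$ by2 -s 128.1.1.1 -d 2014-02-01:
+
+Finds all records where source ip is equal to 128.1.1.1 and the time-
+stamp is between (inclusive) 2014-02-01 and 2014-02-01
+
+$ by2 -s 128.1.1.1 -d 2014-02-01:2014-01-01
+
+Finds all records with ips/ports matching the dump string:
+
+$ by2 -m "128.1.1.1:80 -> 128.0.0.1:443"
+
+
+
+May 2014 BY2(1)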