8/10/2019 Bro Cheat Sheets
app_stats.log   Usage of popular web apps

  Field       Type      Description
  ts          time      Measurement timestamp
  ts_delta    interval  Time difference from previous measurement
  app         string    Name of application (YouTube, Netflix, etc.)
  uniq_hosts  count     Number of unique hosts that used app
  hits        count     Number of visits to app
  bytes       count     Total bytes transferred to/from app

capture_loss.log   Estimate of packet loss

  Field         Type      Description
  ts            time      Measurement timestamp
  ts_delta      interval  Time difference from previous measurement
  peer          string    Name of the Bro instance reporting loss
  gaps          count     ACKs seen without seeing data being ACKed
  acks          count     Total number of TCP ACKs
  percent_loss  string    gaps/acks, as a percentage. Estimate of loss.

dns.log   DNS query/response details

  Field        Type    Description
  ts           time    Timestamp of the DNS request
  uid          string  Unique id of the connection
  id           record  ID record with orig/resp host/port. See conn.log
  proto        proto   Protocol of DNS transaction: TCP or UDP
  trans_id     count   16 bit identifier assigned by DNS client; responses match
  query        string  Domain name subject of the query
  qclass       count   Value specifying the query class
  qclass_name  string  Descriptive name of the query class (e.g. C_INTERNET)
  qtype        count   Value specifying the query type
  qtype_name   string  Name of the query type (e.g. A, AAAA, PTR)
  rcode        count   Response code value in the DNS response
  rcode_name   string  Descriptive name of the response code (e.g. NOERROR, NXDOMAIN)
  QR           bool    Was this a query or a response? T = response, F = query
  AA           bool    Authoritative Answer. T = server is authoritative for query
  TC           bool    Truncation. T = message was truncated
  RD           bool    Recursion Desired. T = request recursive lookup of query
  RA           bool    Recursion Available. T = server supports recursive queries
  Z            count   Reserved field, should be zero in all queries/responses
  answers      vector  List of resource descriptions in answer to the query
  TTLs         vector  Caching intervals of the answers
  rejected     bool    Whether the DNS query was rejected by the server

dhcp.log   DHCP lease activity

  Field        Type      Description
  ts           time      Timestamp of request
  uid          string    Connection unique id
  id           record    ID record with orig/resp host/port. See conn.log
  mac          string    Client's hardware address
  assigned_ip  addr      Client's actual assigned IP address
  lease_time   interval  IP address lease time
  trans_id     count     Identifier assigned by the client; responses match

conn.log

  Field           Type             Description
  ts              time             Timestamp
  uid             string           Unique ID of connection
  id.orig_h       addr             Originating endpoint's IP address (AKA ORIG)
  id.orig_p       port             Originating endpoint's TCP/UDP port (or ICMP code)
  id.resp_h       addr             Responding endpoint's IP address (AKA RESP)
  id.resp_p       port             Responding endpoint's TCP/UDP port (or ICMP code)
  proto           transport_proto  Transport layer protocol of connection
  service         string           Dynamically detected application protocol, if any
  duration        interval         Time of last packet seen - time of first packet seen
  orig_bytes      count            Originator payload bytes; from sequence numbers if TCP
  resp_bytes      count            Responder payload bytes; from sequence numbers if TCP
  conn_state      string           Connection state (see conn.log:conn_state table)
  local_orig      bool             If conn originated locally T; if remotely F. If Site::local_nets empty, always unset.
  missed_bytes    count            Number of missing bytes in content gaps
  history         string           Connection state history (see conn.log:history table)
  orig_pkts       count            Number of ORIG packets
  orig_ip_bytes   count            Number of ORIG IP bytes (via IP total_length header field)
  resp_pkts       count            Number of RESP packets
  resp_ip_bytes   count            Number of RESP IP bytes (via IP total_length header field)
  tunnel_parents  set              If tunneled, connection UID of encapsulating parent(s)
  orig_cc         string           ORIG GeoIP Country Code
  resp_cc         string           RESP GeoIP Country Code
conn.log: conn_state

  S0      Connection attempt seen, no reply
  S1      Connection established, not terminated (0 byte counts)
  SF      Normal establish & termination (>0 byte counts)
  REJ     Connection attempt rejected
  S2      Established, ORIG attempts close, no reply from RESP.
  S3      Established, RESP attempts close, no reply from ORIG.
  RSTO    Established, ORIG aborted (RST)
  RSTR    Established, RESP aborted (RST)
  RSTOS0  ORIG sent SYN then RST; no RESP SYN-ACK
  RSTRH   RESP sent SYN-ACK then RST; no ORIG SYN
  SH      ORIG sent SYN then FIN; no RESP SYN-ACK ("half-open")
  SHR     RESP sent SYN-ACK then FIN; no ORIG SYN
  OTH     No SYN, not closed. Midstream traffic. Partial connection.
conn.log: history   Orig UPPERCASE, Resp lowercase, uniq-ed

  Letter  Meaning
  S       a SYN without the ACK bit set
  H       a SYN-ACK ("handshake")
  A       a pure ACK
  D       packet with payload ("data")
  F       packet with FIN bit set
  R       packet with RST bit set
  C       packet with a bad checksum
  I       Inconsistent packet (Both SYN & RST)
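The two tables above can be applied mechanically when triaging conn.log. The following Python is an added example (not from the Critical Stack sheet): it decodes a history string by side and approximates a conn_state code from the flags, using only the rules in these tables rather than Bro's real state machine, which is an assumption to keep in mind for edge cases.

```python
"""Decode conn.log 'history' strings and approximate conn_state from them.

Added example: the mapping is derived from the cheat sheet's conn_state and
history tables, not from Bro's own state machine (an assumption), so it is
an approximation for triage, not a reimplementation.
"""

# Meaning of each history letter; ORIG uses UPPERCASE, RESP uses lowercase.
HISTORY_LETTERS = {
    "S": "SYN without the ACK bit set",
    "H": 'SYN-ACK ("handshake")',
    "A": "pure ACK",
    "D": "packet with payload (data)",
    "F": "packet with FIN bit set",
    "R": "packet with RST bit set",
    "C": "packet with a bad checksum",
    "I": "inconsistent packet (both SYN & RST)",
}


def decode_history(history):
    """Return [(side, meaning), ...], one entry per history letter.

    Letters the table does not list (newer Bro/Zeek versions add more) are
    reported as unknown rather than raising.
    """
    events = []
    for ch in history:
        side = "orig" if ch.isupper() else "resp"
        events.append((side, HISTORY_LETTERS.get(ch.upper(), "unknown flag " + ch)))
    return events


def infer_conn_state(history):
    """Approximate the conn_state code from the flags in a history string.

    Byte counts are not consulted, so the table's S1/SF '0 vs >0 bytes'
    remark is not modelled: S1 is returned only when no FIN was seen.
    """
    orig = {ch for ch in history if ch.isupper()}
    resp = {ch.upper() for ch in history if ch.islower()}
    syn, synack = "S" in orig, "H" in resp

    if not syn and not synack:
        return "OTH"        # no SYN: midstream traffic, partial connection
    if syn and not synack:  # ORIG tried, RESP never completed the handshake
        if "R" in resp:
            return "REJ"    # connection attempt rejected
        if "R" in orig:
            return "RSTOS0" # ORIG sent SYN then RST
        if "F" in orig:
            return "SH"     # ORIG sent SYN then FIN ("half-open")
        return "S0"         # connection attempt seen, no reply
    if synack and not syn:  # RESP side seen without the ORIG SYN
        if "R" in resp:
            return "RSTRH"
        if "F" in resp:
            return "SHR"
        return "OTH"        # no code in the table for this case
    # Both SYN and SYN-ACK seen: the connection was established.
    if "R" in orig:
        return "RSTO"       # ORIG aborted
    if "R" in resp:
        return "RSTR"       # RESP aborted
    fin_orig, fin_resp = "F" in orig, "F" in resp
    if fin_orig and fin_resp:
        return "SF"         # normal establishment and termination
    if fin_orig:
        return "S2"         # ORIG attempted close, no reply from RESP
    if fin_resp:
        return "S3"         # RESP attempted close, no reply from ORIG
    return "S1"             # established, not terminated


def count_states(histories):
    """Tally inferred states over many connections, e.g. to see how many
    S0/REJ attempts a single originator produced when triaging conn.log."""
    tally = {}
    for hist in histories:
        state = infer_conn_state(hist)
        tally[state] = tally.get(state, 0) + 1
    return tally


if __name__ == "__main__":
    for hist in ("ShADadFf", "S", "Sr", "ShAR", "SF", "Dd"):
        print(hist, "->", infer_conn_state(hist), decode_history(hist))
```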
2014 Critical Stack LLC. All rights reserved. Version: 2
dnp3.log   Distributed Network Protocol (industrial control)

  Field       Type    Description
  ts          time    Timestamp
  uid         string  Connection unique id
  id          record  ID record with orig/resp host/port. See conn.log
  fc_request  string  The name of the request function message
  fc_reply    string  The name of the reply function message
  iin         count   Response's internal indication number
files.log

  Field            Type      Description
  ts               time      Timestamp when file was first seen
  fuid             string    Identifier for a single file
  tx_hosts         set       If transferred via network, host(s) that sourced the data
  rx_hosts         set       If transferred via network, host(s) that received the data
  conn_uids        set       Connection UID(s) over which the file was transferred
  source           string    An identification of the source of the file data
  depth            count     Depth of file related to source; e.g. SMTP MIME attachment depth, HTTP depth of the request
  analyzers        set       Set of analysis types done during file analysis
  mime_type        string    Libmagic sniffed file type
  filename         string    If available, filename from source; frequently the Content-Disposition headers in network protocols
  duration         interval  The duration the file was analyzed for
  local_orig       bool      If transferred via network, did data originate locally?
  is_orig          bool      If transferred via network, was file sent by the originator?
  seen_bytes       count     Number of bytes provided to file analysis engine
  total_bytes      count     Total number of bytes that should comprise the file
  missing_bytes    count     Number of bytes in the file stream missed; e.g. dropped packets
  overflow_bytes   count     Number of not all-in-sequence bytes in the file stream delivered to file analyzers due to reassembly buffer overflow
  timedout         bool      If the file analysis timed out at least once per file
  parent_fuid      string    ID associated with a container file from which this one was extracted as a part of the analysis
  md5/sha1/sha256  string    MD5/SHA1/SHA256 hash of file, if enabled
  extracted        string    Local filename of extracted files, if enabled

ftp.log   FTP request/reply details

  Field         Type    Description
  ts            time    Command timestamp
  uid           string  Connection unique id
  id            record  ID record with orig/resp host/port. See conn.log
  user          string  Username for current FTP session
  password      string  Password for current FTP session
  command       string  Command issued by the client
  arg           string  Command argument if present
  mime_type     string  Libmagic sniffed file type if there's a file transfer
  file_size     count   Size of transferred file
  reply_code    count   Reply code from server in response to the command
  reply_msg     string  Reply message from server in response to the command
  data_channel  record  Information about the data channel (orig, resp, is passive)
  fuid          string  File unique ID
http.log

  Field              Type    Description
  ts                 time    Timestamp of request
  uid                string  Connection unique id
  id                 record  ID record with orig/resp host/port. See conn.log
  trans_depth        count   Pipelined depth into the connection
  method             string  HTTP request verb: GET, POST, HEAD, etc.
  host               string  Value of the HOST header
  uri                string  URI used in the request
  referrer           string  Value of the referer header
  user_agent         string  Value of the User-Agent header
  request_body_len   count   Actual uncompressed content size of the data transferred from the client
  response_body_len  count   Actual uncompressed content size of the data transferred from the server
  status_code        count   Status code returned by the server
  status_msg         string  Status message returned by the server
  info_code          count   Last seen 1xx info reply code by server
  info_msg           string  Last seen 1xx info reply message by server
  filename           string  Via the Content-Disposition server header
  tags               set     Indicators of various attributes discovered
  username           string  If basic-auth is performed for the request
  password           string  If basic-auth is performed for the request
  proxied            set     Headers that might indicate a proxied request
  orig_fuids         vector  An ordered vector of file unique IDs from orig
  orig_mime_types    vector  An ordered vector of mime types from orig
  resp_fuids         vector  An ordered vector of file unique IDs from resp
  resp_mime_types    vector  An ordered vector of mime types from resp
intel.log

  Field                Type    Description
  ts                   time    Timestamp of hit
  uid                  string  Connection unique id
  id                   record  ID record with orig/resp host/port. See conn.log
  fuid                 string  The UID for a file associated with this hit, if any
  file_mime_type       string  A mime type if the hit is related to a file
  file_desc            string  Additional context for file, if available
  seen.indicator       string  The intelligence indicator
  seen.indicator_type  string  The type of data the indicator represents
  seen.where           string  Where the data was discovered
  sources              set     Sources which supplied data for this match
irc.log   IRC communication details

  Field          Type    Description
  ts             time    Timestamp
  uid            string  Unique id
  id             record  ID record with orig/resp host/port. See conn.log
  nick           string  Nickname given for this connection
  user           string  Username given for this connection
  command        string  Command given by the client
  value          string  Value for the command given by the client
  addl           string  Any additional data for the command
  dcc_file_name  string  DCC filename requested
  dcc_file_size  count   Size of the DCC transfer as indicated by the sender
  dcc_mime_type  string  Sniffed mime type of the file
  fuid           string  File unique ID
known_certs.log   Observed local certs; logged once/day

  Field           Type    Description
  ts              time    Measurement timestamp
  host            addr    Address that offered the certificate
  port_num        port    If server, port that server listening on
  subject         string  Certificate subject
  issuer_subject  string  Certificate issuer subject
  serial          string  Serial number for the certificate
known_services.log   Observed local services; logged once/day

  Field       Type             Description
  ts          time             Timestamp
  host        addr             Host address on which the service is running
  port_num    port             Port number on which the service is running
  port_proto  transport_proto  Transport-layer protocol service uses
  service     set              Set of protocol(s) that match the service's connection payloads

modbus.log

  Field      Type    Description
  ts         time    Timestamp of request
  uid        string  Connection unique id
  id         record  ID record with orig/resp host/port. See conn.log
  func       string  Function message that was sent
  exception  string  Exception if there was a failure

notice.log

  Field           Type             Description
  ts              time             Timestamp
  uid             string           Connection unique id
  id              record           ID record with orig/resp host/port. See conn.log
  fuid            string           File unique identifier
  file_mime_type  string           Libmagic sniffed file type
  file_desc       string           Additional context for file, if available
  proto           transport_proto  Transport protocol
  note            string           The type of the notice
  msg             string           Human readable message for the notice
  sub             string           Sub-message for the notice
  src             addr             Source address
  dst             addr             Destination address
  p               port             Associated port, if any
  n               count            Associated count or status code
  peer_descr      string           Description for peer that raised this notice
  actions         set              Actions applied to this notice
  suppress_for    interval         Length of time dupes should be suppressed
  dropped         bool             If the src IP was blocked
known_hosts.log   Observed local active IPs; logged once/day

  Field  Type  Description
  ts     time  Timestamp first seen
  host   addr  IP address of host
radius.log   Radius authentication details

  Field         Type     Description
  ts            time     Timestamp of the detection
  uid           string   Unique ID for the connection
  id            conn_id  ID record with orig/resp host/port. See conn.log
  username      string   The username, if present
  mac           string   MAC address, if present
  remote_ip     addr     Remote IP address, if present
  connect_info  string   Connect info, if present
  result        string   Successful or failed authentication
  logged        bool     Whether this has already been logged (ignored)
reporter.log   Bro internal errors and warnings

  Field     Type    Description
  ts        time    Message timestamp
  level     string  Message severity (Info, warning, error, etc.)
  message   string  Message text
  location  string  The script location where the event occurred, if available
smtp.log   SMTP transactions

  Field             Type    Description
  ts                time    Timestamp when the message was first seen
  uid               string  Connection unique id
  id                record  ID record with orig/resp host/port. See conn.log
  trans_depth       count   Depth of message transaction if multiple messages transferred
  helo              string  Contents of the HELO header
  mailfrom          string  Contents of the MAIL FROM header
  rcptto            set     Contents of the RCPT TO header
  date              string  Contents of the DATE header
  from              string  Contents of the FROM header
  to                set     Contents of the TO header
  reply_to          string  Contents of the ReplyTo header
  msg_id            string  Contents of the MsgID header
  in_reply_to       string  Contents of the In-Reply-To header
  subject           string  Contents of the Subject header
  x_originating_ip  addr    Contents of the X-Originating-IP header
  first_received    string  Contents of the first Received header
  second_received   string  Contents of the second Received header
  last_reply        string  Last message that the server sent to the client
  path              vector  Message transmission path, extracted from the headers
  user_agent        string  Value of the User-Agent header from the client
  tls               bool    Connection has switched to using TLS
  fuids             vector  File unique IDs seen attached to this message
  is_webmail        bool    Indicates if the message was sent through a webmail interface
signatures.log   Matches from the signatures framework

  Field       Type    Description
  ts          time    Timestamp of match
  src_addr    addr    Host triggering the signature match event
  src_port    port    Host port on which the match occurred
  dst_addr    addr    Host which was sent the matching payload
  dst_port    port    Port which was sent the matching payload
  note        string  Notice associated with the signature event
  sig_id      string  Name of the signature that matched
  event_msg   string  More descriptive message of the event
  sub_msg     string  Extracted payload data or extra message
  sig_count   count   Number of sigs
  host_count  count   Number of hosts
snmp.log

  Field              Type      Description
  ts                 time      Timestamp tunnel was detected
  uid                string    Connection unique id
  id                 conn_id   ID record with orig/resp host/port. See conn.log
  duration           interval  Amount of time between first/latest packet in session
  version            string    The version of SNMP being used
  community          string    Community string of the first SNMP packet associated w/ session; v1 & v2c only
  get_requests       count     Number of variable bindings in GetRequest/Next PDUs
  get_bulk_requests  count     Number of variable bindings in GetBulkRequest PDUs
  get_responses      count     Number of variable bindings in GetResponse/Response PDUs
  set_requests       count     Number of variable bindings in SetRequest PDUs
  display_string     string    System description of the SNMP responder endpoint
  up_since           time      Time the SNMP responder claims it has been up since

ssl.log   SSL handshakes (v2.2 only; v2.3 x509.log)

  Field                Type    Description
  ts                   time    Timestamp when the SSL connection was detected
  uid                  string  Connection unique id
  id                   record  ID record with orig/resp host/port. See conn.log
  version              string  SSL version that the server offered
  cipher               string  SSL cipher suite that the server chose
  server_name          string  Value of the Server Name Indicator SSL extension
  session_id           string  Session ID offered by the client for session resumption
  subject              string  Subject of the X.509 cert offered by the server
  issuer_subject       string  Signer Subject of the cert offered by the server
  not_valid_before     time    NotValidBefore field value from the server cert
  not_valid_after      time    NotValidAfter field value from the server cert
  last_alert           string  Last alert that was seen during the connection
  client_subject       string  Subject of the X.509 cert offered by the client
  clnt_issuer_subject  string  Subject of the signer of the cert offered by the client
  cert_hash            string  MD5 hash of the raw server certificate
  validation_status    vector  Certificate validation for this connection
software.log   Software identified by the software framework

  Field             Type    Description
  ts                time    Timestamp of the detection
  host              addr    IP address running the software
  host_p            port    Port on which the software is running (for servers)
  software_type     string  Type of software (e.g. HTTP::SERVER)
  name              string  Name of the software
  version.major     count   Major version number of the software
  version.minor     count   Minor version number of the software
  version.minor2    count   Minor subversion number of the software
  version.minor3    count   Minor update number of the software
  version.addl      string  Additional version string (e.g. beta42)
  unparsed_version  string  The full, unparsed version of the software

ssh.log   SSH handshakes

  Field      Type    Description
  ts         time    Timestamp when the SSH connection was detected
  uid        string  Connection unique ID
  id         record  ID record with orig/resp host/port. See conn.log
  status     string  If the login was heuristically guessed to be a success or a failure.
  direction  string  Outbound or inbound connection
  client     string  Software string from the client
  server     string  Software string from the server
  resp_size  count   Amount of data returned by the server
socks.log   SOCKS proxy requests

  Field         Type    Description
  ts            time    Timestamp of request
  uid           string  Connection unique id
  id            record  ID record with orig/resp host/port. See conn.log
  version       count   Protocol version of SOCKS
  user          string  Username for proxy, if available
  status        string  Server status for the attempt using proxy
  request.host  addr    Client requested address
  request.name  string  Client requested name
  request_p     port    Client requested port
  bound.host    addr    Server bound address
  bound.name    string  Server bound name
  bound_p       port    Server bound port

syslog.log   Syslog messages

  Field     Type             Description
  ts        time             Timestamp when the message was seen
  uid       string           Connection unique id
  id        record           ID record with orig/resp host/port. See conn.log
  proto     transport_proto  Protocol over which message was seen. Only UDP is currently supported.
  facility  string           Syslog facility for the message
  severity  string           Syslog severity for the message
  message   string           The plain text syslog message

stderr / stdout   Error output logging: LogAscii::output_to_stdout = F &redef
traceroute.log

  Field  Type    Description
  ts     time    Timestamp traceroute was detected
  src    addr    Address initiating the traceroute
  dst    addr    Destination address of the traceroute
  proto  string  Protocol used for the traceroute

tunnel.log

  Field        Type    Description
  ts           time    Timestamp tunnel was detected
  uid          string  Connection unique id
  id           record  ID record with orig/resp host/port. See conn.log
  tunnel_type  string  The type of tunnel (e.g. Teredo, IP)
  action       string  The activity that occurred (discovered, closed)
x509.log   x509 Certificate Analyzer Output

  Field                 Type        Description
  ts                    time        Timestamp of the detection
  id                    string      File id of this certificate
  certificate           record      Certificate details
    .version            count       Version number
    .serial             string      Serial number
    .issuer             string      Certificate issuer
    .not_valid_before   time        Timestamp before when certificate is not valid
    .not_valid_after    time        Timestamp after when certificate is not valid
    .key_alg            string      Name of the key algorithm
    .sig_alg            string      Name of the signature algorithm
    .key_type           string      Key type, if key parseable by openssl (rsa, dsa or ec)
    .key_length         count       Key length in bits
    .exponent           string      Exponent, if RSA-certificate
    .curve              string      Curve, if EC-certificate
  san                   record      Subject Alternative Name
    .dns                string_vec  List of DNS entries in the SAN
    .uri                string_vec  List of URI entries in the SAN
    .email              string_vec  List of email entries in the SAN
    .ip                 addr_vec    List of IP entries in the SAN
    .other_fields       bool        True if certificate contained other, unrecognized fields
  basicconstraints      record      Basic constraints extension of the certificate
    .ca                 bool        CA flag set?
    .path_len           count       Maximum path length
  logcert               bool        T (present if policy/protocols/ssl/log-hostcerts-only.bro)
weird.log   Anomalies and protocol violations

  Field   Type    Description
  ts      time    Timestamp of message
  uid     string  Connection unique id
  id      record  ID record with orig/resp host/port. See conn.log
  name    string  The name of the weird that occurred
  addl    string  Additional information accompanying the weird, if any
  notice  bool    Indicate if this weird was also turned into a notice
  peer    string  The peer that generated this weird
Index

  Log              Description
  capture_loss     Estimate of packet loss
  cluster          Diagnostics for cluster operation
  communication    Diagnostics for inter-process communications
  dhcp             DHCP lease activity
  dnp3             Distributed Network Protocol (industrial control)
  dpd              Diagnostics for dynamic protocol detection
  known_certs      Observed local SSL certs. Each is logged once/day
  known_devices    Observed local devices. Each is logged once/day
  known_hosts      Observed local active IPs. Each is logged once/day
  known_services   Observed local services. Each is logged once/day
  loaded_scripts   A list of scripts that were loaded at startup
  packet_filter    Any filters to limit the traffic being analyzed
  radius           Radius authentication details
  reporter         Internal errors and warnings
  signatures       Matches from the signatures framework
  socks            SOCKS proxy requests
  software         Software identified by the software framework
  ssh              SSH handshakes
  ssl              SSL handshakes (v2.2 only; v2.3 x509.log)
  stats            Diagnostics such as mem usage, packets seen, etc.
  stderr / stdout  Output logging
  x509             x509 Certificate Analyzer Output
  weird            Anomalies and protocol violations
Bro one-liners

  bro -C -r file.pcap local extract-all-files.bro "Site::local_nets += {10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16}"
  Hey bro, ignore checksums and then read in file.pcap using the current local.bro and also load extract-all-files.bro, ADDING the following subnets to your list of local_nets. (The assignment is one shell argument, so it is quoted.)

  less conn.log | bro-cut -d | awk '{split($0, a, "\t"); if (a[5] == "10.2.2.2") print $0}'
  First print out the conn.log and send the output to bro-cut; bro-cut replaces the unix epoch time column with a human readable date (-d) and sends the output to awk; awk chops up that string at each tab and puts each column into an array a; if the fifth element, a[5], is 10.2.2.2 please print the whole log line.

  bro -C -r http-partial-content-transfer.pcap policy/misc/dump-events.bro "PacketFilter::default_capture_filter=host 54.230.103.187" >> dump-events-host.log
  Hey bro, read in this pcap and also load dump-events.bro, running with a BPF so you only look at traffic with this host, and then append the output into this file.

  cat conn.log | bro-cut id.orig_h id.resp_h orig_bytes resp_bytes missed_bytes | awk '$5 > 10000'
  Let's look for connections with high packet loss.
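The awk one-liners above select columns by position (a[5] is id.resp_h in the default conn.log column order), which silently breaks when a log's column order differs. As an added example, not part of the Critical Stack sheet, this Python reads a Bro ASCII log through its #fields/#types headers and reproduces the bro-cut -d, awk filter and sort | uniq -c | sort -n steps by field name; the sample conn.log is constructed, and times are rendered in UTC.

```python
"""Name-based reader for Bro ASCII logs, doing what the bro-cut/awk
one-liners do but selecting columns by #fields name.

Added example, not from the Critical Stack sheet. The sample log below is
constructed; in the default conn.log column order awk's a[5] is id.resp_h.
"""
from collections import Counter
from datetime import datetime, timezone

# Constructed conn.log excerpt in Bro's ASCII format (tab separated, # headers).
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n#empty_field\t(empty)\n#unset_field\t-\n#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\tmissed_bytes\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval"
    "\tcount\tcount\tstring\tcount\n"
    "1407700000.123456\tC1\t10.1.1.9\t51000\t93.184.216.34\t80\ttcp\thttp"
    "\t1.5\t420\t9876\tSF\t0\n"
    "1407700001.000000\tC2\t10.1.1.9\t51001\t10.2.2.2\t22\ttcp\t-"
    "\t-\t-\t-\tS0\t0\n"
    "1407700002.500000\tC3\t10.3.3.3\t51002\t93.184.216.34\t443\ttcp\tssl"
    "\t30.2\t12000\t880000\tSF\t45000\n"
    "#close\t2014-08-10-20-00-00\n"
)

# Bro scalar types that should become numbers; everything else stays a string.
NUMERIC = {"count": int, "int": int, "port": int,
           "double": float, "interval": float, "time": float}


def parse_bro_log(text):
    """Return (types_by_field, records); the unset marker '-' becomes None."""
    sep, fields, types, records = "\t", [], [], []
    for line in text.splitlines():
        if line.startswith("#separator "):
            # The header spells the separator as an escape sequence, e.g. \x09.
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#fields"):
            fields = line.split(sep)[1:]
        elif line.startswith("#types"):
            types = line.split(sep)[1:]
        elif line and not line.startswith("#"):
            rec = {}
            for name, typ, raw in zip(fields, types, line.split(sep)):
                rec[name] = None if raw == "-" else NUMERIC.get(typ, str)(raw)
            records.append(rec)
    return dict(zip(fields, types)), records


def bro_cut(log, names, human_time=False):
    """Like 'bro-cut [-d] <names>': rows of the chosen columns; time fields
    are rendered in UTC here (bro-cut -d uses local time, -u uses UTC)."""
    types, records = log
    rows = []
    for rec in records:
        row = []
        for name in names:
            val = rec[name]
            if human_time and types[name] == "time" and val is not None:
                val = datetime.fromtimestamp(val, tz=timezone.utc).strftime(
                    "%Y-%m-%dT%H:%M:%S")
            row.append(val)
        rows.append(row)
    return rows


def where(log, name, pred):
    """Filter records by a predicate on one named column: the name-based
    equivalent of awk's positional a[5] == "10.2.2.2" or $5 > 10000."""
    return [r for r in log[1] if r[name] is not None and pred(r[name])]


def top_values(log, name):
    """'bro-cut <name> | sort | uniq -c | sort -n' as (value, count) pairs,
    least frequent first."""
    counts = Counter(r[name] for r in log[1])
    return sorted(counts.items(), key=lambda kv: (kv[1], str(kv[0])))


if __name__ == "__main__":
    log = parse_bro_log(SAMPLE_CONN_LOG)
    print(bro_cut(log, ["ts", "id.orig_h", "id.resp_h"], human_time=True))
    print([r["uid"] for r in where(log, "id.resp_h", lambda v: v == "10.2.2.2")])
    print([r["uid"] for r in where(log, "missed_bytes", lambda v: v > 10000)])
    print(top_values(log, "conn_state"))
```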
Navigating in less

  Command           Description
  q                 Quit
  up/down arrow     Move up/down one line
  left/right arrow  Move left/right 1/2 page; requires less -S
  page up/down      Move up/down one page
  g                 Go to the first line
  G                 Go to the last line
  F                 Go to the last line; display any new lines. Ctrl-C to exit
  /SSL              Search: go to the next line containing 'SSL'
  /!SSL             Search: go to the next line NOT containing 'SSL'
  ?malware          Search: go to the previous line containing 'malware'
  n                 Repeat a previous search
  N                 Repeat a previous search in the opposite direction
git commands

  Command                Description
  git clone [uri]        Downloads a project and the entire version history
  git status             Lists all new or modified files to be committed
  git diff               Shows file differences not yet staged
  git add [file]         Snapshots the file in preparation for versioning
  git diff --staged      Shows file differences between staging & last version.
  git reset [file]       Unstages the file and preserves contents
  git commit             Records snapshot; add -m "msg" for comment
  git branch             Show all branches in current repo; -a for all branches
  git branch [name]      Create a new branch
  git checkout [branch]  Switches to the specified branch, updates the working directory.
  git merge [branch]     Combines the specified branch's history into the current branch.
  Command   Description
  cd logs   Move to the logs directory, which is located in the current directory.
  cd /logs  Move to the logs directory, which is located in the top-level directory.
  cd ..     Move up one directory.
  cd ~      Move to your home directory (tilde is to the left of the 1 key).
  cd -      Move to the directory you were previously in.
Viewing and searching

  Command                    Description
  cat conn.log               Display conn.log
  cat *.log                  Display all files that end in .log
  head conn.log              Display the first 10 lines of conn.log
  head -n 20 conn.log        Display the first 20 lines of conn.log
  tail conn.log              Display the last 10 lines of conn.log
  tail -n 30 conn.log        Display the last 30 lines of conn.log
  tail -F conn.log           Display last 10 lines, continue with new lines. Note: Ctrl-C to exit
  grep SSL notice.log        Display lines in notice.log that contain SSL
  grep -v SSL notice.log     Display lines in notice.log without SSL
  grep 'mal ware' data.txt   Search item w/ spaces using single quotes.
  grep -F 1.2.3.4            Search for phrases with periods
  grep -c dosexec files.log  How many lines in files.log contain dosexec
  less conn.log              Display conn.log in less (see Navigating in less)
  less -S conn.log           Display with side-to-side scrolling
| aka pipe   Pass the output of one command to another command.

  Command                               Description
  grep SSL notice.log | tail -n 30      Display the last 30 lines in notice.log that contain SSL.
  grep SSL notice.log | grep -i google  Display lines in notice.log containing SSL and google in any case (upper/lower mix).
  cat data.txt | sort                   Display data.txt, sorted alphabetically.
  cat data.txt | sort | uniq            Display data.txt, sorted alphabetically, with duplicates removed.
  cat data.txt | sort | uniq -c         Display data.txt, sorted alphabetically, with duplicates removed and a count of each occurrence.

Putting it all together

  Command                                                   Description
  cat data.txt | sort | uniq -c | sort -n                   Display, sort, count of distinct, ordered from least to most.
  cat notice.log | bro-cut note | sort | uniq -c | sort -n  What are the most popular notices?
  cat http.log | bro-cut -d ts method host uri              Only display timestamp, method, host and URI, and convert timestamp to human readable.
Contact Critical Stack

  Phone:    202-559-5200
  Email:
  Web:      http://www.CriticalStack.com
  Git:      https://github.com/CriticalStack/
  Twitter:  @CriticalStack
  PGP:      0xc255d63501b80df9

  Consulting, Training, Support for the Bro Platform, Developing high performance solutions around the Bro Platform