I. Introduction
I came across this software through a picture a colleague shared. The picture introduced the open source project Zed and Brim, a full-flow security product built on Zed. The whole product is really a small integration of many open source projects, which is what made me interested in it. Beyond the fact that Brim has 1.5k stars on GitHub, what attracted me more is that it uses a new data structure, the hyperstructured data model. Through this structure it can combine data compression, indexing and data analysis without relying on various databases or NoSQL stores for data storage, which is simple and convenient.
II. Zed and its supported formats
In simple terms, Zed is an open source command-line tool that operates on data in Zed's new hyperstructured model. In more detail, here is the official explanation:
1. An abstract definition of the Zed data model and its semantics;
2. Zed is the ZNG, VNG and ZSON formats, which all follow the same Zed data model;
3. Zed is a storage model for Zed data with optional indexes;
4. Zed is a dataflow language that can run queries, search, analytics, transformations, or a combination of the above.
2.1 Zed data model
Zed data is an ordered sequence of one or more typed data values. It supports the primitive data types found in common programming languages, such as:
uint8 (unsigned 8-bit integer)
decimal128 (IEEE-754 decimal128)
bytes (bounded sequence of 8-bit bytes)
...
ip (IPv4 or IPv6 address)
net (IPv4 or IPv6 address with network mask)
type (a Zed type value)
null (the null type)
Complex data types are also supported:
record - an ordered collection of zero or more values, each called a field
array, set, map, union, enum, error
2.2 Formats supported by Zed
Zed's native formats are ZNG, VNG and ZSON. ZNG is an efficient, sequence-oriented binary serialization format suitable for any data; similar to Apache Avro, it has no separate structure definition and embeds all type information in the data stream. ZSON is a human-readable, text-based serialization format for hyperstructured data. VNG, pronounced "ving", is a columnar file format based on the Zed data model.
In addition to the three Zed data model formats above, Zed also supports Arrow, JSON, CSV, Parquet, ZJSON and Zeek, among other formats.
III. Brim, a pcap analysis tool based on the Zed data model
3.1 Brief description of brim
Brim is a tool for analyzing pcap files using the Zed data model. Its analysis is faster than Wireshark's, and it can hand off to Wireshark when a deeper packet-level view is needed. Compared with Wireshark, Brim is faster in many respects.
Brim official description:
Brim is an open source desktop application for security and network specialists. Brim makes it easy to search and analyze data from:
* packet captures, like those created by [Wireshark](https://www.wireshark.org/), and
* structured logs, especially from the [Zeek](https://www.zeek.org/) network analysis framework.
Brim is especially useful to security and network operators who need to handle large packet captures, especially those that are cumbersome for Wireshark, tshark, or other packet analyzers.
As I understand it, Brim is a combination of the following software:
In the background, Brim uses brimcap to convert the pcap file into ZNG format, uses the Zeek and Suricata tools to enrich the analysis with more information, and then the Brim UI uses Zed to analyze the ZNG file for display.
You can see the official picture:
3.2 Instructions for use of brim
Compared with Wireshark, Brim analyzes pcaps much faster. The interface is shown in the figure below: drag and drop the pcap file into the red box shown above to analyze it. Let's see what the analysis looks like.
You can click the menu in the lower left corner (which also contains the Suricata alert information) to bring up the analysis commands; for example, click the first one, Activity Overview, as shown below:
After clicking, the zq command is displayed in the input field. The data below it can be shown in two formats: a table, or a JSON-like tree data structure:
3.3 Detailed Analysis
We can click a protocol name in the list, right-click, and select Open details to get the information shown in the figure below:
The details show the flow information together with the transmitted HTTP and file information:
Clicking on the file displays its MD5 value. Right-click VirusTotal lookup to check whether the file is a known malicious Trojan or similar:
We can also query domain name information by right-clicking Whois Lookup to view the domain details:
The input field of Brim holds a zq command; copy this command and you can run it directly on the command line.
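The following Python script is an added example; it is not code from the original post or from the Zed/Brim projects. It ties together section 2 (typed values written out as ZSON text, for a subset of the Zed types) and sections 3.2 and 3.3 (the per-_path count that an Activity Overview style query produces, and collecting the conn, http and files records that share one connection uid, which is the kind of data the details view shows for a flow). The records, uids and the MD5 placeholder are constructed sample data; the serializer covers only the types listed in its docstring, and I assume the Activity Overview is a count-by-_path aggregation.

```python
"""Added example (not part of the original post or of the Zed/Brim projects).

It shows, on constructed Zeek-style records:
  * typed values serialized as ZSON text (a subset of the Zed data model),
  * the per-_path count that an "Activity Overview" style query produces,
  * collecting the conn, http and files records that share one connection uid,
    which is the kind of data Brim's details view shows for a flow.
"""
import ipaddress
from collections import Counter
from datetime import datetime, timezone

ip = ipaddress.ip_address
T0 = datetime(2023, 3, 1, 12, 0, 0, tzinfo=timezone.utc)

# Constructed sample records. Values carry their own types (ip, time, int64,
# string, set), which is the "hyperstructured" idea: no external schema.
RECORDS = [
    {"_path": "conn", "ts": T0, "uid": "CAbc1",
     "id": {"orig_h": ip("10.0.0.5"), "orig_p": 51234,
            "resp_h": ip("93.184.216.34"), "resp_p": 80},
     "proto": "tcp", "service": "http", "orig_bytes": 512, "resp_bytes": 4096},
    {"_path": "http", "ts": T0, "uid": "CAbc1", "method": "GET",
     "host": "example.com", "uri": "/index.html", "status_code": 200},
    {"_path": "files", "ts": T0, "conn_uids": frozenset({"CAbc1"}),
     "mime_type": "text/html",
     # placeholder hash: the MD5 of empty input, not a real sample
     "md5": "d41d8cd98f00b204e9800998ecf8427e"},
    {"_path": "conn", "ts": T0, "uid": "CAbc2",
     "id": {"orig_h": ip("10.0.0.5"), "orig_p": 40000,
            "resp_h": ip("10.0.0.1"), "resp_p": 53},
     "proto": "udp", "service": "dns", "orig_bytes": 40, "resp_bytes": 120},
    {"_path": "dns", "ts": T0, "uid": "CAbc2", "query": "example.com",
     "answers": ["93.184.216.34"]},
    {"_path": "conn", "ts": T0, "uid": "CAbc3",
     "id": {"orig_h": ip("10.0.0.7"), "orig_p": 44444,
            "resp_h": ip("93.184.216.34"), "resp_p": 443},
     "proto": "tcp", "service": "ssl", "orig_bytes": 2048, "resp_bytes": 16384},
]


def to_zson(value):
    """Serialize a Python value as ZSON text for the subset of Zed types used
    here: null, bool, int64, float64, string, ip, net, time, record (dict),
    array (list) and set (frozenset/set). Map, union, enum, error and the
    sized integer types are out of scope for this example."""
    if value is None:
        return "null"
    if isinstance(value, bool):                 # check bool before int
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)                       # bare integer literal: int64
    if isinstance(value, float):
        return repr(value)                      # keeps a '.' or 'e': float64
    if isinstance(value, str):
        escaped = value.replace("\\", "\\\\").replace('"', '\\"')
        return f'"{escaped}"'
    if isinstance(value, (ipaddress.IPv4Address, ipaddress.IPv6Address,
                          ipaddress.IPv4Network, ipaddress.IPv6Network)):
        return str(value)                       # bare literal: ip or net
    if isinstance(value, datetime):
        # RFC 3339 in UTC is how ZSON writes a time value
        return value.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    if isinstance(value, dict):                 # record: {name:value,...}
        return "{" + ",".join(f"{k}:{to_zson(v)}" for k, v in value.items()) + "}"
    if isinstance(value, (list, tuple)):        # array: [a,b,c]
        return "[" + ",".join(to_zson(v) for v in value) + "]"
    if isinstance(value, (set, frozenset)):     # set: |[a,b,c]|, sorted for stable output
        return "|[" + ",".join(sorted(to_zson(v) for v in value)) + "]|"
    raise TypeError(f"unsupported type for ZSON: {type(value).__name__}")


def activity_overview(records):
    """Count records per Zeek log type (_path), highest count first.
    This mirrors what Brim's Activity Overview shows (assumed here to be a
    count-by-_path aggregation)."""
    counts = Counter(r.get("_path", "unknown") for r in records)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def flow_details(records, uid):
    """Gather every record that belongs to one connection: conn/http/dns rows
    carry the uid directly, files rows reference it through conn_uids."""
    return [r for r in records
            if r.get("uid") == uid or uid in r.get("conn_uids", ())]


if __name__ == "__main__":
    for rec in RECORDS:                         # one ZSON value per line
        print(to_zson(rec))
    print(activity_overview(RECORDS))
    for rec in flow_details(RECORDS, "CAbc1"):
        print(rec["_path"], to_zson(rec))
```

Run it as a script and the first loop prints one ZSON value per line; note that `10.0.0.5` and `2023-03-01T12:00:00Z` appear unquoted because they are ip and time values, not strings, which is the point of carrying types inline. The `flow_details` call is the manual equivalent of opening a connection's details in the Brim UI.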
IV. Open source addresses
Brim open source address: https://github.com/brimdata/brim
Zed open source address: https://github.com/brimdata/zed
brimcap open source address: https://github.com/brimdata/brimcap