Added some basic examples and modified a number of pig files and vis for

the BlackHat EU presentation
packetloop · Apr 17, 2012 · 795448b · 795448b
1 parent cecd1ac
commit 795448b
Show file tree

Hide file tree

Showing 5 changed files with 88 additions and 2 deletions.
diff --git a/pig/examples/basic_http.pig b/pig/examples/basic_http.pig
@@ -0,0 +1,19 @@
+%DEFAULT prefix pig
+RUN $prefix/include.pig;
+
+%DEFAULT time 60
+--%DEFAULT field 'etag'
+--%DEFAULT field 'referer'
+%DEFAULT field 'user-agent'
+--%DEFAULT field 'set-cookie'
+
+http_conversations = LOAD '$pcap' USING com.packetloop.packetpig.loaders.pcap.protocol.HTTPConversationLoader('$field') AS (
+    ts:long,
+    src:chararray,
+    sport:int,
+    dst:chararray,
+    dport:int,
+    field:chararray
+);
+
+DUMP http_conversations;
diff --git a/pig/examples/basic_snort.pig b/pig/examples/basic_snort.pig
@@ -0,0 +1,12 @@
+%DEFAULT includepath pig/include.pig
+RUN $includepath;
+
+%DEFAULT snortconfig 'lib/snort/etc/snort.conf'
+
+snort_alerts =
+  LOAD '$pcap'
+  USING com.packetloop.packetpig.loaders.pcap.detection.SnortLoader('$snortconfig')
+  AS (ts:long, sig:chararray, priority:int, message:chararray, proto:chararray,
+    src:chararray, dst:chararray, sport:int, dport:int);
+
+DUMP snort_alerts;
diff --git a/pig/examples/basic_summary.pig b/pig/examples/basic_summary.pig
@@ -0,0 +1,47 @@
+%DEFAULT includepath pig/include.pig
+RUN $includepath;
+
+%DEFAULT time 60
+
+packets = load '$pcap' using com.packetloop.packetpig.loaders.pcap.packet.PacketLoader() AS (
+    ts,
+
+    ip_version:int,
+    ip_header_length:int,
+    ip_tos:int,
+    ip_total_length:int,
+    ip_id:int,
+    ip_flags:int,
+    ip_frag_offset:int,
+    ip_ttl:int,
+    ip_proto:int,
+    ip_checksum:int,
+    ip_src:chararray,
+    ip_dst:chararray,
+
+    tcp_sport:int,
+    tcp_dport:int,
+    tcp_seq_id:long,
+    tcp_ack_id:long,
+    tcp_offset:int,
+    tcp_ns:int,
+    tcp_cwr:int,
+    tcp_ece:int,
+    tcp_urg:int,
+    tcp_ack:int,
+    tcp_psh:int,
+    tcp_rst:int,
+    tcp_syn:int,
+    tcp_fin:int,
+    tcp_window:int,
+    tcp_len:int,
+
+    udp_sport:int,
+    udp_dport:int,
+    udp_len:int,
+    udp_checksum:chararray
+);
+summary = group packets all;
+summary = FOREACH packets GENERATE COUNT(ip_total_length);
+
+DUMP summary;
diff --git a/r/examples/dns_response_ttl.r b/r/examples/dns_response_ttl.r
@@ -5,6 +5,4 @@ dns <- read.csv("output/dns_response_ttl/part-r-00000", header=F)
 pdf(file="output/dns_response_ttl/plot.pdf")
 
 ggplot(dns, aes(x=dns$V2, y=dns$V1)) + geom_point(shape=4)
-ggplot(dns, aes(x=dns$V2, y=dns$V3)) + geom_point(shape=4)
-ggplot(dns, aes(x=dns$V2, y=dns$V3)) + geom_point(shape=4) + facet_grid(V1~.)
 qplot(x=dns$V2, stat='density', geom='line', ylab="Density")
diff --git a/r/examples/dns_response_ttl_facets.r b/r/examples/dns_response_ttl_facets.r
@@ -0,0 +1,10 @@
+library("ggplot2")
+
+dns <- read.csv("output/dns_response_ttl/part-r-00000", header=F)
+
+pdf(file="output/dns_response_ttl/plot.pdf")
+
+ggplot(dns, aes(x=dns$V2, y=dns$V1)) + geom_point(shape=4)
+ggplot(dns, aes(x=dns$V2, y=dns$V3)) + geom_point(shape=4)
+ggplot(dns, aes(x=dns$V2, y=dns$V3)) + geom_point(shape=4) + facet_grid(V1~.)
+qplot(x=dns$V2, stat='density', geom='line', ylab="Density")