CERT NetSA Security Suite
Open Source Tools for Network Monitoring
YAF 0.8.1 | NAF 0.6.0 | SiLK 1.0.1 | RAVE 1.9.9
fixbuf 0.7.3 | ipa 0.2.1 | airdbc 0.2.2 | airframe 0.7.2 | Portal 0.8.0
SiLK - Documentation - rwscanquery

NAME

rwscanquery - Query the network scan database


SYNOPSIS

 rwscanquery [options]

Report Options:

  --start-date=yyyy/mm/dd:hh Report on scans active after this date.
  --end-date=yyyy/mm/dd:hh   Defaults to start-date.
  --report=type              Select query and output options.  Allowed values
                             for "type" are standard, volume, scanset,
                             scanflows, respflows, and export.
  --saddress=addr-spec       Show scans originating from matching hosts.
  --sipset=set-file          Show scans originating from hosts in set.
  --daddress=addr-spec       Show only scans targeting matching hosts.
  --dipset=set-file          Show only scans targeting hosts in set.
  --show-header              Display column header at start of output.
  --columnar                 Display more human-readable columnar view.
  --output-path=path         Write results to the specified file.

Configuration Options:

  --database=dbname          Query an alternate scan database

Help Options:

  --help                     Display this brief help message.
  --man                      Display the full documentation.


DESCRIPTION

rwscanquery queries the network scan database. Selection criteria and output formats are specified via the command line options described below. Output goes to standard output by default, or to the file named by --output-path if one is given.


REPORT OPTIONS

--start-date=yyyy/mm/dd:hh
Display scans active at or after the start of this hour. If the argument gives a date with no hour and no --end-date option is specified, scans for that entire day are returned. If this option is omitted entirely, scans for the current day (based on the local time on the host machine) are returned.
Example:
  rwscanquery --start-date=2005/04/19:21

This command would display information on all scans occurring in the hour from 21:00 up to but not including 22:00 on April 19, 2005.

--end-date=yyyy/mm/dd:hh
Display scans which were active before the end of this hour. If no end-date is given, defaults to the same as start-date.
Example:
  rwscanquery --start-date=2005/04/19:21 --end-date=2005/04/19:22

This command would display information on all scans occurring at or after 21:00 on 2005/04/19, up to but not including 23:00 on 2005/04/19; the hour named by --end-date is included in full.

--report=type
Specifies query and output options based on one of the following types:
standard
Writes one line of output for each scan record in the scan database. The format of this output can be altered with the --columnar option described below.

volume
Writes a daily scan activity volume summary report for each day within the time period. The format of this output can be altered with the --show-header and --columnar options described below.

scanset
Writes an IP set file containing the IP addresses which were the sources of scan activity during the selected time period.

scanflows
Writes a SiLK Flow file containing all flows originating from scanning IP addresses within the specified time period. This flow data will include flows originating from any host that would be listed as a scan source by your query, from any time within the time period specified by --start-date and --end-date. Note that this may include flows that were not identified by the scan analysis as being part of a scan.

respflows
Writes a SiLK Flow file containing all flows sent to scanning IP addresses within the specified time period.

export
Write output consistent with the output format of the rwscan(1) tool.

If no --report option is specified, the default is the ``standard'' report.

--saddress=addr-spec
Display scans originating from hosts described in addr-spec. addr-spec should be a list of addresses, address ranges, and CIDR blocks. Only scans originating at hosts in the list will be displayed.
Example:
  rwscanquery --start-date=2005/04/19:21 \
    --saddress=192.168/16,127.0.0.1,255.255.255.0-255.255.255.255

This command would display scans originating from addresses in the 192.168.0.0/16 block, from the address 127.0.0.1, or from any address between 255.255.255.0 and 255.255.255.255, inclusive.

--sipset=set-file
Display scans originating from hosts in set-file. set-file should be a standard SiLK ipset file. Note that a very complex set may take a long time to process, or even fail to return any results.
Example:
  rwscanquery --start-date=2005/04/19:21 --sipset=MyIPSet.set

This command would display information on all scans in the given hour which had a source address in the IP set file MyIPSet.set.

--daddress=ip-mask
Display scans targeting hosts described in ip-mask. Unlike --saddress, this option accepts only a single IP address or a wildcard expression as described in rwfilter(1), not a comma-separated list. To match multiple hosts or networks, use the --dipset option.

--dipset=set-file
Display scans targeting hosts in set-file. set-file should be a standard SiLK ipset file. Note that a very complex set may take a long time to process, or even fail to return any results.

--show-header
Displays a header with a short name for each column as the first line of output. By default, no header is displayed.

--columnar
Display output in more human-readable columnar format. By default, the output is presented as data fields delimited by the `|' character.

--output-path=path
Write results to the specified pathname instead of standard output.
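
The standard report is `|'-delimited by default, which makes it easy to post-process with awk. The following helper is added here as an example and is not part of SiLK or of the rwscanquery documentation. It assumes, as a hypothetical layout modelled on rwscan(1) output, that the first field of each standard-report record is the scanning source address; the sample records embedded below are constructed, not real scan data, and the function names scan_sources and top_scan_sources are this example's own.

```shell
#!/bin/sh
# Added example (not SiLK code): summarize "rwscanquery --report=standard"
# output by scanning source address.
# Assumption (hypothetical): field 1 of each record is the source address,
# mirroring rwscan(1) output. Adjust the field number if your layout differs.

# scan_sources: read standard-report records on stdin and emit "count|sip",
# sorted by descending count, then by address. The optional --show-header
# line and blank lines are skipped; --columnar padding is tolerated.
scan_sources() {
    awk -F'|' '
        NF == 0 { next }                                   # blank line
        $1 !~ /^[ \t]*[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+[ \t]*$/ { next }  # header
        {
            ip = $1
            gsub(/[ \t]/, "", ip)                          # strip columnar padding
            n[ip]++
        }
        END { for (ip in n) printf "%d|%s\n", n[ip], ip }
    ' | sort -t'|' -k1,1nr -k2,2
}

# top_scan_sources [N]: the N busiest scanning sources (default 10).
top_scan_sources() {
    scan_sources | head -n "${1:-10}"
}

# Constructed sample output in the assumed delimited layout (not real data).
# The first line stands in for what --show-header would print.
SAMPLE='sip|proto|stime|etime|flows|packets|bytes|scan_model|scan_prob|
10.0.0.5|6|2005/04/19T21:03:12|2005/04/19T21:07:44|812|812|34104|1|0.97|
192.0.2.77|17|2005/04/19T21:10:01|2005/04/19T21:10:09|255|255|9180|2|0.88|
10.0.0.5|6|2005/04/19T21:20:30|2005/04/19T21:21:02|1024|1024|43008|1|0.99|
198.51.100.9|6|2005/04/19T21:41:00|2005/04/19T21:41:33|64|64|2688|3|0.71|
10.0.0.5|6|2005/04/19T21:55:19|2005/04/19T21:58:00|512|512|21504|1|0.95|'

printf '%s\n' "$SAMPLE" | top_scan_sources 3
```

In practice the left-hand side of the pipe is `rwscanquery --start-date=... --report=standard` (optionally with --saddress or --sipset to narrow the scope); the helper only cares that the records arrive one per line with the source address first.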


CONFIGURATION OPTIONS

--database=dbname
Select a database instance other than the default, which comes from the rwscan configuration file described below.


OTHER OPTIONS

--help
Displays a brief usage message and exits.

--man
Displays full documentation and exits. Better formatting may be achieved by using `perldoc .../rwscanquery' instead.


CONFIGURATION

rwscanquery reads its configuration from a file named .rwscanrc. It looks for this file first in the current user's home directory and, if it is not found there, one directory up from the directory containing rwscanquery. The file consists of name=value pairs, one per line. Because it holds the database user ID and password in clear text (see db_password below), restrict it to owner-only access (mode 0600) and keep it out of version control and shared or world-readable install directories.

The configuration parameters currently read from .rwscanrc are:

db_driver
The type of database to connect to. ``oracle'', ``postgresql'', and ``mysql'' are currently supported.

db_userid
The userid used to connect to the scan database.

db_password
The password used to connect to the scan database.

db_instance
The name of the database instance to connect to if none is provided with the --database command line switch. If neither this configuration parameter nor the --database option is specified, the hard-coded default database instance ``SCAN'' is used.

rw_in_class
The input class used to query scan flows. Used for the ``scanflows'' report type. If not specified, rwfilter's default will be used.

rw_in_type
The input type(s) used to query scan flows. Used for the ``scanflows'' report type. If not specified, rwfilter's default will be used.

rw_out_class
The output class used to query scan flows. Used for the ``respflows'' report type. If not specified, rwfilter's default will be used.

rw_out_type
The output type used to query scan flows. Used for the ``respflows'' report type. If not specified, rwfilter's default will be used.
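
The lookup order, the name=value syntax, the documented parameter names and the --database / db_instance / ``SCAN'' precedence above can be exercised without rwscanquery itself. The script below is added as an example and is not SiLK code; find_rwscanrc, read_rwscanrc, warn_if_exposed and resolve_db_instance are this example's own names, the path /opt/silk/bin/rwscanquery is an assumed install location, and the configuration it writes is constructed (no real credentials). It deliberately parses the file line by line rather than sourcing it, so a tampered .rwscanrc cannot execute commands as the analyst, and it flags a file whose permissions expose db_password.

```shell
#!/bin/sh
# Added example (not SiLK code): locate and parse .rwscanrc as the
# CONFIGURATION section describes, and resolve the database instance.
# Function names and the install path used in the demo are assumptions.

# find_rwscanrc TOOLPATH: print the first .rwscanrc found, checking $HOME
# first and then one directory above the tool's own directory.
find_rwscanrc() {
    tool_dir=$(dirname -- "$1")
    for candidate in "$HOME/.rwscanrc" "$tool_dir/../.rwscanrc"; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# read_rwscanrc FILE KEY: print KEY's value from name=value lines.
# Only the parameters the man page documents are accepted, blank lines and
# '#' comments are skipped, and the value may itself contain '='.
# The file is never sourced, so it cannot run commands.
read_rwscanrc() {
    file=$1; want=$2
    case $want in
        db_driver|db_userid|db_password|db_instance|rw_in_class|rw_in_type|rw_out_class|rw_out_type) ;;
        *) echo "read_rwscanrc: unknown parameter '$want'" >&2; return 2 ;;
    esac
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|\#*) continue ;; esac
        key=${line%%=*}; value=${line#*=}
        key=$(printf '%s' "$key" | tr -d ' \t')
        if [ "$key" = "$want" ]; then
            printf '%s\n' "$value"
            return 0
        fi
    done < "$file"
    return 1
}

# warn_if_exposed FILE: db_password is clear text, so fail (status 1) when
# the group or others have any access. Uses ls(1) for portability.
warn_if_exposed() {
    case $(ls -ld "$1" | cut -c5-10) in
        *[rwx]*) echo "warning: $1 is group/world accessible; chmod 600 it" >&2; return 1 ;;
    esac
    return 0
}

# resolve_db_instance FILE [DATABASE_OPT]: --database wins, then db_instance
# from the file, then the hard-coded default SCAN.
resolve_db_instance() {
    if [ -n "$2" ]; then printf '%s\n' "$2"; return 0; fi
    inst=$(read_rwscanrc "$1" db_instance) || inst=SCAN
    printf '%s\n' "${inst:-SCAN}"
}

# Demonstration on a constructed config in a throwaway home directory.
demo_dir=$(mktemp -d)
cat > "$demo_dir/.rwscanrc" <<'EOF'
# scan database settings (constructed example, not real credentials)
db_driver=postgresql
db_userid=scanreader
db_password=Example=With=Equals
rw_in_class=all
EOF
chmod 644 "$demo_dir/.rwscanrc"          # too permissive on purpose
HOME=$demo_dir
RC=$(find_rwscanrc /opt/silk/bin/rwscanquery)
warn_if_exposed "$RC" || chmod 600 "$RC" # warns, then tightens
read_rwscanrc "$RC" db_driver
resolve_db_instance "$RC"                # falls back to SCAN
resolve_db_instance "$RC" SCANDEV        # --database overrides the file
```

Note the asymmetry the man page implies: the fallback location is relative to the rwscanquery binary, which on a shared analysis host is typically world-readable, so a .rwscanrc placed there is exposed to every local user unless its mode is tightened as above.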


SEE ALSO

rwscan(1), rwfilter(1)