{ "cells": [ { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "3y8D8k6UPYrq" }, "source": [ "# GRR Colab" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": {}, "colab_type": "code", "id": "MhnEhE_498Zd" }, "outputs": [], "source": [ "%load_ext grr_colab.ipython_extension" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": {}, "colab_type": "code", "id": "RmAtn57P98Zg" }, "outputs": [], "source": [ "import grr_colab" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "rWf9o5nl98Zi" }, "source": [ "Specifying GRR Colab flags:" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": {}, "colab_type": "code", "id": "-jh2NybI98Zj" }, "outputs": [], "source": [ "grr_colab.flags.FLAGS.set_default('grr_http_api_endpoint', 'http://localhost:8000/')\n", "grr_colab.flags.FLAGS.set_default('grr_admin_ui_url', 'http://localhost:8000/')\n", "grr_colab.flags.FLAGS.set_default('grr_auth_api_user', 'admin')\n", "grr_colab.flags.FLAGS.set_default('grr_auth_password', 'admin')" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "OJaMYRetyoZS" }, "source": [ "## Magics API" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "SDKewNOmhhDJ" }, "source": [ "GRR magics allow you to search for clients and then choose a single client to work with. The results of magics are represented as pandas dataframes unless they are primitives." ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "oPwJovFiPkkX" }, "source": [ "### Searching clients" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "lQYg5faIhS98" }, "source": [ "You can search for clients by specifying a username, hostname, client labels, etc. The results are sorted by the last seen column." 
] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 216 }, "colab_type": "code", "executionInfo": { "elapsed": 901, "status": "ok", "timestamp": 1563351594504, "user_tz": -120 }, "id": "jgzKnDyJRNwj", "outputId": "f246ce78-538a-4bcb-c92a-7a560401b3d8" }, "outputs": [ { "data": { "text/html": [ "\u003cdiv\u003e\n", "\u003cstyle scoped\u003e\n", " .dataframe tbody tr th:only-of-type {\n", " vertical-align: middle;\n", " }\n", "\n", " .dataframe tbody tr th {\n", " vertical-align: top;\n", " }\n", "\n", " .dataframe thead th {\n", " text-align: right;\n", " }\n", "\u003c/style\u003e\n", "\u003ctable border=\"1\" class=\"dataframe\"\u003e\n", " \u003cthead\u003e\n", " \u003ctr style=\"text-align: right;\"\u003e\n", " \u003cth\u003e\u003c/th\u003e\n", " \u003cth\u003eonline\u003c/th\u003e\n", " \u003cth\u003eonline.pretty\u003c/th\u003e\n", " \u003cth\u003eclient_id\u003c/th\u003e\n", " \u003cth\u003elast_seen_ago\u003c/th\u003e\n", " \u003cth\u003elast_seen_at.pretty\u003c/th\u003e\n", " \u003c/tr\u003e\n", " \u003c/thead\u003e\n", " \u003ctbody\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e0\u003c/th\u003e\n", " \u003ctd\u003eonline\u003c/td\u003e\n", " \u003ctd\u003e🌕\u003c/td\u003e\n", " \u003ctd\u003eC.dc3782aeab2c5b4c\u003c/td\u003e\n", " \u003ctd\u003e0 seconds ago\u003c/td\u003e\n", " \u003ctd\u003e2019-08-30 09:53:28.039821\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003c/tbody\u003e\n", "\u003c/table\u003e\n", "\u003c/div\u003e" ], "text/plain": [ " online online.pretty client_id last_seen_ago \\\n", "0 online 🌕 C.dc3782aeab2c5b4c 0 seconds ago \n", "\n", " last_seen_at.pretty \n", "0 2019-08-30 09:53:28.039821 " ] }, "execution_count": 65, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "df = %grr_search_clients -u admin\n", "df[['online', 'online.pretty', 'client_id', 'last_seen_ago', 'last_seen_at.pretty']]" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": 
"81mMQ1oZw4Pq" }, "source": [ "There is a shortcut for searching for online only clients directly so that you don't need to filter the dataframe." ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 168 }, "colab_type": "code", "executionInfo": { "elapsed": 1946, "status": "ok", "timestamp": 1563984753775, "user_tz": -120 }, "id": "dlVH_YmwAJYH", "outputId": "27595944-0c82-4a93-cfa3-f6bfdc0fb716" }, "outputs": [ { "data": { "text/html": [ "\u003cdiv\u003e\n", "\u003cstyle scoped\u003e\n", " .dataframe tbody tr th:only-of-type {\n", " vertical-align: middle;\n", " }\n", "\n", " .dataframe tbody tr th {\n", " vertical-align: top;\n", " }\n", "\n", " .dataframe thead th {\n", " text-align: right;\n", " }\n", "\u003c/style\u003e\n", "\u003ctable border=\"1\" class=\"dataframe\"\u003e\n", " \u003cthead\u003e\n", " \u003ctr style=\"text-align: right;\"\u003e\n", " \u003cth\u003e\u003c/th\u003e\n", " \u003cth\u003eonline\u003c/th\u003e\n", " \u003cth\u003eonline.pretty\u003c/th\u003e\n", " \u003cth\u003eclient_id\u003c/th\u003e\n", " \u003cth\u003elast_seen_ago\u003c/th\u003e\n", " \u003cth\u003elast_seen_at.pretty\u003c/th\u003e\n", " \u003c/tr\u003e\n", " \u003c/thead\u003e\n", " \u003ctbody\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e0\u003c/th\u003e\n", " \u003ctd\u003eonline\u003c/td\u003e\n", " \u003ctd\u003e🌕\u003c/td\u003e\n", " \u003ctd\u003eC.dc3782aeab2c5b4c\u003c/td\u003e\n", " \u003ctd\u003e0 seconds ago\u003c/td\u003e\n", " \u003ctd\u003e2019-08-30 09:53:38.331647\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003c/tbody\u003e\n", "\u003c/table\u003e\n", "\u003c/div\u003e" ], "text/plain": [ " online online.pretty client_id last_seen_ago \\\n", "0 online 🌕 C.dc3782aeab2c5b4c 0 seconds ago \n", "\n", " last_seen_at.pretty \n", "0 2019-08-30 09:53:38.331647 " ] }, "execution_count": 66, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "df = %grr_search_online_clients -u admin\n", "df[['online', 
'online.pretty', 'client_id', 'last_seen_ago', 'last_seen_at.pretty']]" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "z4SgDQKzAaGC" }, "source": [ "Every datetime field has two representations: the original one, which is in microseconds, and the pretty one, which is a pandas timestamp." ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 80 }, "colab_type": "code", "executionInfo": { "elapsed": 256, "status": "ok", "timestamp": 1563983824534, "user_tz": -120 }, "id": "8G5Q5udIASP_", "outputId": "c6c088bc-0171-4b3f-e9a9-0d1e820d05d5" }, "outputs": [ { "data": { "text/html": [ "\u003cdiv\u003e\n", "\u003cstyle scoped\u003e\n", " .dataframe tbody tr th:only-of-type {\n", " vertical-align: middle;\n", " }\n", "\n", " .dataframe tbody tr th {\n", " vertical-align: top;\n", " }\n", "\n", " .dataframe thead th {\n", " text-align: right;\n", " }\n", "\u003c/style\u003e\n", "\u003ctable border=\"1\" class=\"dataframe\"\u003e\n", " \u003cthead\u003e\n", " \u003ctr style=\"text-align: right;\"\u003e\n", " \u003cth\u003e\u003c/th\u003e\n", " \u003cth\u003elast_seen_at\u003c/th\u003e\n", " \u003cth\u003elast_seen_at.pretty\u003c/th\u003e\n", " \u003c/tr\u003e\n", " \u003c/thead\u003e\n", " \u003ctbody\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e0\u003c/th\u003e\n", " \u003ctd\u003e1567158818331647\u003c/td\u003e\n", " \u003ctd\u003e2019-08-30 09:53:38.331647\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003c/tbody\u003e\n", "\u003c/table\u003e\n", "\u003c/div\u003e" ], "text/plain": [ " last_seen_at last_seen_at.pretty\n", "0 1567158818331647 2019-08-30 09:53:38.331647" ] }, "execution_count": 67, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "df[['last_seen_at', 'last_seen_at.pretty']]" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "yM7mCpdARaPb" }, "source": [ "### Setting current clients" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": 
"5aVFfVSsA-cH" }, "source": [ "To work with a client you need to select it first. This means that with magic commands you can work with only a single client at a time (there is no such restriction for the Python API). To set a client you need either a hostname (this works only when exactly one client is set up for that hostname) or a client ID, which you can get from the client search dataframe." ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 34 }, "colab_type": "code", "executionInfo": { "elapsed": 296, "status": "ok", "timestamp": 1563984754202, "user_tz": -120 }, "id": "XciCbMseRSXL", "outputId": "9639a804-6d28-400b-9219-b1612d46f394" }, "outputs": [ { "data": { "text/plain": [ "'C.dc3782aeab2c5b4c'" ] }, "execution_count": 68, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "client_id = df['client_id'][0]\n", "%grr_set_client -c {client_id}\n", "\n", "%grr_id" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "R_Fweq-uF5zM" }, "source": [ "An attempt to set a client with a hostname that has multiple clients will lead to an exception." ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "zGczuyXNGmVK" }, "source": [ "### Requesting approvals" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "A6dCjbPFGv-i" }, "source": [ "If you don't have valid approvals for the selected client, you will get an error while attempting to run a flow on it. You can request an approval with magic commands by specifying the reason and the list of approvers." ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": {}, "colab_type": "code", "id": "1lvg4vOaHG8Y" }, "outputs": [], "source": [ "%grr_request_approval -r \"For testing\" -a admin" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "sdO19hBwHZ_Y" }, "source": [ "This function will not wait until the approval is granted. If you need your code to wait until it's granted, use `grr_request_approval_and_wait` instead." ] }, 
{ "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "xNA5DjocGF70" }, "source": [ "### Exploring filesystem" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "qZYQPlUWHw1e" }, "source": [ "In addition to the selected client, the working directory is also saved, which means that you can use relative paths instead of absolute ones. Note that the existence of directories is not checked, so you will not get an error if you try to cd into a directory that does not exist." ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "2JDhzxv2IX_U" }, "source": [ "Initially you are in the root directory." ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 34 }, "colab_type": "code", "executionInfo": { "elapsed": 32, "status": "ok", "timestamp": 1564580365581, "user_tz": -120 }, "id": "tKbefgf4R9jz", "outputId": "9d1fe7b7-d26a-47ca-b3e8-0f8accc906fc" }, "outputs": [ { "data": { "text/plain": [ "'/'" ] }, "execution_count": 69, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "%grr_pwd" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 34 }, "colab_type": "code", "executionInfo": { "elapsed": 47, "status": "ok", "timestamp": 1564580368172, "user_tz": -120 }, "id": "lv1Ly-16Idnv", "outputId": "8bfb676c-f8cf-4929-8a22-9db3f12f8b60" }, "outputs": [ { "data": { "text/plain": [ "'/tmp/foo/bar'" ] }, "execution_count": 70, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "%grr_cd tmp/foo/bar\n", "%grr_pwd" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 34 }, "colab_type": "code", "executionInfo": { "elapsed": 55, "status": "ok", "timestamp": 1564580370573, "user_tz": -120 }, "id": "QamW8iCHInMs", "outputId": "505924a2-dc88-4957-a103-35620a8d8e7d" }, "outputs": [ { "data": { 
"text/plain": [ "'/tmp/foo/baz'" ] }, "execution_count": 71, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "%grr_cd ../baz\n", "%grr_pwd" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "arrQ02UhKmlY" }, "source": [ "You can ls the current directory or any other directory specified by a relative or absolute path." ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "4iA1RP9UOvGY" }, "source": [ "**Note**. Most file-related magics start flows and fetch live data from the client, so the client has to be online for them to work." ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 193 }, "colab_type": "code", "executionInfo": { "elapsed": 16697, "status": "ok", "timestamp": 1563351630457, "user_tz": -120 }, "id": "DLwaNBDcJ0Iq", "outputId": "39d2e72a-fe03-4957-bdc1-a22f2bbcb61d" }, "outputs": [ { "data": { "text/html": [ "\u003cdiv\u003e\n", "\u003cstyle scoped\u003e\n", " .dataframe tbody tr th:only-of-type {\n", " vertical-align: middle;\n", " }\n", "\n", " .dataframe tbody tr th {\n", " vertical-align: top;\n", " }\n", "\n", " .dataframe thead th {\n", " text-align: right;\n", " }\n", "\u003c/style\u003e\n", "\u003ctable border=\"1\" class=\"dataframe\"\u003e\n", " \u003cthead\u003e\n", " \u003ctr style=\"text-align: right;\"\u003e\n", " \u003cth\u003e\u003c/th\u003e\n", " \u003cth\u003est_mode\u003c/th\u003e\n", " \u003cth\u003est_mode.pretty\u003c/th\u003e\n", " \u003cth\u003est_ino\u003c/th\u003e\n", " \u003cth\u003est_dev\u003c/th\u003e\n", " \u003cth\u003est_nlink\u003c/th\u003e\n", " \u003cth\u003est_uid\u003c/th\u003e\n", " \u003cth\u003est_gid\u003c/th\u003e\n", " \u003cth\u003est_size\u003c/th\u003e\n", " \u003cth\u003est_atime\u003c/th\u003e\n", " \u003cth\u003est_mtime\u003c/th\u003e\n", " \u003cth\u003est_ctime\u003c/th\u003e\n", " \u003cth\u003est_blocks\u003c/th\u003e\n", " 
\u003cth\u003est_blksize\u003c/th\u003e\n", " \u003cth\u003est_rdev\u003c/th\u003e\n", " \u003cth\u003epathspec.pathtype\u003c/th\u003e\n", " \u003cth\u003epathspec.path\u003c/th\u003e\n", " \u003cth\u003epathspec.path_options\u003c/th\u003e\n", " \u003cth\u003est_flags_osx\u003c/th\u003e\n", " \u003cth\u003est_flags_linux\u003c/th\u003e\n", " \u003c/tr\u003e\n", " \u003c/thead\u003e\n", " \u003ctbody\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e0\u003c/th\u003e\n", " \u003ctd\u003e16877\u003c/td\u003e\n", " \u003ctd\u003edrwxr-xr-x\u003c/td\u003e\n", " \u003ctd\u003e17696532\u003c/td\u003e\n", " \u003ctd\u003e65025\u003c/td\u003e\n", " \u003ctd\u003e2\u003c/td\u003e\n", " \u003ctd\u003e585945\u003c/td\u003e\n", " \u003ctd\u003e89939\u003c/td\u003e\n", " \u003ctd\u003e4096\u003c/td\u003e\n", " \u003ctd\u003e1567157599\u003c/td\u003e\n", " \u003ctd\u003e1567157599\u003c/td\u003e\n", " \u003ctd\u003e1567157599\u003c/td\u003e\n", " \u003ctd\u003e8\u003c/td\u003e\n", " \u003ctd\u003e4096\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003eOS\u003c/td\u003e\n", " \u003ctd\u003e/tmp/foo/baz/dir1\u003c/td\u003e\n", " \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003e524288\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e1\u003c/th\u003e\n", " \u003ctd\u003e16877\u003c/td\u003e\n", " \u003ctd\u003edrwxr-xr-x\u003c/td\u003e\n", " \u003ctd\u003e17832583\u003c/td\u003e\n", " \u003ctd\u003e65025\u003c/td\u003e\n", " \u003ctd\u003e3\u003c/td\u003e\n", " \u003ctd\u003e585945\u003c/td\u003e\n", " \u003ctd\u003e89939\u003c/td\u003e\n", " \u003ctd\u003e4096\u003c/td\u003e\n", " \u003ctd\u003e1567157734\u003c/td\u003e\n", " \u003ctd\u003e1567157599\u003c/td\u003e\n", " \u003ctd\u003e1567157599\u003c/td\u003e\n", " \u003ctd\u003e8\u003c/td\u003e\n", " \u003ctd\u003e4096\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003eOS\u003c/td\u003e\n", " 
\u003ctd\u003e/tmp/foo/baz/dir2\u003c/td\u003e\n", " \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003e524288\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e2\u003c/th\u003e\n", " \u003ctd\u003e33188\u003c/td\u003e\n", " \u003ctd\u003e-rw-r--r--\u003c/td\u003e\n", " \u003ctd\u003e17696534\u003c/td\u003e\n", " \u003ctd\u003e65025\u003c/td\u003e\n", " \u003ctd\u003e1\u003c/td\u003e\n", " \u003ctd\u003e585945\u003c/td\u003e\n", " \u003ctd\u003e89939\u003c/td\u003e\n", " \u003ctd\u003e70\u003c/td\u003e\n", " \u003ctd\u003e1567158029\u003c/td\u003e\n", " \u003ctd\u003e1567157649\u003c/td\u003e\n", " \u003ctd\u003e1567157649\u003c/td\u003e\n", " \u003ctd\u003e8\u003c/td\u003e\n", " \u003ctd\u003e4096\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003eOS\u003c/td\u003e\n", " \u003ctd\u003e/tmp/foo/baz/file1\u003c/td\u003e\n", " \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003e524288\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e3\u003c/th\u003e\n", " \u003ctd\u003e33188\u003c/td\u003e\n", " \u003ctd\u003e-rw-r--r--\u003c/td\u003e\n", " \u003ctd\u003e17696533\u003c/td\u003e\n", " \u003ctd\u003e65025\u003c/td\u003e\n", " \u003ctd\u003e1\u003c/td\u003e\n", " \u003ctd\u003e585945\u003c/td\u003e\n", " \u003ctd\u003e89939\u003c/td\u003e\n", " \u003ctd\u003e23\u003c/td\u003e\n", " \u003ctd\u003e1567158209\u003c/td\u003e\n", " \u003ctd\u003e1567157627\u003c/td\u003e\n", " \u003ctd\u003e1567157627\u003c/td\u003e\n", " \u003ctd\u003e8\u003c/td\u003e\n", " \u003ctd\u003e4096\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003eOS\u003c/td\u003e\n", " \u003ctd\u003e/tmp/foo/baz/file2\u003c/td\u003e\n", " \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003e524288\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003c/tbody\u003e\n", 
"\u003c/table\u003e\n", "\u003c/div\u003e" ], "text/plain": [ " st_mode st_mode.pretty st_ino st_dev st_nlink st_uid st_gid \\\n", "0 16877 drwxr-xr-x 17696532 65025 2 585945 89939 \n", "1 16877 drwxr-xr-x 17832583 65025 3 585945 89939 \n", "2 33188 -rw-r--r-- 17696534 65025 1 585945 89939 \n", "3 33188 -rw-r--r-- 17696533 65025 1 585945 89939 \n", "\n", " st_size st_atime st_mtime st_ctime st_blocks st_blksize \\\n", "0 4096 1567157599 1567157599 1567157599 8 4096 \n", "1 4096 1567157734 1567157599 1567157599 8 4096 \n", "2 70 1567158029 1567157649 1567157649 8 4096 \n", "3 23 1567158209 1567157627 1567157627 8 4096 \n", "\n", " st_rdev pathspec.pathtype pathspec.path pathspec.path_options \\\n", "0 0 OS /tmp/foo/baz/dir1 CASE_LITERAL \n", "1 0 OS /tmp/foo/baz/dir2 CASE_LITERAL \n", "2 0 OS /tmp/foo/baz/file1 CASE_LITERAL \n", "3 0 OS /tmp/foo/baz/file2 CASE_LITERAL \n", "\n", " st_flags_osx st_flags_linux \n", "0 0 524288 \n", "1 0 524288 \n", "2 0 524288 \n", "3 0 524288 " ] }, "execution_count": 72, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "df = %grr_ls\n", "df" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "huZeYWI0Dy4J" }, "source": [ "Stat mode has two representations: number and UNIX-style:" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": {}, "colab_type": "code", "id": "G7PqZ41qDy4K", "outputId": "4ac4b6db-8603-4b2a-91e4-5db206747d06" }, "outputs": [ { "data": { "text/html": [ "\u003cdiv\u003e\n", "\u003cstyle scoped\u003e\n", " .dataframe tbody tr th:only-of-type {\n", " vertical-align: middle;\n", " }\n", "\n", " .dataframe tbody tr th {\n", " vertical-align: top;\n", " }\n", "\n", " .dataframe thead th {\n", " text-align: right;\n", " }\n", "\u003c/style\u003e\n", "\u003ctable border=\"1\" class=\"dataframe\"\u003e\n", " \u003cthead\u003e\n", " \u003ctr style=\"text-align: right;\"\u003e\n", " \u003cth\u003e\u003c/th\u003e\n", " 
\u003cth\u003est_mode\u003c/th\u003e\n", " \u003cth\u003est_mode.pretty\u003c/th\u003e\n", " \u003c/tr\u003e\n", " \u003c/thead\u003e\n", " \u003ctbody\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e0\u003c/th\u003e\n", " \u003ctd\u003e16877\u003c/td\u003e\n", " \u003ctd\u003edrwxr-xr-x\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e1\u003c/th\u003e\n", " \u003ctd\u003e16877\u003c/td\u003e\n", " \u003ctd\u003edrwxr-xr-x\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e2\u003c/th\u003e\n", " \u003ctd\u003e33188\u003c/td\u003e\n", " \u003ctd\u003e-rw-r--r--\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e3\u003c/th\u003e\n", " \u003ctd\u003e33188\u003c/td\u003e\n", " \u003ctd\u003e-rw-r--r--\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003c/tbody\u003e\n", "\u003c/table\u003e\n", "\u003c/div\u003e" ], "text/plain": [ " st_mode st_mode.pretty\n", "0 16877 drwxr-xr-x\n", "1 16877 drwxr-xr-x\n", "2 33188 -rw-r--r--\n", "3 33188 -rw-r--r--" ] }, "execution_count": 73, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "df[['st_mode', 'st_mode.pretty']]" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 100 }, "colab_type": "code", "executionInfo": { "elapsed": 16403, "status": "ok", "timestamp": 1563351646920, "user_tz": -120 }, "id": "mrTFxIkgKPko", "outputId": "c671132a-677d-499e-fcc7-ffd65c4bfb22" }, "outputs": [ { "data": { "text/html": [ "\u003cdiv\u003e\n", "\u003cstyle scoped\u003e\n", " .dataframe tbody tr th:only-of-type {\n", " vertical-align: middle;\n", " }\n", "\n", " .dataframe tbody tr th {\n", " vertical-align: top;\n", " }\n", "\n", " .dataframe thead th {\n", " text-align: right;\n", " }\n", "\u003c/style\u003e\n", "\u003ctable border=\"1\" class=\"dataframe\"\u003e\n", " \u003cthead\u003e\n", " \u003ctr style=\"text-align: right;\"\u003e\n", " \u003cth\u003e\u003c/th\u003e\n", " 
\u003cth\u003est_mode\u003c/th\u003e\n", " \u003cth\u003est_mode.pretty\u003c/th\u003e\n", " \u003cth\u003est_ino\u003c/th\u003e\n", " \u003cth\u003est_dev\u003c/th\u003e\n", " \u003cth\u003est_nlink\u003c/th\u003e\n", " \u003cth\u003est_uid\u003c/th\u003e\n", " \u003cth\u003est_gid\u003c/th\u003e\n", " \u003cth\u003est_size\u003c/th\u003e\n", " \u003cth\u003est_atime\u003c/th\u003e\n", " \u003cth\u003est_mtime\u003c/th\u003e\n", " \u003cth\u003est_ctime\u003c/th\u003e\n", " \u003cth\u003est_blocks\u003c/th\u003e\n", " \u003cth\u003est_blksize\u003c/th\u003e\n", " \u003cth\u003est_rdev\u003c/th\u003e\n", " \u003cth\u003epathspec.pathtype\u003c/th\u003e\n", " \u003cth\u003epathspec.path\u003c/th\u003e\n", " \u003cth\u003epathspec.path_options\u003c/th\u003e\n", " \u003cth\u003est_flags_osx\u003c/th\u003e\n", " \u003cth\u003est_flags_linux\u003c/th\u003e\n", " \u003c/tr\u003e\n", " \u003c/thead\u003e\n", " \u003ctbody\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e0\u003c/th\u003e\n", " \u003ctd\u003e16877\u003c/td\u003e\n", " \u003ctd\u003edrwxr-xr-x\u003c/td\u003e\n", " \u003ctd\u003e17835392\u003c/td\u003e\n", " \u003ctd\u003e65025\u003c/td\u003e\n", " \u003ctd\u003e2\u003c/td\u003e\n", " \u003ctd\u003e585945\u003c/td\u003e\n", " \u003ctd\u003e89939\u003c/td\u003e\n", " \u003ctd\u003e4096\u003c/td\u003e\n", " \u003ctd\u003e1567157599\u003c/td\u003e\n", " \u003ctd\u003e1567157599\u003c/td\u003e\n", " \u003ctd\u003e1567157599\u003c/td\u003e\n", " \u003ctd\u003e8\u003c/td\u003e\n", " \u003ctd\u003e4096\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003eOS\u003c/td\u003e\n", " \u003ctd\u003e/tmp/foo/baz/dir2/dir3\u003c/td\u003e\n", " \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003e524288\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003c/tbody\u003e\n", "\u003c/table\u003e\n", "\u003c/div\u003e" ], "text/plain": [ " st_mode st_mode.pretty st_ino st_dev st_nlink st_uid st_gid \\\n", "0 16877 
drwxr-xr-x 17835392 65025 2 585945 89939 \n", "\n", " st_size st_atime st_mtime st_ctime st_blocks st_blksize \\\n", "0 4096 1567157599 1567157599 1567157599 8 4096 \n", "\n", " st_rdev pathspec.pathtype pathspec.path pathspec.path_options \\\n", "0 0 OS /tmp/foo/baz/dir2/dir3 CASE_LITERAL \n", "\n", " st_flags_osx st_flags_linux \n", "0 0 524288 " ] }, "execution_count": 74, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "%grr_ls ../baz/dir2" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 100 }, "colab_type": "code", "executionInfo": { "elapsed": 16313, "status": "ok", "timestamp": 1563351663305, "user_tz": -120 }, "id": "JSiXH5irKU8A", "outputId": "9327a3cd-fc70-4a5f-afb7-e6ea064eede4" }, "outputs": [ { "data": { "text/html": [ "\u003cdiv\u003e\n", "\u003cstyle scoped\u003e\n", " .dataframe tbody tr th:only-of-type {\n", " vertical-align: middle;\n", " }\n", "\n", " .dataframe tbody tr th {\n", " vertical-align: top;\n", " }\n", "\n", " .dataframe thead th {\n", " text-align: right;\n", " }\n", "\u003c/style\u003e\n", "\u003ctable border=\"1\" class=\"dataframe\"\u003e\n", " \u003cthead\u003e\n", " \u003ctr style=\"text-align: right;\"\u003e\n", " \u003cth\u003e\u003c/th\u003e\n", " \u003cth\u003est_mode\u003c/th\u003e\n", " \u003cth\u003est_mode.pretty\u003c/th\u003e\n", " \u003cth\u003est_ino\u003c/th\u003e\n", " \u003cth\u003est_dev\u003c/th\u003e\n", " \u003cth\u003est_nlink\u003c/th\u003e\n", " \u003cth\u003est_uid\u003c/th\u003e\n", " \u003cth\u003est_gid\u003c/th\u003e\n", " \u003cth\u003est_size\u003c/th\u003e\n", " \u003cth\u003est_atime\u003c/th\u003e\n", " \u003cth\u003est_mtime\u003c/th\u003e\n", " \u003cth\u003est_ctime\u003c/th\u003e\n", " \u003cth\u003est_blocks\u003c/th\u003e\n", " \u003cth\u003est_blksize\u003c/th\u003e\n", " \u003cth\u003est_rdev\u003c/th\u003e\n", " \u003cth\u003epathspec.pathtype\u003c/th\u003e\n", " \u003cth\u003epathspec.path\u003c/th\u003e\n", " 
\u003cth\u003epathspec.path_options\u003c/th\u003e\n", " \u003cth\u003est_flags_osx\u003c/th\u003e\n", " \u003cth\u003est_flags_linux\u003c/th\u003e\n", " \u003c/tr\u003e\n", " \u003c/thead\u003e\n", " \u003ctbody\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e0\u003c/th\u003e\n", " \u003ctd\u003e16877\u003c/td\u003e\n", " \u003ctd\u003edrwxr-xr-x\u003c/td\u003e\n", " \u003ctd\u003e17567410\u003c/td\u003e\n", " \u003ctd\u003e65025\u003c/td\u003e\n", " \u003ctd\u003e2\u003c/td\u003e\n", " \u003ctd\u003e585945\u003c/td\u003e\n", " \u003ctd\u003e89939\u003c/td\u003e\n", " \u003ctd\u003e4096\u003c/td\u003e\n", " \u003ctd\u003e1567157544\u003c/td\u003e\n", " \u003ctd\u003e1567157544\u003c/td\u003e\n", " \u003ctd\u003e1567157544\u003c/td\u003e\n", " \u003ctd\u003e8\u003c/td\u003e\n", " \u003ctd\u003e4096\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003eOS\u003c/td\u003e\n", " \u003ctd\u003e/tmp/foo/bar\u003c/td\u003e\n", " \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003e524288\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e1\u003c/th\u003e\n", " \u003ctd\u003e16877\u003c/td\u003e\n", " \u003ctd\u003edrwxr-xr-x\u003c/td\u003e\n", " \u003ctd\u003e17695802\u003c/td\u003e\n", " \u003ctd\u003e65025\u003c/td\u003e\n", " \u003ctd\u003e4\u003c/td\u003e\n", " \u003ctd\u003e585945\u003c/td\u003e\n", " \u003ctd\u003e89939\u003c/td\u003e\n", " \u003ctd\u003e4096\u003c/td\u003e\n", " \u003ctd\u003e1567157664\u003c/td\u003e\n", " \u003ctd\u003e1567157631\u003c/td\u003e\n", " \u003ctd\u003e1567157631\u003c/td\u003e\n", " \u003ctd\u003e8\u003c/td\u003e\n", " \u003ctd\u003e4096\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003eOS\u003c/td\u003e\n", " \u003ctd\u003e/tmp/foo/baz\u003c/td\u003e\n", " \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003e524288\u003c/td\u003e\n", " \u003c/tr\u003e\n", " 
\u003c/tbody\u003e\n", "\u003c/table\u003e\n", "\u003c/div\u003e" ], "text/plain": [ " st_mode st_mode.pretty st_ino st_dev st_nlink st_uid st_gid \\\n", "0 16877 drwxr-xr-x 17567410 65025 2 585945 89939 \n", "1 16877 drwxr-xr-x 17695802 65025 4 585945 89939 \n", "\n", " st_size st_atime st_mtime st_ctime st_blocks st_blksize \\\n", "0 4096 1567157544 1567157544 1567157544 8 4096 \n", "1 4096 1567157664 1567157631 1567157631 8 4096 \n", "\n", " st_rdev pathspec.pathtype pathspec.path pathspec.path_options \\\n", "0 0 OS /tmp/foo/bar CASE_LITERAL \n", "1 0 OS /tmp/foo/baz CASE_LITERAL \n", "\n", " st_flags_osx st_flags_linux \n", "0 0 524288 \n", "1 0 524288 " ] }, "execution_count": 75, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "%grr_ls /tmp/foo" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "q_DhU34QK_89" }, "source": [ "To see a file's metadata you can call the `grr_stat` function." ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 100 }, "colab_type": "code", "executionInfo": { "elapsed": 16828, "status": "ok", "timestamp": 1563351680228, "user_tz": -120 }, "id": "nsdAPE3zMkmR", "outputId": "17d9b85f-4af7-4334-f006-844e8c3f4535" }, "outputs": [ { "data": { "text/html": [ "\u003cdiv\u003e\n", "\u003cstyle scoped\u003e\n", " .dataframe tbody tr th:only-of-type {\n", " vertical-align: middle;\n", " }\n", "\n", " .dataframe tbody tr th {\n", " vertical-align: top;\n", " }\n", "\n", " .dataframe thead th {\n", " text-align: right;\n", " }\n", "\u003c/style\u003e\n", "\u003ctable border=\"1\" class=\"dataframe\"\u003e\n", " \u003cthead\u003e\n", " \u003ctr style=\"text-align: right;\"\u003e\n", " \u003cth\u003e\u003c/th\u003e\n", " \u003cth\u003est_mode\u003c/th\u003e\n", " \u003cth\u003est_mode.pretty\u003c/th\u003e\n", " \u003cth\u003est_ino\u003c/th\u003e\n", " \u003cth\u003est_dev\u003c/th\u003e\n", " \u003cth\u003est_nlink\u003c/th\u003e\n", " 
\u003cth\u003est_uid\u003c/th\u003e\n", " \u003cth\u003est_gid\u003c/th\u003e\n", " \u003cth\u003est_size\u003c/th\u003e\n", " \u003cth\u003est_atime\u003c/th\u003e\n", " \u003cth\u003est_mtime\u003c/th\u003e\n", " \u003cth\u003est_ctime\u003c/th\u003e\n", " \u003cth\u003est_blocks\u003c/th\u003e\n", " \u003cth\u003est_blksize\u003c/th\u003e\n", " \u003cth\u003est_rdev\u003c/th\u003e\n", " \u003cth\u003epathspec.pathtype\u003c/th\u003e\n", " \u003cth\u003epathspec.path\u003c/th\u003e\n", " \u003cth\u003epathspec.path_options\u003c/th\u003e\n", " \u003cth\u003est_flags_osx\u003c/th\u003e\n", " \u003cth\u003est_flags_linux\u003c/th\u003e\n", " \u003c/tr\u003e\n", " \u003c/thead\u003e\n", " \u003ctbody\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e0\u003c/th\u003e\n", " \u003ctd\u003e33188\u003c/td\u003e\n", " \u003ctd\u003e-rw-r--r--\u003c/td\u003e\n", " \u003ctd\u003e17696534\u003c/td\u003e\n", " \u003ctd\u003e65025\u003c/td\u003e\n", " \u003ctd\u003e1\u003c/td\u003e\n", " \u003ctd\u003e585945\u003c/td\u003e\n", " \u003ctd\u003e89939\u003c/td\u003e\n", " \u003ctd\u003e70\u003c/td\u003e\n", " \u003ctd\u003e1567158029\u003c/td\u003e\n", " \u003ctd\u003e1567157649\u003c/td\u003e\n", " \u003ctd\u003e1567157649\u003c/td\u003e\n", " \u003ctd\u003e8\u003c/td\u003e\n", " \u003ctd\u003e4096\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003eOS\u003c/td\u003e\n", " \u003ctd\u003e/tmp/foo/baz/file1\u003c/td\u003e\n", " \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003e524288\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003c/tbody\u003e\n", "\u003c/table\u003e\n", "\u003c/div\u003e" ], "text/plain": [ " st_mode st_mode.pretty st_ino st_dev st_nlink st_uid st_gid \\\n", "0 33188 -rw-r--r-- 17696534 65025 1 585945 89939 \n", "\n", " st_size st_atime st_mtime st_ctime st_blocks st_blksize \\\n", "0 70 1567158029 1567157649 1567157649 8 4096 \n", "\n", " st_rdev pathspec.pathtype pathspec.path 
pathspec.path_options \\\n", "0 0 OS /tmp/foo/baz/file1 CASE_LITERAL \n", "\n", " st_flags_osx st_flags_linux \n", "0 0 524288 " ] }, "execution_count": 76, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "%grr_stat file1" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "XXdPcVEgB--K" }, "source": [ "You can use globbing for stat:" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 131 }, "colab_type": "code", "executionInfo": { "elapsed": 16416, "status": "ok", "timestamp": 1563351835244, "user_tz": -120 }, "id": "BfMe8FgaB2VB", "outputId": "0e439540-3c3d-4e29-928e-81b1674b1ee6" }, "outputs": [ { "data": { "text/html": [ "\u003cdiv\u003e\n", "\u003cstyle scoped\u003e\n", " .dataframe tbody tr th:only-of-type {\n", " vertical-align: middle;\n", " }\n", "\n", " .dataframe tbody tr th {\n", " vertical-align: top;\n", " }\n", "\n", " .dataframe thead th {\n", " text-align: right;\n", " }\n", "\u003c/style\u003e\n", "\u003ctable border=\"1\" class=\"dataframe\"\u003e\n", " \u003cthead\u003e\n", " \u003ctr style=\"text-align: right;\"\u003e\n", " \u003cth\u003e\u003c/th\u003e\n", " \u003cth\u003est_mode\u003c/th\u003e\n", " \u003cth\u003est_mode.pretty\u003c/th\u003e\n", " \u003cth\u003est_ino\u003c/th\u003e\n", " \u003cth\u003est_dev\u003c/th\u003e\n", " \u003cth\u003est_nlink\u003c/th\u003e\n", " \u003cth\u003est_uid\u003c/th\u003e\n", " \u003cth\u003est_gid\u003c/th\u003e\n", " \u003cth\u003est_size\u003c/th\u003e\n", " \u003cth\u003est_atime\u003c/th\u003e\n", " \u003cth\u003est_mtime\u003c/th\u003e\n", " \u003cth\u003est_ctime\u003c/th\u003e\n", " \u003cth\u003est_blocks\u003c/th\u003e\n", " \u003cth\u003est_blksize\u003c/th\u003e\n", " \u003cth\u003est_rdev\u003c/th\u003e\n", " \u003cth\u003epathspec.pathtype\u003c/th\u003e\n", " \u003cth\u003epathspec.path\u003c/th\u003e\n", " \u003cth\u003epathspec.path_options\u003c/th\u003e\n", " 
\u003cth\u003est_flags_osx\u003c/th\u003e\n", " \u003cth\u003est_flags_linux\u003c/th\u003e\n", " \u003c/tr\u003e\n", " \u003c/thead\u003e\n", " \u003ctbody\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e0\u003c/th\u003e\n", " \u003ctd\u003e33188\u003c/td\u003e\n", " \u003ctd\u003e-rw-r--r--\u003c/td\u003e\n", " \u003ctd\u003e17696534\u003c/td\u003e\n", " \u003ctd\u003e65025\u003c/td\u003e\n", " \u003ctd\u003e1\u003c/td\u003e\n", " \u003ctd\u003e585945\u003c/td\u003e\n", " \u003ctd\u003e89939\u003c/td\u003e\n", " \u003ctd\u003e70\u003c/td\u003e\n", " \u003ctd\u003e1567158029\u003c/td\u003e\n", " \u003ctd\u003e1567157649\u003c/td\u003e\n", " \u003ctd\u003e1567157649\u003c/td\u003e\n", " \u003ctd\u003e8\u003c/td\u003e\n", " \u003ctd\u003e4096\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003eOS\u003c/td\u003e\n", " \u003ctd\u003e/tmp/foo/baz/file1\u003c/td\u003e\n", " \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003e524288\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e1\u003c/th\u003e\n", " \u003ctd\u003e33188\u003c/td\u003e\n", " \u003ctd\u003e-rw-r--r--\u003c/td\u003e\n", " \u003ctd\u003e17696533\u003c/td\u003e\n", " \u003ctd\u003e65025\u003c/td\u003e\n", " \u003ctd\u003e1\u003c/td\u003e\n", " \u003ctd\u003e585945\u003c/td\u003e\n", " \u003ctd\u003e89939\u003c/td\u003e\n", " \u003ctd\u003e23\u003c/td\u003e\n", " \u003ctd\u003e1567158209\u003c/td\u003e\n", " \u003ctd\u003e1567157627\u003c/td\u003e\n", " \u003ctd\u003e1567157627\u003c/td\u003e\n", " \u003ctd\u003e8\u003c/td\u003e\n", " \u003ctd\u003e4096\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003eOS\u003c/td\u003e\n", " \u003ctd\u003e/tmp/foo/baz/file2\u003c/td\u003e\n", " \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003e524288\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003c/tbody\u003e\n", "\u003c/table\u003e\n", "\u003c/div\u003e" ], 
"text/plain": [ " st_mode st_mode.pretty st_ino st_dev st_nlink st_uid st_gid \\\n", "0 33188 -rw-r--r-- 17696534 65025 1 585945 89939 \n", "1 33188 -rw-r--r-- 17696533 65025 1 585945 89939 \n", "\n", " st_size st_atime st_mtime st_ctime st_blocks st_blksize \\\n", "0 70 1567158029 1567157649 1567157649 8 4096 \n", "1 23 1567158209 1567157627 1567157627 8 4096 \n", "\n", " st_rdev pathspec.pathtype pathspec.path pathspec.path_options \\\n", "0 0 OS /tmp/foo/baz/file1 CASE_LITERAL \n", "1 0 OS /tmp/foo/baz/file2 CASE_LITERAL \n", "\n", " st_flags_osx st_flags_linux \n", "0 0 524288 \n", "1 0 524288 " ] }, "execution_count": 77, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "%grr_stat \"file*\"" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "NP6vR78cNUEX" }, "source": [ "You can print the first bytes of a file (`-c` sets how many bytes to return):" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 34 }, "colab_type": "code", "executionInfo": { "elapsed": 16919, "status": "ok", "timestamp": 1563351697201, "user_tz": -120 }, "id": "MK4H3nVnOW7e", "outputId": "162a0809-e802-47de-96c4-d1877196a666" }, "outputs": [ { "data": { "text/plain": [ "b'This is the first line\\nThis is'" ] }, "execution_count": 78, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "%grr_head file1 -c 30" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "6KBacz1eQh7e" }, "source": [ "Although the original bash `head` command has no offset option, `grr_head` lets you specify one with `-o`, so you can read a window from the middle of a file without pulling the whole thing:" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 34 }, "colab_type": "code", "executionInfo": { "elapsed": 1046, "status": "ok", "timestamp": 1564580377770, "user_tz": -120 }, "id": "1RVp8RGjl-eF", "outputId": "1ab6d896-f734-448f-cdbc-63243a31274f" }, "outputs": [ { "data": { "text/plain": [ "b'ne\\nThis is the second line\\nThi'" ] }, "execution_count": 79, "metadata": {
"tags": [] }, "output_type": "execute_result" } ], "source": [ "%grr_head file1 -c 30 -o 20" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "4eUiJKrGOptM" }, "source": [ "Some functions, such as `grr_head` and `grr_ls`, accept a `--cached` option (`-C` for short) which tells the magic not to contact the client at all: the data is served from what the server already holds. The server copy is refreshed only when a flow actually runs against the client, so it can be stale (a file that changed since the last collection still shows its old content and stat), but reading it is much faster and leaves no new footprint on the endpoint." ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 193 }, "colab_type": "code", "executionInfo": { "elapsed": 591, "status": "ok", "timestamp": 1563351697868, "user_tz": -120 }, "id": "JuPSGH57PSEh", "outputId": "7f235a49-9a75-4d34-8915-fec3fe083ee9" }, "outputs": [ { "data": { "text/html": [ "\u003cdiv\u003e\n", "\u003cstyle scoped\u003e\n", " .dataframe tbody tr th:only-of-type {\n", " vertical-align: middle;\n", " }\n", "\n", " .dataframe tbody tr th {\n", " vertical-align: top;\n", " }\n", "\n", " .dataframe thead th {\n", " text-align: right;\n", " }\n", "\u003c/style\u003e\n", "\u003ctable border=\"1\" class=\"dataframe\"\u003e\n", " \u003cthead\u003e\n", " \u003ctr style=\"text-align: right;\"\u003e\n", " \u003cth\u003e\u003c/th\u003e\n", " \u003cth\u003est_mode\u003c/th\u003e\n", " \u003cth\u003est_mode.pretty\u003c/th\u003e\n", " \u003cth\u003est_ino\u003c/th\u003e\n", " \u003cth\u003est_dev\u003c/th\u003e\n", " \u003cth\u003est_nlink\u003c/th\u003e\n", " \u003cth\u003est_uid\u003c/th\u003e\n", " \u003cth\u003est_gid\u003c/th\u003e\n", " \u003cth\u003est_size\u003c/th\u003e\n", " \u003cth\u003est_atime\u003c/th\u003e\n", " \u003cth\u003est_mtime\u003c/th\u003e\n", " \u003cth\u003est_ctime\u003c/th\u003e\n", " \u003cth\u003est_blocks\u003c/th\u003e\n", " \u003cth\u003est_blksize\u003c/th\u003e\n", " \u003cth\u003est_rdev\u003c/th\u003e\n", " 
\u003cth\u003epathspec.pathtype\u003c/th\u003e\n", " \u003cth\u003epathspec.path\u003c/th\u003e\n", " \u003cth\u003epathspec.path_options\u003c/th\u003e\n", " \u003cth\u003est_flags_osx\u003c/th\u003e\n", " \u003cth\u003est_flags_linux\u003c/th\u003e\n", " \u003c/tr\u003e\n", " \u003c/thead\u003e\n", " \u003ctbody\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e0\u003c/th\u003e\n", " \u003ctd\u003e16877\u003c/td\u003e\n", " \u003ctd\u003edrwxr-xr-x\u003c/td\u003e\n", " \u003ctd\u003e17696532\u003c/td\u003e\n", " \u003ctd\u003e65025\u003c/td\u003e\n", " \u003ctd\u003e2\u003c/td\u003e\n", " \u003ctd\u003e585945\u003c/td\u003e\n", " \u003ctd\u003e89939\u003c/td\u003e\n", " \u003ctd\u003e4096\u003c/td\u003e\n", " \u003ctd\u003e1567157599\u003c/td\u003e\n", " \u003ctd\u003e1567157599\u003c/td\u003e\n", " \u003ctd\u003e1567157599\u003c/td\u003e\n", " \u003ctd\u003e8\u003c/td\u003e\n", " \u003ctd\u003e4096\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003eOS\u003c/td\u003e\n", " \u003ctd\u003e/tmp/foo/baz/dir1\u003c/td\u003e\n", " \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003e524288\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e1\u003c/th\u003e\n", " \u003ctd\u003e16877\u003c/td\u003e\n", " \u003ctd\u003edrwxr-xr-x\u003c/td\u003e\n", " \u003ctd\u003e17832583\u003c/td\u003e\n", " \u003ctd\u003e65025\u003c/td\u003e\n", " \u003ctd\u003e3\u003c/td\u003e\n", " \u003ctd\u003e585945\u003c/td\u003e\n", " \u003ctd\u003e89939\u003c/td\u003e\n", " \u003ctd\u003e4096\u003c/td\u003e\n", " \u003ctd\u003e1567157734\u003c/td\u003e\n", " \u003ctd\u003e1567157599\u003c/td\u003e\n", " \u003ctd\u003e1567157599\u003c/td\u003e\n", " \u003ctd\u003e8\u003c/td\u003e\n", " \u003ctd\u003e4096\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003eOS\u003c/td\u003e\n", " \u003ctd\u003e/tmp/foo/baz/dir2\u003c/td\u003e\n", " \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n", " 
\u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003e524288\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e2\u003c/th\u003e\n", " \u003ctd\u003e33188\u003c/td\u003e\n", " \u003ctd\u003e-rw-r--r--\u003c/td\u003e\n", " \u003ctd\u003e17696534\u003c/td\u003e\n", " \u003ctd\u003e65025\u003c/td\u003e\n", " \u003ctd\u003e1\u003c/td\u003e\n", " \u003ctd\u003e585945\u003c/td\u003e\n", " \u003ctd\u003e89939\u003c/td\u003e\n", " \u003ctd\u003e70\u003c/td\u003e\n", " \u003ctd\u003e1567158029\u003c/td\u003e\n", " \u003ctd\u003e1567157649\u003c/td\u003e\n", " \u003ctd\u003e1567157649\u003c/td\u003e\n", " \u003ctd\u003e8\u003c/td\u003e\n", " \u003ctd\u003e4096\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003eOS\u003c/td\u003e\n", " \u003ctd\u003e/tmp/foo/baz/file1\u003c/td\u003e\n", " \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003e524288\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e3\u003c/th\u003e\n", " \u003ctd\u003e33188\u003c/td\u003e\n", " \u003ctd\u003e-rw-r--r--\u003c/td\u003e\n", " \u003ctd\u003e17696533\u003c/td\u003e\n", " \u003ctd\u003e65025\u003c/td\u003e\n", " \u003ctd\u003e1\u003c/td\u003e\n", " \u003ctd\u003e585945\u003c/td\u003e\n", " \u003ctd\u003e89939\u003c/td\u003e\n", " \u003ctd\u003e23\u003c/td\u003e\n", " \u003ctd\u003e1567158209\u003c/td\u003e\n", " \u003ctd\u003e1567157627\u003c/td\u003e\n", " \u003ctd\u003e1567157627\u003c/td\u003e\n", " \u003ctd\u003e8\u003c/td\u003e\n", " \u003ctd\u003e4096\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003eOS\u003c/td\u003e\n", " \u003ctd\u003e/tmp/foo/baz/file2\u003c/td\u003e\n", " \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003e524288\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003c/tbody\u003e\n", "\u003c/table\u003e\n", "\u003c/div\u003e" ], "text/plain": [ " st_mode st_mode.pretty st_ino st_dev st_nlink 
st_uid st_gid \\\n", "0 16877 drwxr-xr-x 17696532 65025 2 585945 89939 \n", "1 16877 drwxr-xr-x 17832583 65025 3 585945 89939 \n", "2 33188 -rw-r--r-- 17696534 65025 1 585945 89939 \n", "3 33188 -rw-r--r-- 17696533 65025 1 585945 89939 \n", "\n", " st_size st_atime st_mtime st_ctime st_blocks st_blksize \\\n", "0 4096 1567157599 1567157599 1567157599 8 4096 \n", "1 4096 1567157734 1567157599 1567157599 8 4096 \n", "2 70 1567158029 1567157649 1567157649 8 4096 \n", "3 23 1567158209 1567157627 1567157627 8 4096 \n", "\n", " st_rdev pathspec.pathtype pathspec.path pathspec.path_options \\\n", "0 0 OS /tmp/foo/baz/dir1 CASE_LITERAL \n", "1 0 OS /tmp/foo/baz/dir2 CASE_LITERAL \n", "2 0 OS /tmp/foo/baz/file1 CASE_LITERAL \n", "3 0 OS /tmp/foo/baz/file2 CASE_LITERAL \n", "\n", " st_flags_osx st_flags_linux \n", "0 0 524288 \n", "1 0 524288 \n", "2 0 524288 \n", "3 0 524288 " ] }, "execution_count": 80, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "%grr_ls /tmp/foo/baz -C" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 34 }, "colab_type": "code", "executionInfo": { "elapsed": 425, "status": "ok", "timestamp": 1563351698353, "user_tz": -120 }, "id": "pltMJ7s0PXpr", "outputId": "0c71a0fd-bcc5-4692-9c3e-3a92f45cb60c" }, "outputs": [ { "data": { "text/plain": [ "b'This is the first line\\nThis is the second line\\nThis is the third LINE\\n'" ] }, "execution_count": 81, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "%grr_head file1 -C" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "OggOgs4jQxVL" }, "source": [ "Grepping files is also possible. The `--fixed-strings` option (`-F` for short) makes the pattern a literal byte string instead of a regular expression; use it whenever an indicator contains regex metacharacters such as `.` or `[`. The `--hex-string` option (`-X` for short) lets you give the pattern as hex, which is how you search for non-printable bytes (`6c696e65` below is the hex encoding of `line`), and it combines with either mode. Each result row carries the byte offset and length of the match. Note in the outputs below that the regular-expression search also matches `LINE` at offset 65, whereas the fixed-string search is case-sensitive and returns only the two lowercase hits, so pick `-F` when exact bytes matter."
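The three switches are easy to confuse on a live hunt, so here is an added example (written for this page, not code from GRR or the grr_colab package) that reimplements the search modes over a byte string and reproduces the offsets the cells below report for `file1`. The file contents are constructed from the page's own `%grr_head file1 -C` output; the case-insensitive regex behaviour is an assumption inferred from those outputs rather than taken from the GRR source, and `grep_records` is a hypothetical helper that shapes hits like the magic's dataframe rows:

```python
import re
from dataclasses import dataclass

# Constructed sample input: the complete contents of /tmp/foo/baz/file1, copied
# from what the page's `%grr_head file1 -C` cell prints (70 bytes, which is also
# the st_size the stat cells report for file1).
FILE1 = b"This is the first line\nThis is the second line\nThis is the third LINE\n"


@dataclass(frozen=True)
class GrepHit:
    """One match, in the same shape as a row of the magic's dataframe."""
    offset: int
    length: int
    data: bytes


def grep_bytes(pattern, content, *, fixed_strings=False, hex_string=False):
    """Find every occurrence of `pattern` in `content`.

    The keyword switches mirror the magics: `hex_string` (-X) decodes the
    pattern from hex before anything else, `fixed_strings` (-F, or grr_fgrep)
    searches for those exact bytes, and otherwise the pattern is a regular
    expression.

    ASSUMPTION: the regular expression is compiled case-insensitively. That is
    inferred from the page's own output, where `%grr_grep "line"` also reported
    `LINE` at offset 65 while `%grr_grep -F "line"` did not.
    """
    if hex_string:
        needle = bytes.fromhex(pattern)
    elif isinstance(pattern, str):
        needle = pattern.encode()
    else:
        needle = pattern
    if not needle:
        raise ValueError("empty pattern")

    hits = []
    if fixed_strings:
        # Literal, case-sensitive, non-overlapping byte search.
        pos = content.find(needle)
        while pos != -1:
            hits.append(GrepHit(pos, len(needle), content[pos:pos + len(needle)]))
            pos = content.find(needle, pos + len(needle))
    else:
        for m in re.finditer(needle, content, re.IGNORECASE):
            hits.append(GrepHit(m.start(), m.end() - m.start(), m.group(0)))
    return hits


def grep_records(pattern, path, content, **switches):
    """Shape the hits like the dataframe rows the magics return."""
    return [
        {
            "offset": h.offset,
            "length": h.length,
            "data": h.data,
            "pathspec.pathtype": "OS",
            "pathspec.path": path,
        }
        for h in grep_bytes(pattern, content, **switches)
    ]


if __name__ == "__main__":
    cases = [
        ("grr_grep line", "line", {}),
        ("grr_grep -F line", "line", {"fixed_strings": True}),
        ("grr_grep -X 6c696e65", "6c696e65", {"hex_string": True}),
        ("grr_fgrep -X 6c696e65", "6c696e65", {"hex_string": True, "fixed_strings": True}),
        # A regex metacharacter: as a regex "." hits nearly every byte, as a
        # fixed string it hits nothing because file1 contains no period.
        ("grr_grep .", ".", {}),
        ("grr_fgrep .", ".", {"fixed_strings": True}),
    ]
    for label, pattern, switches in cases:
        hits = grep_bytes(pattern, FILE1, **switches)
        print(f"{label:24s} {len(hits):3d} hit(s) {[h.offset for h in hits][:5]}")
```

Run it directly to see the six cases side by side. The `.` case is the one that bites in practice: a regex search for an indicator such as an IP address or a DLL name will match far more than intended, while `-F` (or `grr_fgrep`) matches only those exact bytes.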
] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 142 }, "colab_type": "code", "executionInfo": { "elapsed": 16331, "status": "ok", "timestamp": 1563351714751, "user_tz": -120 }, "id": "lkKwsfMiRJau", "outputId": "bab97cb0-83d8-4f67-d594-185962e868ce" }, "outputs": [ { "data": { "text/html": [ "\u003cdiv\u003e\n", "\u003cstyle scoped\u003e\n", " .dataframe tbody tr th:only-of-type {\n", " vertical-align: middle;\n", " }\n", "\n", " .dataframe tbody tr th {\n", " vertical-align: top;\n", " }\n", "\n", " .dataframe thead th {\n", " text-align: right;\n", " }\n", "\u003c/style\u003e\n", "\u003ctable border=\"1\" class=\"dataframe\"\u003e\n", " \u003cthead\u003e\n", " \u003ctr style=\"text-align: right;\"\u003e\n", " \u003cth\u003e\u003c/th\u003e\n", " \u003cth\u003eoffset\u003c/th\u003e\n", " \u003cth\u003elength\u003c/th\u003e\n", " \u003cth\u003edata\u003c/th\u003e\n", " \u003cth\u003edata.pretty\u003c/th\u003e\n", " \u003cth\u003epathspec.pathtype\u003c/th\u003e\n", " \u003cth\u003epathspec.path\u003c/th\u003e\n", " \u003cth\u003epathspec.path_options\u003c/th\u003e\n", " \u003c/tr\u003e\n", " \u003c/thead\u003e\n", " \u003ctbody\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e0\u003c/th\u003e\n", " \u003ctd\u003e18\u003c/td\u003e\n", " \u003ctd\u003e4\u003c/td\u003e\n", " \u003ctd\u003eb'line'\u003c/td\u003e\n", " \u003ctd\u003eb'line'\u003c/td\u003e\n", " \u003ctd\u003eOS\u003c/td\u003e\n", " \u003ctd\u003e/tmp/foo/baz/file1\u003c/td\u003e\n", " \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e1\u003c/th\u003e\n", " \u003ctd\u003e42\u003c/td\u003e\n", " \u003ctd\u003e4\u003c/td\u003e\n", " \u003ctd\u003eb'line'\u003c/td\u003e\n", " \u003ctd\u003eb'line'\u003c/td\u003e\n", " \u003ctd\u003eOS\u003c/td\u003e\n", " \u003ctd\u003e/tmp/foo/baz/file1\u003c/td\u003e\n", " \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003ctr\u003e\n", " 
\u003cth\u003e2\u003c/th\u003e\n", " \u003ctd\u003e65\u003c/td\u003e\n", " \u003ctd\u003e4\u003c/td\u003e\n", " \u003ctd\u003eb'LINE'\u003c/td\u003e\n", " \u003ctd\u003eb'LINE'\u003c/td\u003e\n", " \u003ctd\u003eOS\u003c/td\u003e\n", " \u003ctd\u003e/tmp/foo/baz/file1\u003c/td\u003e\n", " \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003c/tbody\u003e\n", "\u003c/table\u003e\n", "\u003c/div\u003e" ], "text/plain": [ " offset length data data.pretty pathspec.pathtype pathspec.path \\\n", "0 18 4 b'line' b'line' OS /tmp/foo/baz/file1 \n", "1 42 4 b'line' b'line' OS /tmp/foo/baz/file1 \n", "2 65 4 b'LINE' b'LINE' OS /tmp/foo/baz/file1 \n", "\n", " pathspec.path_options \n", "0 CASE_LITERAL \n", "1 CASE_LITERAL \n", "2 CASE_LITERAL " ] }, "execution_count": 82, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "%grr_grep \"line\" file1" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 111 }, "colab_type": "code", "executionInfo": { "elapsed": 16618, "status": "ok", "timestamp": 1563351731436, "user_tz": -120 }, "id": "My9QheBUBYJD", "outputId": "fe4170a1-6172-4b8f-d45e-1a29d4e55d25" }, "outputs": [ { "data": { "text/html": [ "\u003cdiv\u003e\n", "\u003cstyle scoped\u003e\n", " .dataframe tbody tr th:only-of-type {\n", " vertical-align: middle;\n", " }\n", "\n", " .dataframe tbody tr th {\n", " vertical-align: top;\n", " }\n", "\n", " .dataframe thead th {\n", " text-align: right;\n", " }\n", "\u003c/style\u003e\n", "\u003ctable border=\"1\" class=\"dataframe\"\u003e\n", " \u003cthead\u003e\n", " \u003ctr style=\"text-align: right;\"\u003e\n", " \u003cth\u003e\u003c/th\u003e\n", " \u003cth\u003eoffset\u003c/th\u003e\n", " \u003cth\u003elength\u003c/th\u003e\n", " \u003cth\u003edata\u003c/th\u003e\n", " \u003cth\u003edata.pretty\u003c/th\u003e\n", " \u003cth\u003epathspec.pathtype\u003c/th\u003e\n", " \u003cth\u003epathspec.path\u003c/th\u003e\n", " 
\u003cth\u003epathspec.path_options\u003c/th\u003e\n", " \u003c/tr\u003e\n", " \u003c/thead\u003e\n", " \u003ctbody\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e0\u003c/th\u003e\n", " \u003ctd\u003e18\u003c/td\u003e\n", " \u003ctd\u003e4\u003c/td\u003e\n", " \u003ctd\u003eb'line'\u003c/td\u003e\n", " \u003ctd\u003eb'line'\u003c/td\u003e\n", " \u003ctd\u003eOS\u003c/td\u003e\n", " \u003ctd\u003e/tmp/foo/baz/file1\u003c/td\u003e\n", " \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e1\u003c/th\u003e\n", " \u003ctd\u003e42\u003c/td\u003e\n", " \u003ctd\u003e4\u003c/td\u003e\n", " \u003ctd\u003eb'line'\u003c/td\u003e\n", " \u003ctd\u003eb'line'\u003c/td\u003e\n", " \u003ctd\u003eOS\u003c/td\u003e\n", " \u003ctd\u003e/tmp/foo/baz/file1\u003c/td\u003e\n", " \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003c/tbody\u003e\n", "\u003c/table\u003e\n", "\u003c/div\u003e" ], "text/plain": [ " offset length data data.pretty pathspec.pathtype pathspec.path \\\n", "0 18 4 b'line' b'line' OS /tmp/foo/baz/file1 \n", "1 42 4 b'line' b'line' OS /tmp/foo/baz/file1 \n", "\n", " pathspec.path_options \n", "0 CASE_LITERAL \n", "1 CASE_LITERAL " ] }, "execution_count": 83, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "%grr_grep -F \"line\" file1" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": {}, "colab_type": "code", "id": "0x0y4Bt398ar", "outputId": "6009bdd3-fbe1-4330-9747-e4654f1c17eb" }, "outputs": [ { "data": { "text/html": [ "\u003cdiv\u003e\n", "\u003cstyle scoped\u003e\n", " .dataframe tbody tr th:only-of-type {\n", " vertical-align: middle;\n", " }\n", "\n", " .dataframe tbody tr th {\n", " vertical-align: top;\n", " }\n", "\n", " .dataframe thead th {\n", " text-align: right;\n", " }\n", "\u003c/style\u003e\n", "\u003ctable border=\"1\" class=\"dataframe\"\u003e\n", " \u003cthead\u003e\n", " \u003ctr style=\"text-align: right;\"\u003e\n", 
" \u003cth\u003e\u003c/th\u003e\n", " \u003cth\u003eoffset\u003c/th\u003e\n", " \u003cth\u003elength\u003c/th\u003e\n", " \u003cth\u003edata\u003c/th\u003e\n", " \u003cth\u003edata.pretty\u003c/th\u003e\n", " \u003cth\u003epathspec.pathtype\u003c/th\u003e\n", " \u003cth\u003epathspec.path\u003c/th\u003e\n", " \u003cth\u003epathspec.path_options\u003c/th\u003e\n", " \u003c/tr\u003e\n", " \u003c/thead\u003e\n", " \u003ctbody\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e0\u003c/th\u003e\n", " \u003ctd\u003e18\u003c/td\u003e\n", " \u003ctd\u003e4\u003c/td\u003e\n", " \u003ctd\u003eb'line'\u003c/td\u003e\n", " \u003ctd\u003eb'line'\u003c/td\u003e\n", " \u003ctd\u003eOS\u003c/td\u003e\n", " \u003ctd\u003e/tmp/foo/baz/file1\u003c/td\u003e\n", " \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e1\u003c/th\u003e\n", " \u003ctd\u003e42\u003c/td\u003e\n", " \u003ctd\u003e4\u003c/td\u003e\n", " \u003ctd\u003eb'line'\u003c/td\u003e\n", " \u003ctd\u003eb'line'\u003c/td\u003e\n", " \u003ctd\u003eOS\u003c/td\u003e\n", " \u003ctd\u003e/tmp/foo/baz/file1\u003c/td\u003e\n", " \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e2\u003c/th\u003e\n", " \u003ctd\u003e65\u003c/td\u003e\n", " \u003ctd\u003e4\u003c/td\u003e\n", " \u003ctd\u003eb'LINE'\u003c/td\u003e\n", " \u003ctd\u003eb'LINE'\u003c/td\u003e\n", " \u003ctd\u003eOS\u003c/td\u003e\n", " \u003ctd\u003e/tmp/foo/baz/file1\u003c/td\u003e\n", " \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003c/tbody\u003e\n", "\u003c/table\u003e\n", "\u003c/div\u003e" ], "text/plain": [ " offset length data data.pretty pathspec.pathtype pathspec.path \\\n", "0 18 4 b'line' b'line' OS /tmp/foo/baz/file1 \n", "1 42 4 b'line' b'line' OS /tmp/foo/baz/file1 \n", "2 65 4 b'LINE' b'LINE' OS /tmp/foo/baz/file1 \n", "\n", " pathspec.path_options \n", "0 CASE_LITERAL \n", "1 CASE_LITERAL \n", "2 CASE_LITERAL " ] }, 
"execution_count": 84, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "%grr_grep -X \"6c696e65\" file1" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "qR5t9eP7BfOK" }, "source": [ "`grr_fgrep` is a shortcut for `grr_grep --fixed-strings`. Globbing is available here as well, so one call can search several files; each offset is relative to the file named in that row." ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 32 }, "colab_type": "code", "executionInfo": { "elapsed": 16254, "status": "ok", "timestamp": 1563984785932, "user_tz": -120 }, "id": "Sil8JPOdBoxy", "outputId": "db962b0c-f5d9-493e-b24e-dff3b9c39ef5" }, "outputs": [ { "data": { "text/html": [ "\u003cdiv\u003e\n", "\u003cstyle scoped\u003e\n", " .dataframe tbody tr th:only-of-type {\n", " vertical-align: middle;\n", " }\n", "\n", " .dataframe tbody tr th {\n", " vertical-align: top;\n", " }\n", "\n", " .dataframe thead th {\n", " text-align: right;\n", " }\n", "\u003c/style\u003e\n", "\u003ctable border=\"1\" class=\"dataframe\"\u003e\n", " \u003cthead\u003e\n", " \u003ctr style=\"text-align: right;\"\u003e\n", " \u003cth\u003e\u003c/th\u003e\n", " \u003cth\u003eoffset\u003c/th\u003e\n", " \u003cth\u003elength\u003c/th\u003e\n", " \u003cth\u003edata\u003c/th\u003e\n", " \u003cth\u003edata.pretty\u003c/th\u003e\n", " \u003cth\u003epathspec.pathtype\u003c/th\u003e\n", " \u003cth\u003epathspec.path\u003c/th\u003e\n", " \u003cth\u003epathspec.path_options\u003c/th\u003e\n", " \u003c/tr\u003e\n", " \u003c/thead\u003e\n", " \u003ctbody\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e0\u003c/th\u003e\n", " \u003ctd\u003e18\u003c/td\u003e\n", " \u003ctd\u003e4\u003c/td\u003e\n", " \u003ctd\u003eb'line'\u003c/td\u003e\n", " \u003ctd\u003eb'line'\u003c/td\u003e\n", " \u003ctd\u003eOS\u003c/td\u003e\n", " \u003ctd\u003e/tmp/foo/baz/file1\u003c/td\u003e\n", " \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e1\u003c/th\u003e\n", " \u003ctd\u003e42\u003c/td\u003e\n", " 
\u003ctd\u003e4\u003c/td\u003e\n", " \u003ctd\u003eb'line'\u003c/td\u003e\n", " \u003ctd\u003eb'line'\u003c/td\u003e\n", " \u003ctd\u003eOS\u003c/td\u003e\n", " \u003ctd\u003e/tmp/foo/baz/file1\u003c/td\u003e\n", " \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e2\u003c/th\u003e\n", " \u003ctd\u003e18\u003c/td\u003e\n", " \u003ctd\u003e4\u003c/td\u003e\n", " \u003ctd\u003eb'line'\u003c/td\u003e\n", " \u003ctd\u003eb'line'\u003c/td\u003e\n", " \u003ctd\u003eOS\u003c/td\u003e\n", " \u003ctd\u003e/tmp/foo/baz/file2\u003c/td\u003e\n", " \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003c/tbody\u003e\n", "\u003c/table\u003e\n", "\u003c/div\u003e" ], "text/plain": [ " offset length data data.pretty pathspec.pathtype pathspec.path \\\n", "0 18 4 b'line' b'line' OS /tmp/foo/baz/file1 \n", "1 42 4 b'line' b'line' OS /tmp/foo/baz/file1 \n", "2 18 4 b'line' b'line' OS /tmp/foo/baz/file2 \n", "\n", " pathspec.path_options \n", "0 CASE_LITERAL \n", "1 CASE_LITERAL \n", "2 CASE_LITERAL " ] }, "execution_count": 85, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "%grr_fgrep \"line\" \"file*\"" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": {}, "colab_type": "code", "id": "IfBBFAS098aw", "outputId": "9b3ffb9c-0c2f-4ffe-b5a2-11bf94d668aa" }, "outputs": [ { "data": { "text/html": [ "\u003cdiv\u003e\n", "\u003cstyle scoped\u003e\n", " .dataframe tbody tr th:only-of-type {\n", " vertical-align: middle;\n", " }\n", "\n", " .dataframe tbody tr th {\n", " vertical-align: top;\n", " }\n", "\n", " .dataframe thead th {\n", " text-align: right;\n", " }\n", "\u003c/style\u003e\n", "\u003ctable border=\"1\" class=\"dataframe\"\u003e\n", " \u003cthead\u003e\n", " \u003ctr style=\"text-align: right;\"\u003e\n", " \u003cth\u003e\u003c/th\u003e\n", " \u003cth\u003eoffset\u003c/th\u003e\n", " \u003cth\u003elength\u003c/th\u003e\n", " 
\u003cth\u003edata\u003c/th\u003e\n", " \u003cth\u003edata.pretty\u003c/th\u003e\n", " \u003cth\u003epathspec.pathtype\u003c/th\u003e\n", " \u003cth\u003epathspec.path\u003c/th\u003e\n", " \u003cth\u003epathspec.path_options\u003c/th\u003e\n", " \u003c/tr\u003e\n", " \u003c/thead\u003e\n", " \u003ctbody\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e0\u003c/th\u003e\n", " \u003ctd\u003e18\u003c/td\u003e\n", " \u003ctd\u003e4\u003c/td\u003e\n", " \u003ctd\u003eb'line'\u003c/td\u003e\n", " \u003ctd\u003eb'line'\u003c/td\u003e\n", " \u003ctd\u003eOS\u003c/td\u003e\n", " \u003ctd\u003e/tmp/foo/baz/file1\u003c/td\u003e\n", " \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e1\u003c/th\u003e\n", " \u003ctd\u003e42\u003c/td\u003e\n", " \u003ctd\u003e4\u003c/td\u003e\n", " \u003ctd\u003eb'line'\u003c/td\u003e\n", " \u003ctd\u003eb'line'\u003c/td\u003e\n", " \u003ctd\u003eOS\u003c/td\u003e\n", " \u003ctd\u003e/tmp/foo/baz/file1\u003c/td\u003e\n", " \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003c/tbody\u003e\n", "\u003c/table\u003e\n", "\u003c/div\u003e" ], "text/plain": [ " offset length data data.pretty pathspec.pathtype pathspec.path \\\n", "0 18 4 b'line' b'line' OS /tmp/foo/baz/file1 \n", "1 42 4 b'line' b'line' OS /tmp/foo/baz/file1 \n", "\n", " pathspec.path_options \n", "0 CASE_LITERAL \n", "1 CASE_LITERAL " ] }, "execution_count": 86, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "%grr_fgrep -X \"6c696e65\" file1" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "0r9nn9cxQ9qk" }, "source": [ "If the file is too large to inspect with `grr_head` or `grr_grep` and you want the whole thing, use `grr_wget`. Instead of printing the contents it returns a download link on the GRR admin UI:" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 34 }, "colab_type": "code", "executionInfo": { "elapsed": 690, "status": "ok", "timestamp": 1564580549980, "user_tz": -120 }, "id": "NIhjTNMds4pP", "outputId":
"71dcc604-065f-4274-c0af-b547b1c5394b" }, "outputs": [ { "data": { "text/plain": [ "'http://localhost:8000//api/clients/C.dc3782aeab2c5b4c/vfs-blob/fs/os/tmp/foo/baz/file1'" ] }, "execution_count": 87, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "%grr_wget file1" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "NWELaMAwROtT" }, "source": [ "You can also download the cached version, which skips the client round trip and serves whatever the server last collected:" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 34 }, "colab_type": "code", "executionInfo": { "elapsed": 275, "status": "ok", "timestamp": 1564580590883, "user_tz": -120 }, "id": "5P-uy2IARMDK", "outputId": "829b6530-d9c3-4bc9-d567-ea70e5371b77" }, "outputs": [ { "data": { "text/plain": [ "'http://localhost:8000//api/clients/C.dc3782aeab2c5b4c/vfs-blob/fs/os/tmp/foo/baz/file1'" ] }, "execution_count": 88, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "%grr_wget file1 -C" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "NYOgdzRuDy45" }, "source": [ "You can specify the path type with the `--path-type` flag (`-P` for short) for all filesystem-related magics. The available values are `os` (default), `tsk`, `ntfs` and `registry`. `os` goes through the operating system file API; `tsk` and `ntfs` parse the raw block device instead, which is how GRR reads files the OS keeps locked; `registry` addresses Windows registry keys as if they were a filesystem."
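Whichever path type you pick, `grr_stat` and `grr_ls` return the same raw `st_*` integers, and a practitioner usually wants them decoded and screened rather than read by eye. The following is an added example written for this page (not GRR or grr_colab code): it turns rows shaped like the page's `%grr_ls` output into a symbolic mode (the same string as the `st_mode.pretty` column), UTC timestamps and decoded `st_flags_linux` bits, and flags setuid/setgid, world-writable, immutable/append-only and mtime-after-ctime entries. `PAGE_ROWS` is copied from the listing above; `SUSPECT_ROWS`, `describe` and `triage` are constructed for the example. On a real listing you would call `triage(df.to_dict('records'))` on the dataframe a magic returns, since the column names on the page are the dictionary keys used here:

```python
import stat
from datetime import datetime, timezone

# Inode flag bits from linux/fs.h that are worth surfacing from st_flags_linux.
LINUX_FLAGS = {
    0x00000010: "FS_IMMUTABLE_FL",
    0x00000020: "FS_APPEND_FL",
    0x00000040: "FS_NODUMP_FL",
    0x00000080: "FS_NOATIME_FL",
    0x00080000: "FS_EXTENT_FL",
}

# Constructed input: the four rows of the page's `%grr_ls /tmp/foo/baz` output,
# reduced to the columns this check reads (st_flags_linux 524288 is FS_EXTENT_FL).
PAGE_ROWS = [
    {"pathspec.path": "/tmp/foo/baz/dir1", "st_mode": 16877, "st_uid": 585945, "st_gid": 89939,
     "st_size": 4096, "st_atime": 1567157599, "st_mtime": 1567157599, "st_ctime": 1567157599,
     "st_flags_linux": 524288},
    {"pathspec.path": "/tmp/foo/baz/dir2", "st_mode": 16877, "st_uid": 585945, "st_gid": 89939,
     "st_size": 4096, "st_atime": 1567157734, "st_mtime": 1567157599, "st_ctime": 1567157599,
     "st_flags_linux": 524288},
    {"pathspec.path": "/tmp/foo/baz/file1", "st_mode": 33188, "st_uid": 585945, "st_gid": 89939,
     "st_size": 70, "st_atime": 1567158029, "st_mtime": 1567157649, "st_ctime": 1567157649,
     "st_flags_linux": 524288},
    {"pathspec.path": "/tmp/foo/baz/file2", "st_mode": 33188, "st_uid": 585945, "st_gid": 89939,
     "st_size": 23, "st_atime": 1567158209, "st_mtime": 1567157627, "st_ctime": 1567157627,
     "st_flags_linux": 524288},
]

# Constructed rows that are NOT on the page; each carries one condition the check flags.
SUSPECT_ROWS = [
    # setuid-root binary that was also made immutable (chattr +i)
    {"pathspec.path": "/tmp/foo/baz/helper", "st_mode": 0o104755, "st_uid": 0, "st_gid": 0,
     "st_size": 16384, "st_atime": 1567157649, "st_mtime": 1567157649, "st_ctime": 1567157649,
     "st_flags_linux": 0x00080010},
    # world-writable directory without the sticky bit
    {"pathspec.path": "/tmp/foo/baz/drop", "st_mode": 0o40777, "st_uid": 585945, "st_gid": 89939,
     "st_size": 4096, "st_atime": 1567157599, "st_mtime": 1567157599, "st_ctime": 1567157599,
     "st_flags_linux": 524288},
    # mtime ahead of ctime: ordinary writes set both to the same instant and even
    # utimes() bumps ctime to "now", so this ordering points at timestomping or
    # clock manipulation
    {"pathspec.path": "/tmp/foo/baz/file3", "st_mode": 33188, "st_uid": 585945, "st_gid": 89939,
     "st_size": 70, "st_atime": 1567158029, "st_mtime": 1600000000, "st_ctime": 1567157649,
     "st_flags_linux": 524288},
]


def decode_linux_flags(flags):
    """Names of the known st_flags_linux bits that are set, lowest bit first."""
    return [name for bit, name in sorted(LINUX_FLAGS.items()) if flags & bit]


def iso_utc(epoch):
    """GRR reports st_* times as Unix epoch seconds; render them as UTC."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def describe(row):
    """Decode one stat row and attach the findings a reviewer would want to see."""
    mode = row["st_mode"]
    flags = decode_linux_flags(row.get("st_flags_linux", 0))
    findings = []
    if mode & stat.S_ISUID:
        findings.append("setuid")
    if mode & stat.S_ISGID:
        findings.append("setgid")
    # A world-writable directory with the sticky bit (/tmp style) is normal.
    if mode & stat.S_IWOTH and not (stat.S_ISDIR(mode) and mode & stat.S_ISVTX):
        findings.append("world-writable")
    if row["st_mtime"] > row["st_ctime"]:
        findings.append("mtime newer than ctime (possible timestomping)")
    if "FS_IMMUTABLE_FL" in flags:
        findings.append("immutable")
    if "FS_APPEND_FL" in flags:
        findings.append("append-only")
    return {
        "path": row["pathspec.path"],
        "mode": stat.filemode(mode),  # same string as the st_mode.pretty column
        "owner": f"{row['st_uid']}:{row['st_gid']}",
        "size": row["st_size"],
        "atime": iso_utc(row["st_atime"]),
        "mtime": iso_utc(row["st_mtime"]),
        "ctime": iso_utc(row["st_ctime"]),
        "linux_flags": flags,
        "findings": findings,
    }


def triage(rows):
    """Only the rows that have at least one finding."""
    return [d for d in map(describe, rows) if d["findings"]]


if __name__ == "__main__":
    for entry in map(describe, PAGE_ROWS + SUSPECT_ROWS):
        marker = "!!" if entry["findings"] else "  "
        print(f"{marker} {entry['mode']} {entry['owner']:>14} {entry['mtime']} "
              f"{entry['path']:22s} {', '.join(entry['findings'])}")
```

The four rows from the page produce no findings, which is the point of the check: on a listing of hundreds of entries you read only what `triage` returns. `st_flags_linux` is read with a default of 0 because the column is meaningless for non-Linux clients.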
] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": {}, "colab_type": "code", "id": "D8kDlt0xDy45", "outputId": "c8b67594-bc1c-45d9-ddf0-c02c337eb6e4" }, "outputs": [ { "data": { "text/html": [ "\u003cdiv\u003e\n", "\u003cstyle scoped\u003e\n", " .dataframe tbody tr th:only-of-type {\n", " vertical-align: middle;\n", " }\n", "\n", " .dataframe tbody tr th {\n", " vertical-align: top;\n", " }\n", "\n", " .dataframe thead th {\n", " text-align: right;\n", " }\n", "\u003c/style\u003e\n", "\u003ctable border=\"1\" class=\"dataframe\"\u003e\n", " \u003cthead\u003e\n", " \u003ctr style=\"text-align: right;\"\u003e\n", " \u003cth\u003e\u003c/th\u003e\n", " \u003cth\u003est_mode\u003c/th\u003e\n", " \u003cth\u003est_mode.pretty\u003c/th\u003e\n", " \u003cth\u003est_ino\u003c/th\u003e\n", " \u003cth\u003est_dev\u003c/th\u003e\n", " \u003cth\u003est_nlink\u003c/th\u003e\n", " \u003cth\u003est_uid\u003c/th\u003e\n", " \u003cth\u003est_gid\u003c/th\u003e\n", " \u003cth\u003est_size\u003c/th\u003e\n", " \u003cth\u003est_atime\u003c/th\u003e\n", " \u003cth\u003est_mtime\u003c/th\u003e\n", " \u003cth\u003est_ctime\u003c/th\u003e\n", " \u003cth\u003est_blocks\u003c/th\u003e\n", " \u003cth\u003est_blksize\u003c/th\u003e\n", " \u003cth\u003est_rdev\u003c/th\u003e\n", " \u003cth\u003epathspec.pathtype\u003c/th\u003e\n", " \u003cth\u003epathspec.path\u003c/th\u003e\n", " \u003cth\u003epathspec.path_options\u003c/th\u003e\n", " \u003cth\u003est_flags_osx\u003c/th\u003e\n", " \u003cth\u003est_flags_linux\u003c/th\u003e\n", " \u003c/tr\u003e\n", " \u003c/thead\u003e\n", " \u003ctbody\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e0\u003c/th\u003e\n", " \u003ctd\u003e16877\u003c/td\u003e\n", " \u003ctd\u003edrwxr-xr-x\u003c/td\u003e\n", " \u003ctd\u003e17696532\u003c/td\u003e\n", " \u003ctd\u003e65025\u003c/td\u003e\n", " \u003ctd\u003e2\u003c/td\u003e\n", " \u003ctd\u003e585945\u003c/td\u003e\n", " \u003ctd\u003e89939\u003c/td\u003e\n", " 
\u003ctd\u003e4096\u003c/td\u003e\n", " \u003ctd\u003e1567157599\u003c/td\u003e\n", " \u003ctd\u003e1567157599\u003c/td\u003e\n", " \u003ctd\u003e1567157599\u003c/td\u003e\n", " \u003ctd\u003e8\u003c/td\u003e\n", " \u003ctd\u003e4096\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003eOS\u003c/td\u003e\n", " \u003ctd\u003e/tmp/foo/baz/dir1\u003c/td\u003e\n", " \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003e524288\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e1\u003c/th\u003e\n", " \u003ctd\u003e16877\u003c/td\u003e\n", " \u003ctd\u003edrwxr-xr-x\u003c/td\u003e\n", " \u003ctd\u003e17832583\u003c/td\u003e\n", " \u003ctd\u003e65025\u003c/td\u003e\n", " \u003ctd\u003e3\u003c/td\u003e\n", " \u003ctd\u003e585945\u003c/td\u003e\n", " \u003ctd\u003e89939\u003c/td\u003e\n", " \u003ctd\u003e4096\u003c/td\u003e\n", " \u003ctd\u003e1567157734\u003c/td\u003e\n", " \u003ctd\u003e1567157599\u003c/td\u003e\n", " \u003ctd\u003e1567157599\u003c/td\u003e\n", " \u003ctd\u003e8\u003c/td\u003e\n", " \u003ctd\u003e4096\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003eOS\u003c/td\u003e\n", " \u003ctd\u003e/tmp/foo/baz/dir2\u003c/td\u003e\n", " \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003e524288\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e2\u003c/th\u003e\n", " \u003ctd\u003e33188\u003c/td\u003e\n", " \u003ctd\u003e-rw-r--r--\u003c/td\u003e\n", " \u003ctd\u003e17696534\u003c/td\u003e\n", " \u003ctd\u003e65025\u003c/td\u003e\n", " \u003ctd\u003e1\u003c/td\u003e\n", " \u003ctd\u003e585945\u003c/td\u003e\n", " \u003ctd\u003e89939\u003c/td\u003e\n", " \u003ctd\u003e70\u003c/td\u003e\n", " \u003ctd\u003e1567158029\u003c/td\u003e\n", " \u003ctd\u003e1567157649\u003c/td\u003e\n", " \u003ctd\u003e1567157649\u003c/td\u003e\n", " \u003ctd\u003e8\u003c/td\u003e\n", " 
\u003ctd\u003e4096\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003eOS\u003c/td\u003e\n", " \u003ctd\u003e/tmp/foo/baz/file1\u003c/td\u003e\n", " \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003e524288\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e3\u003c/th\u003e\n", " \u003ctd\u003e33188\u003c/td\u003e\n", " \u003ctd\u003e-rw-r--r--\u003c/td\u003e\n", " \u003ctd\u003e17696533\u003c/td\u003e\n", " \u003ctd\u003e65025\u003c/td\u003e\n", " \u003ctd\u003e1\u003c/td\u003e\n", " \u003ctd\u003e585945\u003c/td\u003e\n", " \u003ctd\u003e89939\u003c/td\u003e\n", " \u003ctd\u003e23\u003c/td\u003e\n", " \u003ctd\u003e1567158209\u003c/td\u003e\n", " \u003ctd\u003e1567157627\u003c/td\u003e\n", " \u003ctd\u003e1567157627\u003c/td\u003e\n", " \u003ctd\u003e8\u003c/td\u003e\n", " \u003ctd\u003e4096\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003eOS\u003c/td\u003e\n", " \u003ctd\u003e/tmp/foo/baz/file2\u003c/td\u003e\n", " \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003e524288\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003c/tbody\u003e\n", "\u003c/table\u003e\n", "\u003c/div\u003e" ], "text/plain": [ " st_mode st_mode.pretty st_ino st_dev st_nlink st_uid st_gid \\\n", "0 16877 drwxr-xr-x 17696532 65025 2 585945 89939 \n", "1 16877 drwxr-xr-x 17832583 65025 3 585945 89939 \n", "2 33188 -rw-r--r-- 17696534 65025 1 585945 89939 \n", "3 33188 -rw-r--r-- 17696533 65025 1 585945 89939 \n", "\n", " st_size st_atime st_mtime st_ctime st_blocks st_blksize \\\n", "0 4096 1567157599 1567157599 1567157599 8 4096 \n", "1 4096 1567157734 1567157599 1567157599 8 4096 \n", "2 70 1567158029 1567157649 1567157649 8 4096 \n", "3 23 1567158209 1567157627 1567157627 8 4096 \n", "\n", " st_rdev pathspec.pathtype pathspec.path pathspec.path_options \\\n", "0 0 OS /tmp/foo/baz/dir1 CASE_LITERAL \n", "1 0 OS /tmp/foo/baz/dir2 
CASE_LITERAL \n", "2 0 OS /tmp/foo/baz/file1 CASE_LITERAL \n", "3 0 OS /tmp/foo/baz/file2 CASE_LITERAL \n", "\n", " st_flags_osx st_flags_linux \n", "0 0 524288 \n", "1 0 524288 \n", "2 0 524288 \n", "3 0 524288 " ] }, "execution_count": 89, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "%grr_ls -P os -C" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "czHvTr5SGVrD" }, "source": [ "### System information" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "JsZY4a0iDJaW" }, "source": [ "The function names match their bash counterparts for simplicity." ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "Iwk1_PKZDZSF" }, "source": [ "Printing the hostname of the client:" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": {}, "colab_type": "code", "id": "WnZUZlF2CdIh" }, "outputs": [], "source": [ "%grr_hostname" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "SlHDujKvDdvH" }, "source": [ "Getting network interface info:" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": {}, "colab_type": "code", "id": "mNuaPAXkCkrG" }, "outputs": [], "source": [ "ifaces = %grr_ifconfig " ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "WjfszQz5CzY5" }, "source": [ "For MAC address fields there are two columns: one with the original `bytes` value, which is not human-readable, and a `.pretty` one with the string representation of the MAC address." 
] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 111 }, "colab_type": "code", "executionInfo": { "elapsed": 53, "status": "ok", "timestamp": 1563441679247, "user_tz": -120 }, "id": "W0kCtinHCi1v", "outputId": "14c96b09-6964-46cc-c4ee-5882002fbd52" }, "outputs": [ { "data": { "text/html": [ "\u003cdiv\u003e\n", "\u003cstyle scoped\u003e\n", " .dataframe tbody tr th:only-of-type {\n", " vertical-align: middle;\n", " }\n", "\n", " .dataframe tbody tr th {\n", " vertical-align: top;\n", " }\n", "\n", " .dataframe thead th {\n", " text-align: right;\n", " }\n", "\u003c/style\u003e\n", "\u003ctable border=\"1\" class=\"dataframe\"\u003e\n", " \u003cthead\u003e\n", " \u003ctr style=\"text-align: right;\"\u003e\n", " \u003cth\u003e\u003c/th\u003e\n", " \u003cth\u003emac_address\u003c/th\u003e\n", " \u003cth\u003emac_address.pretty\u003c/th\u003e\n", " \u003c/tr\u003e\n", " \u003c/thead\u003e\n", " \u003ctbody\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e1\u003c/th\u003e\n", " \u003ctd\u003eb'\\x00\\x00\\x00\\x00\\x00\\x00'\u003c/td\u003e\n", " \u003ctd\u003e00:00:00:00:00:00\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003c/tbody\u003e\n", "\u003c/table\u003e\n", "\u003c/div\u003e" ], "text/plain": [ " mac_address mac_address.pretty\n", "1 b'\\x00\\x00\\x00\\x00\\x00\\x00' 00:00:00:00:00:00" ] }, "execution_count": 91, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "ifaces[['mac_address', 'mac_address.pretty']][1:]" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "QPVhNz-3Drul" }, "source": [ "If a field contains a collection then the cell in the dataframe is represented as another dataframe. IP address fields also have two representations." 
] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 142 }, "colab_type": "code", "executionInfo": { "elapsed": 35, "status": "ok", "timestamp": 1563444452885, "user_tz": -120 }, "id": "efpRK-m8Dlyl", "outputId": "c0105d07-0c24-4857-ad00-7020b0f8b086" }, "outputs": [ { "data": { "text/html": [ "\u003cdiv\u003e\n", "\u003cstyle scoped\u003e\n", " .dataframe tbody tr th:only-of-type {\n", " vertical-align: middle;\n", " }\n", "\n", " .dataframe tbody tr th {\n", " vertical-align: top;\n", " }\n", "\n", " .dataframe thead th {\n", " text-align: right;\n", " }\n", "\u003c/style\u003e\n", "\u003ctable border=\"1\" class=\"dataframe\"\u003e\n", " \u003cthead\u003e\n", " \u003ctr style=\"text-align: right;\"\u003e\n", " \u003cth\u003e\u003c/th\u003e\n", " \u003cth\u003eaddress_type\u003c/th\u003e\n", " \u003cth\u003epacked_bytes\u003c/th\u003e\n", " \u003cth\u003epacked_bytes.pretty\u003c/th\u003e\n", " \u003c/tr\u003e\n", " \u003c/thead\u003e\n", " \u003ctbody\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e0\u003c/th\u003e\n", " \u003ctd\u003eINET\u003c/td\u003e\n", " \u003ctd\u003eb'\\x7f\\x00\\x00\\x01'\u003c/td\u003e\n", " \u003ctd\u003e127.0.0.1\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e1\u003c/th\u003e\n", " \u003ctd\u003eINET6\u003c/td\u003e\n", " \u003ctd\u003eb'\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00...\u003c/td\u003e\n", " \u003ctd\u003e::1\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003c/tbody\u003e\n", "\u003c/table\u003e\n", "\u003c/div\u003e" ], "text/plain": [ " address_type packed_bytes \\\n", "0 INET b'\\x7f\\x00\\x00\\x01' \n", "1 INET6 b'\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00... 
\n", "\n", " packed_bytes.pretty \n", "0 127.0.0.1 \n", "1 ::1 " ] }, "execution_count": 92, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "ifaces['addresses'][1]" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "Q-FNhF5rEWC7" }, "source": [ "For the `uname` command only two options are available: `--machine` (`-m`), which prints the machine architecture, and `--kernel-release` (`-r`), which prints the kernel release." ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 34 }, "colab_type": "code", "executionInfo": { "elapsed": 221, "status": "ok", "timestamp": 1563352562153, "user_tz": -120 }, "id": "Hmj3MJw-EqZa", "outputId": "1f0e9f91-c8e6-4be9-fbfc-65767df4434e" }, "outputs": [ { "data": { "text/plain": [ "'x86_64'" ] }, "execution_count": 93, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "%grr_uname -m" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 34 }, "colab_type": "code", "executionInfo": { "elapsed": 25, "status": "ok", "timestamp": 1563352563896, "user_tz": -120 }, "id": "jSrY9XYGEsoi", "outputId": "f1e160ff-3807-4f56-e3fa-31af25ea9936" }, "outputs": [ { "data": { "text/plain": [ "'4.19.37-5rodete4-amd64'" ] }, "execution_count": 94, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "%grr_uname -r" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "q5p55987E2-p" }, "source": [ "To get the client summary, run the Interrogate flow. 
" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 117 }, "colab_type": "code", "executionInfo": { "elapsed": 31886, "status": "ok", "timestamp": 1563352720794, "user_tz": -120 }, "id": "zeFrHVBLE-G5", "outputId": "665311dd-5ac0-40fe-8a91-dcd1d3cdeeba" }, "outputs": [ { "data": { "text/html": [ "\u003cdiv\u003e\n", "\u003cstyle scoped\u003e\n", " .dataframe tbody tr th:only-of-type {\n", " vertical-align: middle;\n", " }\n", "\n", " .dataframe tbody tr th {\n", " vertical-align: top;\n", " }\n", "\n", " .dataframe thead th {\n", " text-align: right;\n", " }\n", "\u003c/style\u003e\n", "\u003ctable border=\"1\" class=\"dataframe\"\u003e\n", " \u003cthead\u003e\n", " \u003ctr style=\"text-align: right;\"\u003e\n", " \u003cth\u003e\u003c/th\u003e\n", " \u003cth\u003eclient_id\u003c/th\u003e\n", " \u003cth\u003esystem_info.system\u003c/th\u003e\n", " \u003cth\u003esystem_info.machine\u003c/th\u003e\n", " \u003c/tr\u003e\n", " \u003c/thead\u003e\n", " \u003ctbody\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e0\u003c/th\u003e\n", " \u003ctd\u003eaff4:/C.dc3782aeab2c5b4c\u003c/td\u003e\n", " \u003ctd\u003eLinux\u003c/td\u003e\n", " \u003ctd\u003ex86_64\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003c/tbody\u003e\n", "\u003c/table\u003e\n", "\u003c/div\u003e" ], "text/plain": [ " client_id system_info.system system_info.machine\n", "0 aff4:/C.dc3782aeab2c5b4c Linux x86_64" ] }, "execution_count": 97, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "df = %grr_interrogate\n", "df[['client_id', 'system_info.system', 'system_info.machine']]" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "lPq0waOUFFsK" }, "source": [ "There is also possible to get info about processes that are running on client machine:" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 241 }, "colab_type": "code", "executionInfo": { "elapsed": 22535, "status": "ok", "timestamp": 
1563352905917, "user_tz": -120 }, "id": "yhcCXQ4LFFBp", "outputId": "a12b523c-0e5c-40af-8dca-78b925cf4151" }, "outputs": [ { "data": { "text/html": [ "\u003cdiv\u003e\n", "\u003cstyle scoped\u003e\n", " .dataframe tbody tr th:only-of-type {\n", " vertical-align: middle;\n", " }\n", "\n", " .dataframe tbody tr th {\n", " vertical-align: top;\n", " }\n", "\n", " .dataframe thead th {\n", " text-align: right;\n", " }\n", "\u003c/style\u003e\n", "\u003ctable border=\"1\" class=\"dataframe\"\u003e\n", " \u003cthead\u003e\n", " \u003ctr style=\"text-align: right;\"\u003e\n", " \u003cth\u003e\u003c/th\u003e\n", " \u003cth\u003epid\u003c/th\u003e\n", " \u003cth\u003eppid\u003c/th\u003e\n", " \u003cth\u003ename\u003c/th\u003e\n", " \u003cth\u003eexe\u003c/th\u003e\n", " \u003cth\u003ecmdline\u003c/th\u003e\n", " \u003cth\u003ectime\u003c/th\u003e\n", " \u003cth\u003ereal_uid\u003c/th\u003e\n", " \u003cth\u003eeffective_uid\u003c/th\u003e\n", " \u003cth\u003esaved_uid\u003c/th\u003e\n", " \u003cth\u003ereal_gid\u003c/th\u003e\n", " \u003cth\u003e...\u003c/th\u003e\n", " \u003cth\u003estatus\u003c/th\u003e\n", " \u003cth\u003enice\u003c/th\u003e\n", " \u003cth\u003ecwd\u003c/th\u003e\n", " \u003cth\u003enum_threads\u003c/th\u003e\n", " \u003cth\u003euser_cpu_time\u003c/th\u003e\n", " \u003cth\u003esystem_cpu_time\u003c/th\u003e\n", " \u003cth\u003eRSS_size\u003c/th\u003e\n", " \u003cth\u003eVMS_size\u003c/th\u003e\n", " \u003cth\u003ememory_percent\u003c/th\u003e\n", " \u003cth\u003econnections\u003c/th\u003e\n", " \u003c/tr\u003e\n", " \u003c/thead\u003e\n", " \u003ctbody\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e0\u003c/th\u003e\n", " \u003ctd\u003e1\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003esystemd\u003c/td\u003e\n", " \u003ctd\u003e/usr/lib/systemd/systemd\u003c/td\u003e\n", " \u003ctd\u003e0\n", "0 /lib/systemd/system...\u003c/td\u003e\n", " \u003ctd\u003e1565017014530000\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " 
\u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003e...\u003c/td\u003e\n", " \u003ctd\u003esleeping\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003e/\u003c/td\u003e\n", " \u003ctd\u003e1\u003c/td\u003e\n", " \u003ctd\u003e78.779999\u003c/td\u003e\n", " \u003ctd\u003e53.02000\u003c/td\u003e\n", " \u003ctd\u003e9670656\u003c/td\u003e\n", " \u003ctd\u003e230248448\u003c/td\u003e\n", " \u003ctd\u003e0.014377\u003c/td\u003e\n", " \u003ctd\u003eNaN\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e1\u003c/th\u003e\n", " \u003ctd\u003e520\u003c/td\u003e\n", " \u003ctd\u003e1\u003c/td\u003e\n", " \u003ctd\u003elvmetad\u003c/td\u003e\n", " \u003ctd\u003e/usr/sbin/lvmetad\u003c/td\u003e\n", " \u003ctd\u003e0\n", "0 /sbin/lvmetad\n", "1 ...\u003c/td\u003e\n", " \u003ctd\u003e1565017041170000\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003e...\u003c/td\u003e\n", " \u003ctd\u003esleeping\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003e/\u003c/td\u003e\n", " \u003ctd\u003e1\u003c/td\u003e\n", " \u003ctd\u003e0.050000\u003c/td\u003e\n", " \u003ctd\u003e0.05000\u003c/td\u003e\n", " \u003ctd\u003e1937408\u003c/td\u003e\n", " \u003ctd\u003e108138496\u003c/td\u003e\n", " \u003ctd\u003e0.002880\u003c/td\u003e\n", " \u003ctd\u003eNaN\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e2\u003c/th\u003e\n", " \u003ctd\u003e759\u003c/td\u003e\n", " \u003ctd\u003e1\u003c/td\u003e\n", " \u003ctd\u003erpc.svcgssd\u003c/td\u003e\n", " \u003ctd\u003e/usr/sbin/rpc.svcgssd\u003c/td\u003e\n", " \u003ctd\u003e0\n", "0 /usr/sbin/rpc.svcgssd\u003c/td\u003e\n", " \u003ctd\u003e1565017041590000\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " 
\u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003e...\u003c/td\u003e\n", " \u003ctd\u003esleeping\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003e/\u003c/td\u003e\n", " \u003ctd\u003e1\u003c/td\u003e\n", " \u003ctd\u003e0.000000\u003c/td\u003e\n", " \u003ctd\u003e0.00000\u003c/td\u003e\n", " \u003ctd\u003e3215360\u003c/td\u003e\n", " \u003ctd\u003e31694848\u003c/td\u003e\n", " \u003ctd\u003e0.004780\u003c/td\u003e\n", " \u003ctd\u003eNaN\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e3\u003c/th\u003e\n", " \u003ctd\u003e760\u003c/td\u003e\n", " \u003ctd\u003e1\u003c/td\u003e\n", " \u003ctd\u003erpc.gssd\u003c/td\u003e\n", " \u003ctd\u003e/usr/sbin/rpc.gssd\u003c/td\u003e\n", " \u003ctd\u003e0\n", "0 /usr/sbin/rpc.gssd\n", "1 ...\u003c/td\u003e\n", " \u003ctd\u003e1565017041600000\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003e...\u003c/td\u003e\n", " \u003ctd\u003esleeping\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003e/run/rpc_pipefs\u003c/td\u003e\n", " \u003ctd\u003e1\u003c/td\u003e\n", " \u003ctd\u003e0.000000\u003c/td\u003e\n", " \u003ctd\u003e0.00000\u003c/td\u003e\n", " \u003ctd\u003e299008\u003c/td\u003e\n", " \u003ctd\u003e27766784\u003c/td\u003e\n", " \u003ctd\u003e0.000445\u003c/td\u003e\n", " \u003ctd\u003eNaN\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e4\u003c/th\u003e\n", " \u003ctd\u003e848\u003c/td\u003e\n", " \u003ctd\u003e1\u003c/td\u003e\n", " \u003ctd\u003emgagentxp_script_runner.par\u003c/td\u003e\n", " \u003ctd\u003e/usr/bin/mgagentxp_script_runner.par\u003c/td\u003e\n", " \u003ctd\u003e...\u003c/td\u003e\n", " \u003ctd\u003e1565017042310000\u003c/td\u003e\n", " \u003ctd\u003e65534\u003c/td\u003e\n", " \u003ctd\u003e65534\u003c/td\u003e\n", " 
\u003ctd\u003e65534\u003c/td\u003e\n", " \u003ctd\u003e1001\u003c/td\u003e\n", " \u003ctd\u003e...\u003c/td\u003e\n", " \u003ctd\u003esleeping\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003e/\u003c/td\u003e\n", " \u003ctd\u003e5\u003c/td\u003e\n", " \u003ctd\u003e424.779999\u003c/td\u003e\n", " \u003ctd\u003e490.51001\u003c/td\u003e\n", " \u003ctd\u003e25403392\u003c/td\u003e\n", " \u003ctd\u003e1131827200\u003c/td\u003e\n", " \u003ctd\u003e0.037767\u003c/td\u003e\n", " \u003ctd\u003eNaN\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003c/tbody\u003e\n", "\u003c/table\u003e\n", "\u003cp\u003e5 rows × 24 columns\u003c/p\u003e\n", "\u003c/div\u003e" ], "text/plain": [ " pid ppid name \\\n", "0 1 0 systemd \n", "1 520 1 lvmetad \n", "2 759 1 rpc.svcgssd \n", "3 760 1 rpc.gssd \n", "4 848 1 mgagentxp_script_runner.par \n", "\n", " exe \\\n", "0 /usr/lib/systemd/systemd \n", "1 /usr/sbin/lvmetad \n", "2 /usr/sbin/rpc.svcgssd \n", "3 /usr/sbin/rpc.gssd \n", "4 /usr/bin/mgagentxp_script_runner.par \n", "\n", " cmdline ctime \\\n", "0 0\n", "0 /lib/systemd/system... 1565017014530000 \n", "1 0\n", "0 /sbin/lvmetad\n", "1 ... 1565017041170000 \n", "2 0\n", "0 /usr/sbin/rpc.svcgssd 1565017041590000 \n", "3 0\n", "0 /usr/sbin/rpc.gssd\n", "1 ... 1565017041600000 \n", "4 ... 1565017042310000 \n", "\n", " real_uid effective_uid saved_uid real_gid ... status nice \\\n", "0 0 0 0 0 ... sleeping 0 \n", "1 0 0 0 0 ... sleeping 0 \n", "2 0 0 0 0 ... sleeping 0 \n", "3 0 0 0 0 ... sleeping 0 \n", "4 65534 65534 65534 1001 ... 
sleeping 0 \n", "\n", " cwd num_threads user_cpu_time system_cpu_time RSS_size \\\n", "0 / 1 78.779999 53.02000 9670656 \n", "1 / 1 0.050000 0.05000 1937408 \n", "2 / 1 0.000000 0.00000 3215360 \n", "3 /run/rpc_pipefs 1 0.000000 0.00000 299008 \n", "4 / 5 424.779999 490.51001 25403392 \n", "\n", " VMS_size memory_percent connections \n", "0 230248448 0.014377 NaN \n", "1 108138496 0.002880 NaN \n", "2 31694848 0.004780 NaN \n", "3 27766784 0.000445 NaN \n", "4 1131827200 0.037767 NaN \n", "\n", "[5 rows x 24 columns]" ] }, "execution_count": 98, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "ps = %grr_ps\n", "ps[:5]" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "2U7Riu4HFnWA" }, "source": [ "To fetch some system information you can also use osquery. Osquery tables are also converted to dataframes." ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 328 }, "colab_type": "code", "executionInfo": { "elapsed": 16312, "status": "ok", "timestamp": 1564582660644, "user_tz": -120 }, "id": "yNyEQf2tGGNQ", "outputId": "59f9f7f5-8cb6-4b45-e158-01c7a93a3c7a" }, "outputs": [ { "data": { "text/html": [ "\u003cdiv\u003e\n", "\u003cstyle scoped\u003e\n", " .dataframe tbody tr th:only-of-type {\n", " vertical-align: middle;\n", " }\n", "\n", " .dataframe tbody tr th {\n", " vertical-align: top;\n", " }\n", "\n", " .dataframe thead th {\n", " text-align: right;\n", " }\n", "\u003c/style\u003e\n", "\u003ctable border=\"1\" class=\"dataframe\"\u003e\n", " \u003cthead\u003e\n", " \u003ctr style=\"text-align: right;\"\u003e\n", " \u003cth\u003e\u003c/th\u003e\n", " \u003cth\u003ecmdline\u003c/th\u003e\n", " \u003cth\u003ename\u003c/th\u003e\n", " \u003cth\u003enice\u003c/th\u003e\n", " \u003cth\u003epid\u003c/th\u003e\n", " \u003cth\u003estate\u003c/th\u003e\n", " \u003cth\u003ethreads\u003c/th\u003e\n", " \u003c/tr\u003e\n", " \u003c/thead\u003e\n", " \u003ctbody\u003e\n", " \u003ctr\u003e\n", 
" \u003cth\u003e0\u003c/th\u003e\n", " \u003ctd\u003e\u003c/td\u003e\n", " \u003ctd\u003ekworker/4:1H-kblockd\u003c/td\u003e\n", " \u003ctd\u003e-20\u003c/td\u003e\n", " \u003ctd\u003e500\u003c/td\u003e\n", " \u003ctd\u003eI\u003c/td\u003e\n", " \u003ctd\u003e1\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e1\u003c/th\u003e\n", " \u003ctd\u003e\u003c/td\u003e\n", " \u003ctd\u003erpciod\u003c/td\u003e\n", " \u003ctd\u003e-20\u003c/td\u003e\n", " \u003ctd\u003e505\u003c/td\u003e\n", " \u003ctd\u003eI\u003c/td\u003e\n", " \u003ctd\u003e1\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e2\u003c/th\u003e\n", " \u003ctd\u003e\u003c/td\u003e\n", " \u003ctd\u003exprtiod\u003c/td\u003e\n", " \u003ctd\u003e-20\u003c/td\u003e\n", " \u003ctd\u003e506\u003c/td\u003e\n", " \u003ctd\u003eI\u003c/td\u003e\n", " \u003ctd\u003e1\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e3\u003c/th\u003e\n", " \u003ctd\u003e/sbin/lvmetad -f\u003c/td\u003e\n", " \u003ctd\u003elvmetad\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003e520\u003c/td\u003e\n", " \u003ctd\u003eS\u003c/td\u003e\n", " \u003ctd\u003e1\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003c/tbody\u003e\n", "\u003c/table\u003e\n", "\u003c/div\u003e" ], "text/plain": [ " cmdline name nice pid state threads\n", "0 kworker/4:1H-kblockd -20 500 I 1\n", "1 rpciod -20 505 I 1\n", "2 xprtiod -20 506 I 1\n", "3 /sbin/lvmetad -f lvmetad 0 520 S 1" ] }, "execution_count": 99, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "%grr_osqueryi \"SELECT pid, name, cmdline, state, nice, threads FROM processes WHERE pid \u003e= 440 and pid \u003c 600;\"" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "jL65ahsiRdc9" }, "source": [ "Running YARA for scanning processes is also available." 
] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 1000 }, "colab_type": "code", "executionInfo": { "elapsed": 104847, "status": "ok", "timestamp": 1563543214543, "user_tz": -120 }, "id": "lOO65oYzbWmU", "outputId": "ad583f42-fc6d-414b-9fb5-894ae1ea69c4" }, "outputs": [ { "data": { "text/html": [ "\u003cdiv\u003e\n", "\u003cstyle scoped\u003e\n", " .dataframe tbody tr th:only-of-type {\n", " vertical-align: middle;\n", " }\n", "\n", " .dataframe tbody tr th {\n", " vertical-align: top;\n", " }\n", "\n", " .dataframe thead th {\n", " text-align: right;\n", " }\n", "\u003c/style\u003e\n", "\u003ctable border=\"1\" class=\"dataframe\"\u003e\n", " \u003cthead\u003e\n", " \u003ctr style=\"text-align: right;\"\u003e\n", " \u003cth\u003e\u003c/th\u003e\n", " \u003cth\u003eprocess.pid\u003c/th\u003e\n", " \u003cth\u003eprocess.name\u003c/th\u003e\n", " \u003cth\u003eprocess.exe\u003c/th\u003e\n", " \u003c/tr\u003e\n", " \u003c/thead\u003e\n", " \u003ctbody\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e0\u003c/th\u003e\n", " \u003ctd\u003e63438\u003c/td\u003e\n", " \u003ctd\u003epython3\u003c/td\u003e\n", " \u003ctd\u003e/opt/python/3.7/bin/python3.7\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003c/tbody\u003e\n", "\u003c/table\u003e\n", "\u003c/div\u003e" ], "text/plain": [ " process.pid process.name process.exe\n", "0 63438 python3 /opt/python/3.7/bin/python3.7" ] }, "execution_count": 100, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "import os \n", "\n", "pid = os.getpid()\n", "data = \"dadasdasdasdjaskdakdaskdakjdkjadkjakjjdsgkngksfkjadsjnfandankjd\"\n", "rule = 'rule TextExample {{ strings: $text_string = \"{data}\" condition: $text_string }}'.format(data=data)\n", "\n", "df = %grr_yara '{rule}' -p {pid}\n", "df[['process.pid', 'process.name', 'process.exe']]" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "AtfQUmUzGZez" }, "source": [ "### Configuring flow timeout" ] }, { 
"cell_type": "markdown", "metadata": { "colab_type": "text", "id": "Fsd4AG0kG8A8" }, "source": [ "The default flow timeout is 30 seconds. It's time the function waits for a flow to complete. You can configure this timeout with `grr_set_flow_timeout` specifying number of seconds to wait. For examples, this will set the timeout to a minute:" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": {}, "colab_type": "code", "id": "ZNVey7oXH68q" }, "outputs": [], "source": [ "%grr_set_flow_timeout 60" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "6KVqqAIHHVzz" }, "source": [ "To tell functions to wait for the flows forever until they are completed:" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": {}, "colab_type": "code", "id": "RmvydfP5Hn8R" }, "outputs": [], "source": [ "%grr_set_no_flow_timeout" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "WOMMlijizLEJ" }, "source": [ "To set timeout to default value of 30 seconds:" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": {}, "colab_type": "code", "id": "X7wcgFgpzSyq" }, "outputs": [], "source": [ "%grr_set_default_flow_timeout" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "d0_E6iUtHqQa" }, "source": [ "Setting timeout to 0 tells functions not to wait at all and exit immediately after the flow starts." ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": {}, "colab_type": "code", "id": "Km8PM9DxIK9J" }, "outputs": [], "source": [ "%grr_set_flow_timeout 0" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "FazHWCkwIM7J" }, "source": [ "In case timeout is exceeded (or you set 0 timeout) you will se such error with a link to Admin UI." 
] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "AalfPJo3B-ef" }, "source": [ "### Collecting artifacts" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "GN_k0LguRqGo" }, "source": [ "You can first list all the artifacts that you can collect:" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 1000 }, "colab_type": "code", "executionInfo": { "elapsed": 33511, "status": "ok", "timestamp": 1563956618090, "user_tz": -120 }, "id": "TpeV7QkNiRQ-", "outputId": "50b08306-a991-4bc6-9d81-0d578d0fb5a6" }, "outputs": [ { "data": { "text/html": [ "\u003cdiv\u003e\n", "\u003cstyle scoped\u003e\n", " .dataframe tbody tr th:only-of-type {\n", " vertical-align: middle;\n", " }\n", "\n", " .dataframe tbody tr th {\n", " vertical-align: top;\n", " }\n", "\n", " .dataframe thead th {\n", " text-align: right;\n", " }\n", "\u003c/style\u003e\n", "\u003ctable border=\"1\" class=\"dataframe\"\u003e\n", " \u003cthead\u003e\n", " \u003ctr style=\"text-align: right;\"\u003e\n", " \u003cth\u003e\u003c/th\u003e\n", " \u003cth\u003eartifact.name\u003c/th\u003e\n", " \u003cth\u003eartifact.doc\u003c/th\u003e\n", " \u003cth\u003eartifact.supported_os\u003c/th\u003e\n", " \u003cth\u003eartifact.labels\u003c/th\u003e\n", " \u003cth\u003eartifact.urls\u003c/th\u003e\n", " \u003cth\u003eartifact.sources\u003c/th\u003e\n", " \u003cth\u003eis_custom\u003c/th\u003e\n", " \u003cth\u003eerror_message\u003c/th\u003e\n", " \u003cth\u003edependencies\u003c/th\u003e\n", " \u003cth\u003eartifact.provides\u003c/th\u003e\n", " \u003cth\u003epath_dependencies\u003c/th\u003e\n", " \u003cth\u003eprocessors\u003c/th\u003e\n", " \u003cth\u003eartifact.conditions\u003c/th\u003e\n", " \u003c/tr\u003e\n", " \u003c/thead\u003e\n", " \u003ctbody\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e0\u003c/th\u003e\n", " \u003ctd\u003eAPTSources\u003c/td\u003e\n", " \u003ctd\u003eAPT package sources list\u003c/td\u003e\n", " 
\u003ctd\u003e0\n", "0 Linux\u003c/td\u003e\n", " \u003ctd\u003e0\n", "0 Configuration Files\n", "...\u003c/td\u003e\n", " \u003ctd\u003e...\u003c/td\u003e\n", " \u003ctd\u003etype at...\u003c/td\u003e\n", " \u003ctd\u003eFalse\u003c/td\u003e\n", " \u003ctd\u003e\u003c/td\u003e\n", " \u003ctd\u003eNaN\u003c/td\u003e\n", " \u003ctd\u003eNaN\u003c/td\u003e\n", " \u003ctd\u003eNaN\u003c/td\u003e\n", " \u003ctd\u003eNaN\u003c/td\u003e\n", " \u003ctd\u003eNaN\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e1\u003c/th\u003e\n", " \u003ctd\u003eAPTTrustKeys\u003c/td\u003e\n", " \u003ctd\u003eAPT trusted keys\u003c/td\u003e\n", " \u003ctd\u003e0\n", "0 Linux\u003c/td\u003e\n", " \u003ctd\u003e0\n", "0 Configuration Files\n", "...\u003c/td\u003e\n", " \u003ctd\u003e0\n", "0 https:...\u003c/td\u003e\n", " \u003ctd\u003etype at...\u003c/td\u003e\n", " \u003ctd\u003eFalse\u003c/td\u003e\n", " \u003ctd\u003e\u003c/td\u003e\n", " \u003ctd\u003eNaN\u003c/td\u003e\n", " \u003ctd\u003eNaN\u003c/td\u003e\n", " \u003ctd\u003eNaN\u003c/td\u003e\n", " \u003ctd\u003eNaN\u003c/td\u003e\n", " \u003ctd\u003eNaN\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003c/tbody\u003e\n", "\u003c/table\u003e\n", "\u003c/div\u003e" ], "text/plain": [ " artifact.name artifact.doc artifact.supported_os \\\n", "0 APTSources APT package sources list 0\n", "0 Linux \n", "1 APTTrustKeys APT trusted keys 0\n", "0 Linux \n", "\n", " artifact.labels \\\n", "0 0\n", "0 Configuration Files\n", "... \n", "1 0\n", "0 Configuration Files\n", "... \n", "\n", " artifact.urls \\\n", "0 ... \n", "1 0\n", "0 https:... \n", "\n", " artifact.sources is_custom error_message \\\n", "0 type at... False \n", "1 type at... 
False \n", "\n", " dependencies artifact.provides path_dependencies processors \\\n", "0 NaN NaN NaN NaN \n", "1 NaN NaN NaN NaN \n", "\n", " artifact.conditions \n", "0 NaN \n", "1 NaN " ] }, "execution_count": 101, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "df = %grr_list_artifacts\n", "df[:2]" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "zbJDFj_zCBUW" }, "source": [ "To collect an artifact you just need to provide its name:" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 100 }, "colab_type": "code", "executionInfo": { "elapsed": 18412, "status": "ok", "timestamp": 1563452500762, "user_tz": -120 }, "id": "1lG6LFGmBykZ", "outputId": "501a8ccb-3a97-482f-bc35-dd0d08cbe8ef" }, "outputs": [ { "data": { "text/html": [ "\u003cdiv\u003e\n", "\u003cstyle scoped\u003e\n", " .dataframe tbody tr th:only-of-type {\n", " vertical-align: middle;\n", " }\n", "\n", " .dataframe tbody tr th {\n", " vertical-align: top;\n", " }\n", "\n", " .dataframe thead th {\n", " text-align: right;\n", " }\n", "\u003c/style\u003e\n", "\u003ctable border=\"1\" class=\"dataframe\"\u003e\n", " \u003cthead\u003e\n", " \u003ctr style=\"text-align: right;\"\u003e\n", " \u003cth\u003e\u003c/th\u003e\n", " \u003cth\u003est_mode\u003c/th\u003e\n", " \u003cth\u003est_mode.pretty\u003c/th\u003e\n", " \u003cth\u003est_ino\u003c/th\u003e\n", " \u003cth\u003est_dev\u003c/th\u003e\n", " \u003cth\u003est_nlink\u003c/th\u003e\n", " \u003cth\u003est_uid\u003c/th\u003e\n", " \u003cth\u003est_gid\u003c/th\u003e\n", " \u003cth\u003est_size\u003c/th\u003e\n", " \u003cth\u003est_atime\u003c/th\u003e\n", " \u003cth\u003est_mtime\u003c/th\u003e\n", " \u003cth\u003est_ctime\u003c/th\u003e\n", " \u003cth\u003est_blocks\u003c/th\u003e\n", " \u003cth\u003est_blksize\u003c/th\u003e\n", " \u003cth\u003est_rdev\u003c/th\u003e\n", " \u003cth\u003epathspec.pathtype\u003c/th\u003e\n", " 
\u003cth\u003epathspec.path\u003c/th\u003e\n", " \u003cth\u003epathspec.path_options\u003c/th\u003e\n", " \u003cth\u003est_flags_osx\u003c/th\u003e\n", " \u003cth\u003est_flags_linux\u003c/th\u003e\n", " \u003c/tr\u003e\n", " \u003c/thead\u003e\n", " \u003ctbody\u003e\n", " \u003ctr\u003e\n", " \u003cth\u003e0\u003c/th\u003e\n", " \u003ctd\u003e33188\u003c/td\u003e\n", " \u003ctd\u003e-rw-r--r--\u003c/td\u003e\n", " \u003ctd\u003e10094787\u003c/td\u003e\n", " \u003ctd\u003e65025\u003c/td\u003e\n", " \u003ctd\u003e1\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003e7\u003c/td\u003e\n", " \u003ctd\u003e1567107891\u003c/td\u003e\n", " \u003ctd\u003e1559242439\u003c/td\u003e\n", " \u003ctd\u003e1559242439\u003c/td\u003e\n", " \u003ctd\u003e8\u003c/td\u003e\n", " \u003ctd\u003e4096\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003eOS\u003c/td\u003e\n", " \u003ctd\u003e/etc/debian_version\u003c/td\u003e\n", " \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n", " \u003ctd\u003e0\u003c/td\u003e\n", " \u003ctd\u003e524288\u003c/td\u003e\n", " \u003c/tr\u003e\n", " \u003c/tbody\u003e\n", "\u003c/table\u003e\n", "\u003c/div\u003e" ], "text/plain": [ " st_mode st_mode.pretty st_ino st_dev st_nlink st_uid st_gid \\\n", "0 33188 -rw-r--r-- 10094787 65025 1 0 0 \n", "\n", " st_size st_atime st_mtime st_ctime st_blocks st_blksize \\\n", "0 7 1567107891 1559242439 1559242439 8 4096 \n", "\n", " st_rdev pathspec.pathtype pathspec.path pathspec.path_options \\\n", "0 0 OS /etc/debian_version CASE_LITERAL \n", "\n", " st_flags_osx st_flags_linux \n", "0 0 524288 " ] }, "execution_count": 102, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "%grr_collect \"DebianVersion\"" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "0FUF1BS3Ppc3" }, "source": [ "## Python API" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "tZxaN9N6UVBB" }, 
"source": [ "### Getting a client" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "UQTvcGcCR3be" }, "source": [ "Using the Python API you can work with multiple clients simultaneously. You don't need to select a client to work with; instead you simply get a client object." ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "lAJq-J6gTH3M" }, "source": [ "Use the `search` method to search for clients. You can specify `ip`, `mac`, `host`, `version`, `user`, and `labels` as search criteria. The result is a list of client objects, so you can pick one of them to work with." ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 34 }, "colab_type": "code", "executionInfo": { "elapsed": 620, "status": "ok", "timestamp": 1563356576380, "user_tz": -120 }, "id": "INyXrM3wSi32", "outputId": "74e78b51-3c46-47f6-e7e4-dbd252bf64b8" }, "outputs": [ { "data": { "text/plain": [ "\n", "🌕 C.dc3782aeab2c5b4c @ admin.example.com (0 seconds ago)\n" ] }, "execution_count": 103, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "clients = grr_colab.Client.search(user='admin')\n", "clients" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": {}, "colab_type": "code", "id": "PMIje4W4Dy5t", "outputId": "f93856ed-be9d-49f3-f0ce-7b03df02fd8b" }, "outputs": [ { "data": { "text/plain": [ "'C.dc3782aeab2c5b4c'" ] }, "execution_count": 104, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "clients[0].id" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "UR074CCKTurM" }, "source": [ "If you know a client ID or a hostname (in case there is a single client installed for this hostname), you can get a client object using one of these values:" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": {}, "colab_type": "code", "id": "oBz7EKBbUERS" }, "outputs": [], "source": [ "client = grr_colab.Client.with_id('C.dc3782aeab2c5b4c')" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "GgNPa8zrUX5y" }, "source": [ "### Client properties" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "Wwq0GnL8UhpZ" }, "source": [ "There are a number of simple client properties for getting information about the client. Unlike the magics API, this API returns objects rather than dataframes for non-primitive values." ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "ra5NHgoGVqce" }, "source": [ "Getting the client ID:" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 34 }, "colab_type": "code", "executionInfo": { "elapsed": 217, "status": "ok", "timestamp": 1563356841291, "user_tz": -120 }, "id": "q1QE6IASUZ0r", "outputId": "bd94c35f-8b99-496a-9f1b-00efb9c304aa" }, "outputs": [ { "data": { "text/plain": [ "'C.dc3782aeab2c5b4c'" ] }, "execution_count": 106, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "client.id" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "YBUB2Bn8Vsty" }, "source": [ "Getting the client hostname:" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": {}, "colab_type": "code", "id": "ctITVSuqVFK3" }, "outputs": [], "source": [ "client.hostname" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "hTVNy_S9Vwku" }, "source": [ "Getting network interface info:" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 408 }, "colab_type": "code", "executionInfo": { "elapsed": 33, "status": "ok", "timestamp": 1563356862288, "user_tz": -120 }, "id": "dOx5QunTVIAo", "outputId": "233e1b70-de45-469a-b915-62092ebe1ddf" }, "outputs": [ { "data": { "text/plain": [ "\n", "lo (MAC: 00:00:00:00:00:00):\n", " inet 127.0.0.1\n", " inet6 ::1\n" ] }, "execution_count": 107, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ 
"client.ifaces[1:]" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": {}, "colab_type": "code", "id": "VigPSVFqDy56", "outputId": "ee349d0c-321c-4212-92e1-d3b9200eceb3" }, "outputs": [ { "data": { "text/plain": [ "'lo'" ] }, "execution_count": 108, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "client.ifaces[1].ifname" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "MN1zFXBvV8n9" }, "source": [ "This is a collection of interface objects, so you can iterate over it and access the fields of each interface object:" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 51 }, "colab_type": "code", "executionInfo": { "elapsed": 234, "status": "ok", "timestamp": 1563357064241, "user_tz": -120 }, "id": "FYAMPSyIV0C4", "outputId": "324b08df-f6d2-486a-ff77-01ec205cb249" }, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "enp0s31f6\n", "lo\n" ] } ], "source": [ "for iface in client.ifaces:\n", "  print(iface.ifname)" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "vkUrPv2YWqz0" }, "source": [ "Getting the knowledge base for the client; you can also access its individual fields:" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 34 }, "colab_type": "code", "executionInfo": { "elapsed": 234, "status": "ok", "timestamp": 1563357188321, "user_tz": -120 }, "id": "jHNACm1lWHTs", "outputId": "46b6ee43-d591-455d-d497-e882edca55c9" }, "outputs": [ { "data": { "text/plain": [ "'Debian GNU/Linux'" ] }, "execution_count": 110, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "client.knowledgebase\n", "client.knowledgebase.os_release" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "qthHpFbGW1cq" }, "source": [ "Getting the architecture of the machine the client runs on:" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 34 }, "colab_type": "code", "executionInfo": { "elapsed": 213, "status": "ok", "timestamp": 1563356907396, "user_tz": -120 }, "id": "lmBZpKH-VSZ2", "outputId": "72d89df9-71cd-4208-9777-d5ede70ec9cf" }, "outputs": [ { "data": { "text/plain": [ "'x86_64'" ] }, "execution_count": 111, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "client.arch" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "_tXx5na7W8gy" }, "source": [ "Getting the kernel version string:" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 34 }, "colab_type": "code", "executionInfo": { "elapsed": 54, "status": "ok", "timestamp": 1563356919015, "user_tz": -120 }, "id": "dU2CEbVcVU6f", "outputId": "61944428-0746-4f3a-c934-6b0f9aff295c" }, "outputs": [ { "data": { "text/plain": [ "'4.19.37-5rodete4-amd64'" ] }, "execution_count": 112, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "client.kernel" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "_0h8UfD1XCkc" }, "source": [ "Getting the list of labels associated with this client:" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 34 }, "colab_type": "code", "executionInfo": { "elapsed": 36, "status": "ok", "timestamp": 1563356930860, "user_tz": -120 }, "id": "HrqjDLM4VYAL", "outputId": "595d0e5f-a856-4208-eb4e-780145e4eece" }, "outputs": [ { "data": { "text/plain": [ "[]" ] }, "execution_count": 113, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "client.labels" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "a98GE9WeXI-D" }, "source": [ "First seen and last seen times are stored as datetime objects:" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 34 }, "colab_type": "code", "executionInfo": 
{ "elapsed": 29, "status": "ok", "timestamp": 1563356947421, "user_tz": -120 }, "id": "vh6jxsIHVcRP", "outputId": "76c53d58-8016-4841-f1da-bb868748a3dc" }, "outputs": [ { "data": { "text/plain": [ "datetime.datetime(2019, 8, 15, 11, 34, 17, 656692)" ] }, "execution_count": 114, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "client.first_seen" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 34 }, "colab_type": "code", "executionInfo": { "elapsed": 28, "status": "ok", "timestamp": 1563356958670, "user_tz": -120 }, "id": "PMC3gVbwVfe2", "outputId": "d7661278-23e1-4d34-c4d0-87606c9e4c50" }, "outputs": [ { "data": { "text/plain": [ "datetime.datetime(2019, 8, 30, 10, 5, 49, 102492)" ] }, "execution_count": 115, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "client.last_seen" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "JLzwWPePXZBS" }, "source": [ "### Requesting approvals" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "5-cnTvfWXgmX" }, "source": [ "As in the magics API, you need to request an approval before running flows on a client. To do this, simply call the `request_approval` method, providing a reason for the approval and a list of approvers." ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": {}, "colab_type": "code", "id": "nHLtlu7PX1CD", "scrolled": true }, "outputs": [], "source": [ "client.request_approval(approvers=['admin'], reason='Test reason')" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "2ykwCkRjX9ZJ" }, "source": [ "This method does not wait until the approval is granted. If you need to wait, use the `request_approval_and_wait` method, which has the same signature." 
] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "Ti7tTi8IYJ-_" }, "source": [ "### Running flows" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "wb6n7X3oYdL3" }, "source": [ "To set the flow timeout, use the `set_flow_timeout` function. The default value is 30 seconds; a value of 0 means return immediately after the flow has been started, and `set_no_flow_timeout` waits for the flow to finish with no limit. You can also reset the timeout to its default value of 30 seconds with `set_default_flow_timeout`." ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": {}, "colab_type": "code", "id": "c8-ofGIRYzkH" }, "outputs": [], "source": [ "# Wait forever\n", "grr_colab.set_no_flow_timeout()\n", "\n", "# Exit immediately\n", "grr_colab.set_flow_timeout(0)\n", "\n", "# Wait for one minute\n", "grr_colab.set_flow_timeout(60)\n", "\n", "# Wait for 30 seconds (the default)\n", "grr_colab.set_default_flow_timeout()" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "XKajEW473B_z" }, "source": [ "Below are examples of flows that you can run." 
] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "oX2zBLSS2o6A" }, "source": [ "Interrogating a client:" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 952 }, "colab_type": "code", "executionInfo": { "elapsed": 31837, "status": "ok", "timestamp": 1563358052784, "user_tz": -120 }, "id": "G1SUGwIfZC0T", "outputId": "37b3cab8-3014-4c87-d8bb-3d58de97f20f" }, "outputs": [ { "data": { "text/plain": [ "'Linux'" ] }, "execution_count": 116, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "summary = client.interrogate()\n", "summary.system_info.system" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "fAy4VPjE27zB" }, "source": [ "Listing processes on a client:" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 442 }, "colab_type": "code", "executionInfo": { "elapsed": 16644, "status": "ok", "timestamp": 1563357975113, "user_tz": -120 }, "id": "NDJSC-E6ZJJI", "outputId": "71c09e77-0f6f-4339-dceb-f17c8fff8709" }, "outputs": [ { "data": { "text/plain": [ "\n", " PID USER NI VIRT RES S CPU% MEM% Command\n", " 1 root 0 220M 9M S 0.0 0.0 /usr/lib/systemd/systemd\n" ] }, "execution_count": 120, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "ps = client.ps()\n", "ps[:1]" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 34 }, "colab_type": "code", "executionInfo": { "elapsed": 252, "status": "ok", "timestamp": 1563358081333, "user_tz": -120 }, "id": "Ar5LbaiTZqSf", "outputId": "2a5a9616-0bf2-493a-efb7-d600c87234bc" }, "outputs": [ { "data": { "text/plain": [ " 1 root 0 220M 9M S 0.0 0.0 /usr/lib/systemd/systemd" ] }, "execution_count": 118, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "ps[0]" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": {}, "colab_type": "code", "id": "HK2YtZSgDy6a", "outputId": 
"08b89532-6b63-424e-e7fb-46d6027f0390" }, "outputs": [ { "data": { "text/plain": [ "'/usr/lib/systemd/systemd'" ] }, "execution_count": 119, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "ps[0].exe" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "OHQ49Ydu3Kfo" }, "source": [ "Listing files in a directory. Here you need to provide the absolute path to the directory because there is no state." ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 85 }, "colab_type": "code", "executionInfo": { "elapsed": 16571, "status": "ok", "timestamp": 1563358160271, "user_tz": -120 }, "id": "pwV4LY3YZMnJ", "outputId": "813cddcd-bab4-4553-adcd-88184515bcfb" }, "outputs": [ { "data": { "text/plain": [ "\n", "/tmp/foo/baz\n", " 📂 dir1 (drwxr-xr-x /tmp/foo/baz/dir1, 4.0 KiB)\n", " 📂 dir2 (drwxr-xr-x /tmp/foo/baz/dir2, 4.0 KiB)\n", " 📄 file1 (-rw-r--r-- /tmp/foo/baz/file1, 70 Bytes)\n", " 📄 file2 (-rw-r--r-- /tmp/foo/baz/file2, 23 Bytes)\n" ] }, "execution_count": 121, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "files = client.ls('/tmp/foo/baz')\n", "files" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": {}, "colab_type": "code", "id": "Dkl-_mFMDy6i", "outputId": "c9840a09-4df5-4801-8ee4-4f1d0ba7996b" }, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "/tmp/foo/baz/dir1\n", "/tmp/foo/baz/dir2\n", "/tmp/foo/baz/file1\n", "/tmp/foo/baz/file2\n" ] } ], "source": [ "for f in files:\n", " print(f.pathspec.path)" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "2frjg9N73UUD" }, "source": [ "Recursive listing of a directory is also possible. To do this specify the max depth of the recursion." 
] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 102 }, "colab_type": "code", "executionInfo": { "elapsed": 16436, "status": "ok", "timestamp": 1563358181522, "user_tz": -120 }, "id": "G59cw2SaaDsA", "outputId": "d9bed6bd-c156-4144-a893-6c230799c172" }, "outputs": [ { "data": { "text/plain": [ "\n", "/tmp/foo\n", " 📂 bar (drwxr-xr-x /tmp/foo/bar, 4.0 KiB)\n", " 📂 baz (drwxr-xr-x /tmp/foo/baz, 4.0 KiB)\n", " 📂 dir1 (drwxr-xr-x /tmp/foo/baz/dir1, 4.0 KiB)\n", " 📂 dir2 (drwxr-xr-x /tmp/foo/baz/dir2, 4.0 KiB)\n", " 📂 dir3 (drwxr-xr-x /tmp/foo/baz/dir2/dir3, 4.0 KiB)\n", " 📄 file1 (-rw-r--r-- /tmp/foo/baz/file1, 70 Bytes)\n", " 📄 file2 (-rw-r--r-- /tmp/foo/baz/file2, 23 Bytes)\n" ] }, "execution_count": 125, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "files = client.ls('/tmp/foo', max_depth=3)\n", "files" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": {}, "colab_type": "code", "id": "gRx6MkL2Dy6o", "outputId": "52a15c47-b534-4581-b80c-1feeef35f4eb" }, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "/tmp/foo/bar\n", "/tmp/foo/baz\n", "/tmp/foo/baz/dir1\n", "/tmp/foo/baz/dir2\n", "/tmp/foo/baz/file1\n", "/tmp/foo/baz/file2\n", "/tmp/foo/baz/dir2/dir3\n" ] } ], "source": [ "for f in files:\n", " print(f.pathspec.path)" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "DcUbrQ4w3g9y" }, "source": [ "Globbing files:" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 51 }, "colab_type": "code", "executionInfo": { "elapsed": 16575, "status": "ok", "timestamp": 1563358222405, "user_tz": -120 }, "id": "4UicyWmjaOAk", "outputId": "e778d8c2-9c30-4d7d-be9b-8fc1d958d196" }, "outputs": [ { "data": { "text/plain": [ "\n", "/tmp/foo/baz\n", " 📄 file1 (-rw-r--r-- /tmp/foo/baz/file1, 70 Bytes)\n", " 📄 file2 (-rw-r--r-- /tmp/foo/baz/file2, 23 Bytes)\n" ] }, "execution_count": 127, "metadata": { "tags": [] }, 
"output_type": "execute_result" } ], "source": [ "files = client.glob('/tmp/foo/baz/file*')\n", "files" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "ExX3Ov9N3m3I" }, "source": [ "Grepping files with regular expressions:" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 85 }, "colab_type": "code", "executionInfo": { "elapsed": 16351, "status": "ok", "timestamp": 1563358382713, "user_tz": -120 }, "id": "tAua-e_tacHx", "outputId": "3b5fb133-e180-4dad-ca3a-1fb73d58ce85" }, "outputs": [ { "data": { "text/plain": [ "\n", "/tmp/foo/baz/file1:18-22: b'line'\n", "/tmp/foo/baz/file1:42-46: b'line'\n", "/tmp/foo/baz/file1:65-69: b'LINE'\n", "/tmp/foo/baz/file2:18-22: b'line'\n" ] }, "execution_count": 128, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "matches = client.grep(path='/tmp/foo/baz/file*', pattern=b'line')\n", "matches" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": {}, "colab_type": "code", "id": "NJANTWu4Dy6u", "outputId": "76c6b4fd-b8f4-4811-fe3d-32d3952ec580" }, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "/tmp/foo/baz/file1 18 b'line'\n", "/tmp/foo/baz/file1 42 b'line'\n", "/tmp/foo/baz/file1 65 b'LINE'\n", "/tmp/foo/baz/file2 18 b'line'\n" ] } ], "source": [ "for match in matches:\n", " print(match.pathspec.path, match.offset, match.data)" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": {}, "colab_type": "code", "id": "5yCGdGnZ98cc", "outputId": "7a763eb2-49a8-42e6-f0d2-c69f551484a5" }, "outputs": [ { "data": { "text/plain": [ "\n", "/tmp/foo/baz/file1:18-22: b'line'\n", "/tmp/foo/baz/file1:42-46: b'line'\n", "/tmp/foo/baz/file1:65-69: b'LINE'\n", "/tmp/foo/baz/file2:18-22: b'line'\n" ] }, "execution_count": 130, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "matches = client.grep(path='/tmp/foo/baz/file*', pattern=b'\\x6c\\x69\\x6e\\x65')\n", "matches" ] }, { 
"cell_type": "markdown", "metadata": { "colab_type": "text", "id": "TZoM_ZNx3so6" }, "source": [ "Grepping files by exact match:" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 68 }, "colab_type": "code", "executionInfo": { "elapsed": 16559, "status": "ok", "timestamp": 1563358405056, "user_tz": -120 }, "id": "NNGjua_Ka543", "outputId": "dde49bcf-e072-4af8-a79e-7438d58e7555" }, "outputs": [ { "data": { "text/plain": [ "\n", "/tmp/foo/baz/file1:18-22: b'line'\n", "/tmp/foo/baz/file1:42-46: b'line'\n", "/tmp/foo/baz/file2:18-22: b'line'\n" ] }, "execution_count": 131, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "matches = client.fgrep(path='/tmp/foo/baz/file*', literal=b'line')\n", "matches" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "H60dvwkjXe6r" }, "source": [ "Downloading files:" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 34 }, "colab_type": "code", "executionInfo": { "elapsed": 284, "status": "ok", "timestamp": 1564582209938, "user_tz": -120 }, "id": "xWv7F8b-Xbzz", "outputId": "98f1315b-0f1f-49d2-cbcb-2d4e3e3e9916" }, "outputs": [ { "data": { "text/plain": [ "'http://localhost:8000//api/clients/C.dc3782aeab2c5b4c/vfs-blob/fs/os/tmp/foo/baz/file1'" ] }, "execution_count": 132, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "client.wget('/tmp/foo/baz/file1')" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "IZIu38l13wUx" }, "source": [ "Osquerying a client:" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 119 }, "colab_type": "code", "executionInfo": { "elapsed": 16466, "status": "ok", "timestamp": 1563368233299, "user_tz": -120 }, "id": "JCoU2YTnvpUc", "outputId": "7f7cb21c-a3e2-40f1-8868-ed3916fc514f" }, "outputs": [ { "data": { "text/plain": [ " name nice pid\n", "0 systemd 0 1\n", "1 kthreadd 0 2\n", "2 rcu_gp -20 3\n", "3 
rcu_par_gp -20 4" ] }, "execution_count": 133, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "table = client.osquery('SELECT pid, name, nice FROM processes WHERE pid \u003c 5')\n", "table" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": {}, "colab_type": "code", "id": "tXKsEr76Dy62", "outputId": "1e32ca68-ef3f-42b7-e4a5-cef3f37bd57d" }, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ " name nice pid\n", "--------------------------------\n", " systemd 0 1\n", " kthreadd 0 2\n", " rcu_gp -20 3\n", "rcu_par_gp -20 4\n" ] } ], "source": [ "header = ' '.join(str(col.name).rjust(10) for col in table.header.columns)\n", "print(header)\n", "print('-' * len(header))\n", "for row in table.rows:\n", " print(' '.join(map(lambda _: _.rjust(10), row.values)))" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "EFHaqizjDy63" }, "source": [ "Listing artifacts:" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 527 }, "colab_type": "code", "executionInfo": { "elapsed": 9287, "status": "ok", "timestamp": 1564580841033, "user_tz": -120 }, "id": "2KDileozYb1O", "outputId": "3da7ecbe-0385-4def-e35f-a338f018f40e" }, "outputs": [ { "data": { "text/plain": [ "artifact {\n", " name: \"APTSources\"\n", " doc: \"APT package sources list\"\n", " labels: \"Configuration Files\"\n", " labels: \"System\"\n", " supported_os: \"Linux\"\n", " urls: \"http://manpages.ubuntu.com/manpages/trusty/en/man5/sources.list.5.html\"\n", " sources {\n", " type: FILE\n", " attributes {\n", " dat {\n", " k {\n", " string: \"paths\"\n", " }\n", " v {\n", " list {\n", " content {\n", " string: \"/etc/apt/sources.list\"\n", " }\n", " content {\n", " string: \"/etc/apt/sources.list.d/*.list\"\n", " }\n", " }\n", " }\n", " }\n", " }\n", " }\n", "}\n", "is_custom: false\n", "error_message: \"\"" ] }, "execution_count": 135, "metadata": { "tags": [] }, "output_type": "execute_result" } 
], "source": [ "artifacts = grr_colab.list_artifacts()\n", "artifacts[0]" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "MCJoqe-E30Vl" }, "source": [ "To collect an artifact you just need to provide its name:" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 357 }, "colab_type": "code", "executionInfo": { "elapsed": 16302, "status": "ok", "timestamp": 1563365626678, "user_tz": -120 }, "id": "tMh1H5M6yJdo", "outputId": "cb6771af-94dd-49c0-b911-638c8e0751c9" }, "outputs": [ { "data": { "text/plain": [ "[📄 debian_version (-rw-r--r-- /etc/debian_version, 7 Bytes)]" ] }, "execution_count": 136, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "client.collect('DebianVersion')" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "adbukHZFUOmJ" }, "source": [ "Running YARA (here the rule is matched against the memory of the notebook's own process, which holds the searched string):" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 428 }, "colab_type": "code", "executionInfo": { "elapsed": 108368, "status": "ok", "timestamp": 1564581866783, "user_tz": -120 }, "id": "Jl_2cg4cCNUk", "outputId": "400c013f-838a-4e99-8e67-4fa887e18f74" }, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "63438 python3\n" ] } ], "source": [ "import os\n", "\n", "# Scan this notebook's own process: the string below is held in its memory,\n", "# so the rule is guaranteed to match.\n", "pid = os.getpid()\n", "data = \"dadasdasdasdjaskdakdaskdakjdkjadkjakjjdsgkngksfkjadsjnfandankjd\"\n", "rule = 'rule TextExample {{ strings: $text_string = \"{data}\" condition: $text_string }}'.format(data=data)\n", "\n", "matches = client.yara(rule, pids=[pid])\n", "print(matches[0].process.pid, matches[0].process.name)" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "taRBdrE22kWA" }, "source": [ "### Working with files" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "Tn4htZOW4Rhq" }, "source": [ "You can read and seek files, interacting with them as with ordinary Python file objects." 
] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 51 }, "colab_type": "code", "executionInfo": { "elapsed": 16589, "status": "ok", "timestamp": 1563366486663, "user_tz": -120 }, "id": "Zfx83xG25e3T", "outputId": "98f4d556-6118-4fd2-e39b-f2ddd1ca0e9f" }, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "b'This is the first line\\n'\n" ] } ], "source": [ "with client.open('/tmp/foo/baz/file1') as f:\n", "  print(f.readline())" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 119 }, "colab_type": "code", "executionInfo": { "elapsed": 16371, "status": "ok", "timestamp": 1563366503147, "user_tz": -120 }, "id": "bihgVIh85qMA", "outputId": "0488de5f-a7b8-41b2-f553-fc7f82b1105e" }, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "b'This is the first line\\n'\n", "b'This is the second line\\n'\n", "b'This is the third LINE\\n'\n" ] } ], "source": [ "with client.open('/tmp/foo/baz/file1') as f:\n", "  for line in f:\n", "    print(line)" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 119 }, "colab_type": "code", "executionInfo": { "elapsed": 425, "status": "ok", "timestamp": 1564582106587, "user_tz": -120 }, "id": "UTi6l-Mc51LR", "outputId": "076d95d4-4073-4c0d-821a-d23f4f858bb0" }, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "b'This is the first line'\n", "b'This is the first line'\n", "b'\\nThis is the second line\\nThis is the third LINE\\n'\n" ] } ], "source": [ "with client.open('/tmp/foo/baz/file1') as f:\n", "  print(f.read(22))\n", "  f.seek(0)\n", "  print(f.read(22))\n", "  print(f.read())" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "KC_6MOF235UG" }, "source": [ "### Cached data" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "Huy_FSnI6QOH" }, "source": [ "To fetch data cached on the server (what the server already knows about the client's filesystem, which may be stale until refreshed), use the `cached` property of a client object." 
] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "lBvLrG_T6YXr" }, "source": [ "You can list files in a directory (recursively as well), and read and download files as above:" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 85 }, "colab_type": "code", "executionInfo": { "elapsed": 777, "status": "ok", "timestamp": 1563366889118, "user_tz": -120 }, "id": "PFdhZ8TA7HUW", "outputId": "75c2aa98-3e28-4440-85d8-1725b5bc7aaf" }, "outputs": [ { "data": { "text/plain": [ "\n", "/tmp/foo/baz\n", " 📂 dir1 (drwxr-xr-x /tmp/foo/baz/dir1, 4.0 KiB)\n", " 📂 dir2 (drwxr-xr-x /tmp/foo/baz/dir2, 4.0 KiB)\n", " 📄 file1 (-rw-r--r-- /tmp/foo/baz/file1, 70 Bytes)\n", " 📄 file2 (-rw-r--r-- /tmp/foo/baz/file2, 23 Bytes)\n" ] }, "execution_count": 143, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "files = client.cached.ls('/tmp/foo/baz')\n", "files" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 102 }, "colab_type": "code", "executionInfo": { "elapsed": 1693, "status": "ok", "timestamp": 1563366892304, "user_tz": -120 }, "id": "J-BueDOJ7N8D", "outputId": "1c40cc1d-140f-423b-bea2-9a97644ea864" }, "outputs": [ { "data": { "text/plain": [ "\n", "/tmp/foo/baz\n", " 📂 dir1 (drwxr-xr-x /tmp/foo/baz/dir1, 4.0 KiB)\n", " 📂 dir2 (drwxr-xr-x /tmp/foo/baz/dir2, 4.0 KiB)\n", " 📂 dir3 (drwxr-xr-x /tmp/foo/baz/dir2/dir3, 4.0 KiB)\n", " 📄 file1 (-rw-r--r-- /tmp/foo/baz/file1, 70 Bytes)\n", " 📄 file2 (-rw-r--r-- /tmp/foo/baz/file2, 23 Bytes)\n" ] }, "execution_count": 144, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "files = client.cached.ls('/tmp/foo/baz', max_depth=2)\n", "files" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 119 }, "colab_type": "code", "executionInfo": { "elapsed": 463, "status": "ok", "timestamp": 1563366897538, "user_tz": -120 }, "id": "jgDgLoTp7XjK", "outputId": 
"3b9e7ce6-be3d-4a41-8a3d-3b5793a34a3c" }, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "b'This is the first line\\n'\n", "b'This is the second line\\n'\n", "b'This is the third LINE\\n'\n" ] } ], "source": [ "with client.cached.open('/tmp/foo/baz/file1') as f:\n", "  for line in f:\n", "    print(line)" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": { "height": 34 }, "colab_type": "code", "executionInfo": { "elapsed": 553, "status": "ok", "timestamp": 1564582151558, "user_tz": -120 }, "id": "r38OpE5yXJyj", "outputId": "0351711c-86bf-4dd8-b487-c5844a373e38" }, "outputs": [ { "data": { "text/plain": [ "'http://localhost:8000//api/clients/C.dc3782aeab2c5b4c/vfs-blob/fs/os/tmp/foo/baz/file1'" ] }, "execution_count": 146, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "client.cached.wget('/tmp/foo/baz/file1')" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "oNcKjnfU7c2G" }, "source": [ "You can also refresh the filesystem metadata cached on the server by calling the `refresh` method (this refreshes the contents of the directory itself, not its subdirectories):" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": {}, "colab_type": "code", "id": "NexQ7-Zr7wYd" }, "outputs": [], "source": [ "client.cached.refresh('/tmp/foo/baz')" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "r-X01rJk8A0c" }, "source": [ "To refresh a directory recursively, specify the `max_depth` parameter:" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": {}, "colab_type": "code", "id": "jOTJy6AR8AjG" }, "outputs": [], "source": [ "client.cached.refresh('/tmp/foo/baz', max_depth=2)" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "by_SZCm498c6" }, "source": [ "### Path types" ] }, { "cell_type": "markdown", "metadata": { "colab_type": "text", "id": "L7w69_-ADy7J" }, 
"source": [ "To specify the path type, use one of the client properties: `client.os` (the same as using `client` directly), `client.tsk`, `client.ntfs` or `client.registry`." ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": {}, "colab_type": "code", "id": "cY4dHk3pDy7J", "outputId": "c5c8da58-db51-462c-d580-bc27feafe7f0" }, "outputs": [ { "data": { "text/plain": [ "\n", "/tmp/foo\n", " 📂 bar (drwxr-xr-x /tmp/foo/bar, 4.0 KiB)\n", " 📂 baz (drwxr-xr-x /tmp/foo/baz, 4.0 KiB)\n" ] }, "execution_count": 147, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "client.os.ls('/tmp/foo')" ] }, { "cell_type": "code", "execution_count": 0, "metadata": { "colab": {}, "colab_type": "code", "id": "Lr70KD58Dy7K", "outputId": "7fbba4df-1cb2-4a01-e677-0059f50c9755" }, "outputs": [ { "data": { "text/plain": [ "\n", "/tmp/foo\n", " 📂 bar (drwxr-xr-x /tmp/foo/bar, 4.0 KiB)\n", " 📂 baz (drwxr-xr-x /tmp/foo/baz, 4.0 KiB)\n" ] }, "execution_count": 148, "metadata": { "tags": [] }, "output_type": "execute_result" } ], "source": [ "client.os.cached.ls('/tmp/foo')" ] } ], "metadata": { "colab": { "collapsed_sections": [], "last_runtime": { "build_target": "", "kind": "local" }, "name": "GRR Colab API.ipynb", "provenance": [], "version": "0.3.2" }, "kernelspec": { "display_name": "Python 3", "language": "python", "name": "python3" }, "language_info": { "codemirror_mode": { "name": "ipython", "version": 3 }, "file_extension": ".py", "mimetype": "text/x-python", "name": "python", "nbconvert_exporter": "python", "pygments_lexer": "ipython3", "version": "3.7.4" } }, "nbformat": 4, "nbformat_minor": 0 }