Tech tip: Invoke a system command in R

I spend a lot of time using R, the programming language and software environment for statistical computing and graphics. It's incredibly useful for visualization and analysis; if you want to go further, Data-Driven Security is a great starting point and reference, along with this article.

One of my recent discoveries (I'm new to R, a terrible programmer and a worse statistician) is system(), which invokes whatever OS command you hand it. As an example, I love Log Parser and often use it to parse log events or write them out to CSV. Once in CSV they can be transformed and analyzed in so many ways, and one of the great things about R is its ability to ingest CSV and apply statistical or visual methods to the data. With system(), in two lines I can call Log Parser, pull the Windows Security event log, write it to CSV, and create a data frame out of it that I can then do any number of other cool things with. Two notes before the example. First, the Security log is readable only by administrators, so for this scenario R itself must be started elevated (Run as administrator). Second, system() takes a single command string that you assemble yourself (on Unix-alikes it is handed to /bin/sh), so never splice untrusted input into it; if a query or file name comes from anywhere other than your own keyboard, validate it first, or pass the pieces as an argument vector with system2(). The resulting CSV is a complete copy of the Security log, so protect the file as carefully as the log itself.

In short:

Set a working directory: setwd("D:/coding/R/EventVizWork")
Call Log Parser with system: system('logparser "Select * into security.csv from Security" -i:evt -o:csv')

Elements processed: 112155
Elements output:    112155
Execution time:     26.80 seconds

Read the results into a data frame: secevtlog <- read.csv("security.csv")
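The same three steps, wrapped as functions, as an added example that is not the diary's own code: export_event_log() builds the Log Parser query from validated pieces and runs it through system2() rather than a hand-pasted string, and the two summary helpers show the kind of thing the data frame is good for. It assumes Log Parser 2.2 is installed and that logparser.exe is on PATH (or that its full path is passed in), that R is running elevated on Windows, and that the Security log columns look like Log Parser's -i:EVT output; the CSV text at the bottom is constructed for offline use and only approximates that column set.

```r
# Added example (not from the original diary). Assumes Log Parser 2.2 on a
# Windows host, R started as administrator, and logparser.exe on PATH or
# supplied via the `logparser` argument.

export_event_log <- function(log_name, out_csv,
                             logparser = Sys.which("logparser")) {
  # The log name is spliced into a command line, so only known logs pass.
  allowed_logs <- c("Security", "System", "Application")
  if (!(log_name %in% allowed_logs))
    stop("unsupported event log: ", log_name)
  # Keep the output to a plain file name; setwd() decides the directory.
  if (!grepl("^[A-Za-z0-9_.-]+\\.csv$", out_csv))
    stop("out_csv must be a simple .csv file name")
  if (!nzchar(logparser))
    stop("logparser not found on PATH; pass its full path as `logparser`")

  query <- sprintf("SELECT * INTO %s FROM %s", out_csv, log_name)
  # system2() takes the program and an argument vector. shQuote() wraps the
  # query in double quotes on Windows, matching the diary's one-liner.
  output <- system2(logparser,
                    args = c(shQuote(query), "-i:EVT", "-o:CSV"),
                    stdout = TRUE, stderr = TRUE)
  status <- attr(output, "status")      # NULL on success, non-zero otherwise
  if (!is.null(status) && status != 0)
    stop("logparser exited with status ", status, ":\n",
         paste(output, collapse = "\n"))
  # Log Parser's "Elements processed" / "Execution time" lines come back here.
  invisible(output)
}

# Number of events per EventID, most frequent first.
event_counts <- function(evt) {
  sort(table(evt$EventID), decreasing = TRUE)
}

# Failed logons: EventID 4625 ("An account failed to log on").
failed_logons <- function(evt) {
  evt[evt$EventID == 4625, c("TimeGenerated", "ComputerName")]
}

# Constructed sample standing in for security.csv. Real Log Parser output
# has more columns (Strings, SID, Message, Data, ...); these suffice here.
sample_csv <- "EventLog,RecordNumber,TimeGenerated,EventID,EventTypeName,SourceName,ComputerName
Security,1001,2015-07-31 08:00:01,4624,Audit Success event,Microsoft-Windows-Security-Auditing,WKS01
Security,1002,2015-07-31 08:00:09,4625,Audit Failure event,Microsoft-Windows-Security-Auditing,WKS01
Security,1003,2015-07-31 08:00:11,4625,Audit Failure event,Microsoft-Windows-Security-Auditing,WKS01
Security,1004,2015-07-31 08:03:40,4672,Audit Success event,Microsoft-Windows-Security-Auditing,WKS01
Security,1005,2015-07-31 08:03:40,4624,Audit Success event,Microsoft-Windows-Security-Auditing,WKS01"

# Offline run against the constructed sample.
secevtlog <- read.csv(text = sample_csv, stringsAsFactors = FALSE)
print(event_counts(secevtlog))
print(failed_logons(secevtlog))

# On an elevated Windows session with Log Parser installed, the live version
# is the diary's three steps:
# setwd("D:/coding/R/EventVizWork")
# export_event_log("Security", "security.csv")
# secevtlog <- read.csv("security.csv", stringsAsFactors = FALSE)
```

The allow-list on the log name and the file-name check are what make system2() worth the extra lines over system(): the only text reaching the command line that you did not type yourself has been constrained to a handful of known values, so a query or path that arrives from a config file or a web form cannot turn the Log Parser call into something else.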

Tomorrow I'll show you what we can do with it. :-)

Russ McRee | @holisticinfosec



Russ McRee

ISC Handler
Jul 31st 2015
