Added utility reference

docs/README.md

@@ -9,7 +9,11 @@ Copied from [corelight/bro-cheatsheets](https://github.com/corelight/bro-cheatsh
 
 Copyright [Corelight, Inc](https://www.corelight.com/)
 
+## Useful-Command-Line-Utilities.pdf and useful_cli_utilities.txt
+Descriptions of a couple command-line test processing utilities which are useful for looking at Bro logs.  This info is taken directly from the workshop slides, but included here as it may be useful as a references for some of the exercises.
+
 ## bro-cheat-sheet.pdf
 This one deals almost entirely with Bro command line arguments and scripting.  It may come in handy for Exercise 3 in particular when you start modifying and writing your own scripts.
 
-Copied from [bro/cheatsheet](https://github.com/bro/cheat-sheet) and redistributed via [Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported ](https://creativecommons.org/licenses/by-nc-sa/3.0/)license.
+Copied from [bro/cheatsheet](https://github.com/bro/cheat-sheet) and redistributed via [Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported ](https://creativecommons.org/licenses/by-nc-sa/3.0/) license
+

docs/useful_cli_utilities.txt

@@ -0,0 +1,31 @@
+The Pipe Operator
+*	Output of one command is fed into the input of the next
+*	Can thinking of it as a filtering and aggregation pipeline
+*	In most cases here the first command will be reading from a Bro log file
+
+sudo dmesg | less
+
+grep
+*	Search for a string in the input
+*	-v inverts the search, printing things that don't contain the string
+
+cat conn.log | grep dns
+
+bro-cut
+*	Specify a subset of a bro log
+*	Can reorder fields
+*	-d converts timestamps to human-readable (but timestamp field must be included)
+
+cat conn.log | bro-cut uid missed_bytes
+
+sort
+*	Sort the rows of the input
+*	-r for reverse, -n for numbers
+
+cat conn.log | bro-cut missed_bytes uid | sort -n
+
+uniq
+*	Remove adjacent duplicated lines
+*	-c counts the number of occurrences
+
+cat dns.log | bro-cut query | sort | uniq -c