% general
# Read file line by line
while IFS= read -r line; do echo "$line"; done < "<inputfile>"
# Go to a recently visited directory (e.g. /host/opt/zeek/logs) #tip
g logs
# Go to the host filesystem #tip
g /host
# Not a fan of Vim or Emacs? Try a modern alternative to nano #tip
micro
# Determine when (if ever) an IP or domain has been seen in the past #tip
fd conn | xargs ug -Flz <search string>
% timestamp
# Convert timestamp to date #tip
chop ts | ts2
# Convert timestamp column to date #tip
cols ts ts2
# Convert timestamp column
cols <column> ts2 <period>
$ column: echo ts
$ period: printf 'day\nhour\nminute\nsecond\nnanosecond\n'
% plot
@ timestamp
# Show a bar graph of count per day #tip
chop ts | ts2 | freq | plot-bar Date
# Show a bar graph of count per time period
chop ts | ts2 <period> | freq | plot-bar <period>
% zeek
# Convert Zeek to CSV (alias) #tip
z2c
# Convert Zeek to regular TSV (alias) #tip
z2t
# Convert Zeek to JSON (alias) #tip
z2j
# Convert Zeek to Zeek TSV (alias) #tip
z2z
# Display Zeek logs in a scrollable table #tip
zv
# Convert Zeek to regular TSV
sed -e '0,/^#fields\t/s///' | grep -v '^#'
# Detect DNS tunneling #tip
filter --dns | chop query | distinct | domain | mfo 20
% chop
# Common DNS fields
chop id.orig_h id.resp_h id.resp_p query answers
# Common SSL fields
chop id.orig_h id.resp_h server_name
# Common HTTP fields
chop id.orig_h id.resp_h host
# Common Conn fields
chop id.orig_h id.resp_h id.resp_p conn_state orig_bytes resp_bytes
% helpers
# Skip lines (1 by default); replaces `tail -n +2` #tip
skip
# Most Frequent Occurrence; replaces `sort | uniq -c | sort -nr` #tip
mfo
# Get the top 25 most frequent results #tip
mfo 25
# Least Frequent Occurrence; replaces `sort | uniq -c | sort -n` #tip
lfo
# Get the 25 least frequent results #tip
lfo 25
# Number of distinct elements (`card`inality); replaces `sort | uniq | wc -l` #tip
card
# Find distinct elements; replaces `sort | uniq` #tip
distinct
# Deduplicate a file, leaving the first line (header) in place #tip
{ IFS= read -r header; echo -n "$header" ; distinct ; }
# Strip subdomains from list of domains #tip
domain
# Strip up to 3rd level domain from list of domains #tip
domain 3
# Turn a list of IPv4 addresses into class C subnets #tip
cat ips.txt | rev | domain 3 | rev | distinct
# Perform WHOIS queries on a list of IPs #tip
cat ips.txt | whois-bulk