-
Notifications
You must be signed in to change notification settings - Fork 19
/
Copy pathzq.cheat
28 lines (19 loc) · 1.69 KB
/
zq.cheat
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
% zq, partial
# Only outbound traffic (int->ext)
z2z '(local_orig == true and local_resp == false)'
# Only outbound traffic by cidr (int->ext)
z2z '((cidr_match(192.168.0.0/16, id.orig_h) or cidr_match(172.16.0.0/12, id.orig_h) or cidr_match(172.16.0.0/12, id.orig_h)) and not (cidr_match(192.168.0.0/16, id.resp_h) or cidr_match(172.16.0.0/12, id.resp_h) or cidr_match(172.16.0.0/12, id.resp_h)))'
# Only inbound traffic (ext->int)
z2z '(local_orig == false and local_resp == true)'
# Only inbound traffic by cidr (ext->int)
z2z '(not (cidr_match(192.168.0.0/16, id.orig_h) or cidr_match(172.16.0.0/12, id.orig_h) or cidr_match(172.16.0.0/12, id.orig_h)) and (cidr_match(192.168.0.0/16, id.resp_h) or cidr_match(172.16.0.0/12, id.resp_h) or cidr_match(172.16.0.0/12, id.resp_h)))'
# Only local traffic (int<->int)
z2z '(local_orig == true and local_resp == true)'
# Only local traffic by cidr (int<->int)
z2z '((cidr_match(192.168.0.0/16, id.orig_h) or cidr_match(172.16.0.0/12, id.orig_h) or cidr_match(172.16.0.0/12, id.orig_h)) and (cidr_match(192.168.0.0/16, id.resp_h) or cidr_match(172.16.0.0/12, id.resp_h) or cidr_match(172.16.0.0/12, id.resp_h)))'
# Only remote traffic (ext<->ext)
z2z '(local_orig == false and local_resp == false)'
# Only remote traffic by cidr (ext<->ext)
z2z '(not (cidr_match(192.168.0.0/16, id.orig_h) or cidr_match(172.16.0.0/12, id.orig_h) or cidr_match(172.16.0.0/12, id.orig_h)) and not (cidr_match(192.168.0.0/16, id.resp_h) or cidr_match(172.16.0.0/12, id.resp_h) or cidr_match(172.16.0.0/12, id.resp_h)))'
# Calculate PCR
z2z 'sum_orig=sum(orig_bytes:int64),sum_resp=sum(resp_bytes:int64) by src=id.orig_h,dst=id.resp_h | put pcr=(sum_orig-sum_resp)/(sum_orig+sum_resp+0.001)'