From 119acc8e583f2eb2675ddf07f7cc688e2f25ea1c Mon Sep 17 00:00:00 2001 From: Baza-86 <34928421+Baza-86@users.noreply.github.com> Date: Fri, 14 Jun 2024 09:45:48 +0100 Subject: [PATCH 1/3] Create flow_count_ingress_named_subnets.sql Added query to count ingress flow traffic with named subnets and IP addresses. --- queries/flow_count_ingress_named_subnets.sql | 70 ++++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100644 queries/flow_count_ingress_named_subnets.sql diff --git a/queries/flow_count_ingress_named_subnets.sql b/queries/flow_count_ingress_named_subnets.sql new file mode 100644 index 0000000..a431101 --- /dev/null +++ b/queries/flow_count_ingress_named_subnets.sql 
@@ -0,0 +1,70 @@ +/* +Query to return ingress packet flow counts for a given interface that provides named IP addresses and subnets. +You can repeat the WHEN THEN statements to add other named IP addresses and subnets. + +The query also adds the 'initiator' column to work out if the interface is likely acting as the client or server +in the captured flow. This is simply done by comparing the srcport to dstport, and where the srcport is greater +than the dstport. The flow is labelled as client, where dstport > srcport the flow is labelled as initiator. +This isn’t exact, but works in most cases. + +Replace the following values in the query: +------------------------------------------ + - IP address to name should be in x.x.x.x format (e.g. 10.1.1.1) + - The name label for IP_ADDR_1 + - Subnet to name, should be in CIDR notation (e.g. 10.0.0.0/24) + - The name label for IP_SUBNET_1 +.. - The datasource, database, and table to query against + - Month to query in, in mm format (e.g. 06) + - Year to query in, in yyyy format (e.g. 2024) + - The interface ID to return results for. Can remove to query for all results + - Add this in CIDR notation to return results for specific subnets + +*/ +SELECT + COUNT("interface_id") as flow_count, + interface_id, + CASE + WHEN protocol = 6 + THEN 'tcp' + WHEN protocol = 17 + THEN 'udp' + WHEN protocol = 1 + THEN 'icmp' + ELSE 'other' + END as protocol, + flow_direction, + srcaddr, + CASE + WHEN srcaddr = + THEN + WHEN contains(, cast(srcaddr as IPADDRESS)) + THEN 'NAMED_SUBNET' + ELSE 'other' + END as in_subnet, + srcport, + dstaddr, + dstport, + CASE + WHEN srcport > dstport + THEN 'server' + ELSE 'client' + END as initator +FROM + ..
+WHERE + dstport is not null + and month= and year= + and action='ACCEPT' + and interface_id= + and flow_direction = 'ingress' + /* uncomment the next line to only return data for a specific subnet */ + --and contains(, cast(srcaddr as IPADDRESS)) +GROUP BY + interface_id, + protocol, + flow_direction, + srcaddr, + srcport, + dstaddr, + dstport +ORDER by flow_count desc From f911ff6ff5d92fc532ab238c5ec54c2c33aaaf2e Mon Sep 17 00:00:00 2001 From: Baza-86 <34928421+Baza-86@users.noreply.github.com> Date: Fri, 14 Jun 2024 10:01:05 +0100 Subject: [PATCH 2/3] Create flow_count_egress_named_subnets.sql added query for returning egress flow traffic with named subnets and IP addresses. --- queries/flow_count_egress_named_subnets.sql | 70 +++++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100644 queries/flow_count_egress_named_subnets.sql diff --git a/queries/flow_count_egress_named_subnets.sql b/queries/flow_count_egress_named_subnets.sql new file mode 100644 index 0000000..968804a --- /dev/null +++ b/queries/flow_count_egress_named_subnets.sql @@ -0,0 +1,70 @@ +/* +Query to return egress packet flow counts for a given interface that provides named IP addresses and subnets. +You can repeat the WHEN THEN statements to add other named IP addresses and subnets. + +The query also adds the 'initiator' column to work out if the interface is likely acting as the client or server +in the captured flow. This is simply done by comparing the srcport to dstport. +Where the dstport > srcport, the flow is labelled as server. Where dstport < srcport the flow is labelled as client. +This isn’t exact, but works in most cases. + +Replace the following values in the query: +------------------------------------------ + - IP address to name should be in x.x.x.x format (e.g. 10.1.1.1) + - The name label for IP_ADDR_1 + - Subnet to name, should be in CIDR notation (e.g. 10.0.0.0/24) + - The name label for IP_SUBNET_1 +..
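Review bot: In the `in_subnet` CASE the subnet branch returns the fixed literal `'NAMED_SUBNET'` instead of the name label the header comment asks the user to supply for IP_SUBNET_1, so that label is never used; the egress file's matching branch does use a placeholder, and patch 3/3 re-indents these lines without changing it. Replace the literal with the placeholder, e.g. `THEN <IP_SUBNET_1_NAME>`. The output alias `END as initator` is misspelled while the header describes an 'initiator' column; the same alias appears in flow_count_egress_named_subnets.sql, so rename both to `END as initiator`. `GROUP BY protocol` names the raw column while the select list aliases the CASE expression as `protocol`; depending on how the engine resolves that name, each unmapped protocol number may produce its own 'other' row for the same address/port tuple, so grouping by the CASE expression (or giving the alias a distinct name) would make the intent explicit.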
- The datasource, database, and table to query against + - Month to query in, in mm format (e.g. 06) + - Year to query in, in yyyy format (e.g. 2024) + - The interface ID to return results for. Can remove to query for all results + - Add this in CIDR notation to return results for specific subnets + +*/ +SELECT + COUNT("interface_id") as flow_count, + interface_id, + CASE + WHEN protocol = 6 + THEN 'tcp' + WHEN protocol = 17 + THEN 'udp' + WHEN protocol = 1 + THEN 'icmp' + ELSE 'other' + END as protocol, + flow_direction, + CASE + WHEN dstaddr = + THEN + WHEN contains(, cast(dstaddr as IPADDRESS)) + THEN + ELSE 'other' + END as in_subnet, + srcaddr, + srcport, + dstaddr, + dstport, + CASE + WHEN srcport < dstport + THEN 'server' + ELSE 'client' + END as initator +FROM + ..
+WHERE + dstport is not null + and month= and year= + and action='ACCEPT' + and interface_id= + and flow_direction = 'egress' + /* uncomment next line to return results for specific subnet */ + --and contains(, cast(dstaddr as IPADDRESS)) +GROUP BY + interface_id, + protocol, + flow_direction, + srcaddr, + srcport, + dstaddr, + dstport +ORDER by flow_count desc From 6c3efa99c0b7c1abe98784b5fad05df634d64411 Mon Sep 17 00:00:00 2001 From: Baza-86 <34928421+Baza-86@users.noreply.github.com> Date: Fri, 14 Jun 2024 10:07:08 +0100 Subject: [PATCH 3/3] Update flow_count_ingress_named_subnets.sql * corrected comments * corrected CASE indentation * moved srcaddr after in_subnet --- queries/flow_count_ingress_named_subnets.sql | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/queries/flow_count_ingress_named_subnets.sql b/queries/flow_count_ingress_named_subnets.sql index a431101..1efaaff 100644 --- a/queries/flow_count_ingress_named_subnets.sql +++ b/queries/flow_count_ingress_named_subnets.sql @@ -3,9 +3,8 @@ Query to return ingress packet flow counts for a given interface that provides n You can repeat the WHEN THEN statements to add other named IP addresses and subnets. The query also adds the 'initiator' column to work out if the interface is likely acting as the client or server -in the captured flow. This is simply done by comparing the srcport to dstport, and where the srcport is greater -than the dstport. The flow is labelled as client, where dstport > srcport the flow is labelled as initiator. -This isn’t exact, but works in most cases. +in the captured flow. This is simply done by comparing the srcport to dstport. Where the srcport > dstport the flow +is labelled as server. Where srcport < dstport the flow is labelled as client. This isn’t exact, but works in most cases. Replace the following values in the query: ------------------------------------------ 
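Review bot: The `initator` CASE labels a flow 'client' whenever `srcport < dstport` is false, so `srcport = dstport` ties and protocol-1 (icmp) rows, whose port columns presumably do not carry service ports, are silently classed as client; the ingress query has the same fall-through. An explicit branch such as `WHEN protocol = 1 OR srcport = dstport THEN 'unknown'` placed before the existing WHEN keeps the heuristic honest, and the header comment should say how ties are labelled. Separately, `cast(dstaddr as IPADDRESS)` in both the `in_subnet` CASE and the commented-out WHERE filter aborts the whole query if the column ever holds a non-address value (some flow-log exports write a `-` sentinel in address fields — verify for this table); if the engine supports it, `try_cast(dstaddr as IPADDRESS)` yields NULL for such rows and lets them fall to the ELSE branch instead.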
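Review bot: The rewritten 'initiator' paragraph describes only the `srcport > dstport` and `srcport < dstport` outcomes, but the CASE it documents has no equality branch, so `srcport = dstport` rows fall through to 'client'; add `Where the ports are equal the flow falls through to client.` so the comment matches the query. The enclosing header comment block starts before and ends after this hunk.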
@@ -33,14 +32,14 @@ SELECT ELSE 'other' END as protocol, flow_direction, - srcaddr, CASE - WHEN srcaddr = - THEN - WHEN contains(, cast(srcaddr as IPADDRESS)) - THEN 'NAMED_SUBNET' - ELSE 'other' + WHEN srcaddr = + THEN + WHEN contains(, cast(srcaddr as IPADDRESS)) + THEN 'NAMED_SUBNET' + ELSE 'other' END as in_subnet, + srcaddr, srcport, dstaddr, dstport,