DNS Pattern Requests Violation
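-- Detection rule: DNS queries whose queried name carries a run of at least
-- five digits but is NOT shaped like a dotted-quad IPv4 address. Matching
-- events are streamed (dns, ipv4, udp fields) into
-- dns_pattern_requests_violation.
--
-- Caveats a detection engineer should know before relying on this rule:
--   * '(\d.*?){5,}' is a crude heuristic for algorithmically generated or
--     encoded/tunnelled labels. Legitimate hostnames with many digits
--     (CDN edge nodes, timestamped or numbered hosts) match too, so expect
--     false positives and tune against a baseline before alerting on it.
--   * The IPv4 exclusion only drops names that literally contain a dotted
--     quad; an address encoded any other way (hex, decimal, split across
--     labels) is still reported.
--   * Only the first question record (dns_question[0]) is inspected;
--     whether that index is 0- or 1-based depends on the engine -- confirm.

-- presumably creates the target stream/table if it does not exist yet --
-- verify against the engine's docs.
SET autocreate=true;

INSERT INTO dns_pattern_requests_violation
-- Tag every query with both regex results. Both are assumed to yield an
-- array of matches that is NULL or empty when nothing matched -- confirm
-- which of the two this engine returns.
WITH log_regex AS (
    SELECT STREAM
        dns,
        ipv4,
        udp,
        regexp(dns.dns_question[0].name, '(\d.*?){5,}') AS rule_numbers,
        regexp(dns.dns_question[0].name, '\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}') AS rule_is_ip
    FROM `DNS_DHCP_TRAFFIC`
)
SELECT STREAM
    dns,
    ipv4,
    udp
FROM log_regex
-- Must have matched the digit-run pattern ...
WHERE (rule_numbers IS NOT NULL AND ARRAY_SIZE(rule_numbers) > 0)
-- ... and must NOT look like an IPv4 address. "No match" is either a NULL
-- array or an empty one, never both at once, so the exclusion must be an OR.
-- The original "IS NULL AND ARRAY_SIZE(...) = 0" can only hold if
-- ARRAY_SIZE(NULL) returns 0; on any engine where it returns NULL the
-- predicate is never true and the rule silently never fires.
  AND (rule_is_ip IS NULL OR ARRAY_SIZE(rule_is_ip) = 0)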