Re: what's wrong with this grep?
Hi, first of all, thanks to those who helped. Sorry to karsten, who seems
to dislike yahoo mail; I'll get a decent mua next time. However, I still
need a bit more help. Here's the list of my scripts that clearly need
cleaning/fixing (see below); I've included the data for clarity.
data: scans.txt
Jun 9 00:03:09 MY.NET.98.162:6112 -> 24.130.240.72:6112 UDP
Jun 9 00:03:09 MY.NET.98.162:6112 -> 172.158.9.12:6112 UDP
Jun 9 00:03:10 MY.NET.98.162:6112 -> 24.190.43.195:6112 UDP
Jun 9 00:15:31 144.51.17.1:53 -> MY.NET.98.126:1219 UDP
Jun 9 00:15:31 144.51.17.1:53 -> MY.NET.98.126:1220 UDP
Jun 9 00:15:31 144.51.17.1:53 -> MY.NET.98.126:1221 UDP
Jun 9 00:15:32 144.51.17.1:53 -> MY.NET.98.126:1222 UDP
#tally number of src ips
$ grep '..:..:' scans.txt | cut -d '>' -f 1 | cut -d ' ' -f 4 | cut -d ':' -f 1 \
    | tr -d ' ' | sort | uniq -c | sort -nr > scan_src_ips_test.log
#tally number of dst ips
$ grep '..:..:' scans.txt | cut -d '>' -f 2 | cut -d ':' -f 1 \
    | tr -d ' ' | sort | uniq -c | sort -nr > scan_dst_ips_test.log
#tally number of dst ports
$ grep '..:..:' scans.txt | cut -d '>' -f 2 | cut -d ':' -f 2 | cut -d ' ' -f 1 \
    | tr -d ' ' | sort | uniq -c | sort -nr > scan.dst.ports.log
data: alert.txt
08/28-00:00:06.008691 [**] SMB Name Wildcard [**] 200.187.133.51:137 -> MY.NET.132.10:137
08/28-00:16:52.761152 [**] spp_portscan: PORTSCAN DETECTED from MY.NET.201.42 (THRESHOLD 7 connections in 2 seconds) [**]
08/28-00:16:57.561511 [**] spp_portscan: portscan status from MY.NET.201.42: 21 connections across 19 hosts: TCP(0), UDP(21) [**]
08/28-00:17:03.490019 [**] spp_portscan: portscan status from MY.NET.201.42: 2 connections across 2 hosts: TCP(0), UDP(2) [**]
08/28-00:17:05.644140 [**] spp_portscan: PORTSCAN DETECTED from 142.179.38.136 (STEALTH) [**]
08/28-16:48:30.119883 [**] Possible trojan server activity [**] MY.NET.202.42:3530 -> 128.60.33.72:27374
08/28-16:48:30.119933 [**] Possible trojan server activity [**] MY.NET.202.42:3527 -> 128.60.33.69:27374
08/28-17:58:58.378913 [**] Watchlist 000220 IL-ISDNNET-990517 [**] 212.179.43.225:32532 -> MY.NET.225.22:6346
08/28-17:59:00.641257 [**] Watchlist 000220 IL-ISDNNET-990517 [**] 212.179.43.225:32532 -> MY.NET.225.22:6346
08/28-17:59:02.299542 [**] Watchlist 000220 IL-ISDNNET-990517 [**] 212.179.43.225:32532 -> MY.NET.225.22:6346
03/24-00:16:03.220881 [**] spp_portscan: PORTSCAN DETECTED from MY.NET.11.8 (THRESHOLD 4 connections exceeded in 6 seconds) [**]
03/24-00:16:03.515447 [**] spp_portscan: portscan status from MY.NET.11.8: 9 connections across 9 hosts: TCP(0), UDP(9) [**]
03/24-00:16:03.843841 [**] spp_portscan: portscan status from MY.NET.11.8: 8 connections across 8 hosts: TCP(0), UDP(8) [**]
03/24-00:16:04.105264 [**] spp_portscan: portscan status from MY.NET.11.8: 3 connections across 3 hosts: TCP(0), UDP(3) [**]
#tally number of spp_portscans and the corresponding ips
help?
#tally number of destination ips
grep "\[\*\*\]" alerts.txt | grep -v spp_portscan | cut -d \> -f 2 \
    | cut -d : -f 1 | sed s/\ //g | sort | uniq -c | sort -nr > alerts.dstips.log
#tally number of destination ports
grep "\[\*\*\]" alerts.txt | grep -v spp_portscan | grep -v Tiny\ Fragments \
    | grep -v ICMP\ SRC | cut -d \> -f 2 | cut -d : -f 2 | sed s/\ //g \
    | sort | uniq -c | sort -nr > alerts.dstports.log
#tally number of src ips
grep "\[\*\*\]" alerts.txt | grep -v spp_portscan | cut -d \] -f 3 \
    | cut -d \- -f 1 | cut -d : -f 1 | sed s/\ //g >> alerts.srcips.log.unsorted
grep PORTSCAN alerts.txt | cut -d \] -f 2 | cut -d \ -f 6 | sed s/\ //g \
    >> alerts.srcips.log.unsorted
cat alerts.srcips.log.unsorted | sort | uniq -c | sort -nr > alerts.srcips.log
--
To UNSUBSCRIBE, email to debian-user-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
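One way to do the tally the poster asks for under "tally number of spp_portscans and the corresponding ips". This is an added example, not code from the post or the list: it keys on the word after "from" with awk rather than a fixed cut field, so it does not depend on where the IP lands in the variable-length PORTSCAN DETECTED text, and it separately sums the "portscan status" lines to size each scan. The ALERTS sample is constructed from the alert.txt excerpt above, with each alert on one line as Snort writes it.

```shell
#!/bin/sh
# Constructed sample, modelled on the alert.txt lines quoted in the post.
ALERTS='08/28-00:00:06.008691 [**] SMB Name Wildcard [**] 200.187.133.51:137 -> MY.NET.132.10:137
08/28-00:16:52.761152 [**] spp_portscan: PORTSCAN DETECTED from MY.NET.201.42 (THRESHOLD 7 connections in 2 seconds) [**]
08/28-00:16:57.561511 [**] spp_portscan: portscan status from MY.NET.201.42: 21 connections across 19 hosts: TCP(0), UDP(21) [**]
08/28-00:17:03.490019 [**] spp_portscan: portscan status from MY.NET.201.42: 2 connections across 2 hosts: TCP(0), UDP(2) [**]
08/28-00:17:05.644140 [**] spp_portscan: PORTSCAN DETECTED from 142.179.38.136 (STEALTH) [**]
03/24-00:16:03.220881 [**] spp_portscan: PORTSCAN DETECTED from MY.NET.11.8 (THRESHOLD 4 connections exceeded in 6 seconds) [**]
03/24-00:16:03.515447 [**] spp_portscan: portscan status from MY.NET.11.8: 9 connections across 9 hosts: TCP(0), UDP(9) [**]
03/24-00:16:03.843841 [**] spp_portscan: portscan status from MY.NET.11.8: 8 connections across 8 hosts: TCP(0), UDP(8) [**]
03/24-00:16:04.105264 [**] spp_portscan: portscan status from MY.NET.11.8: 3 connections across 3 hosts: TCP(0), UDP(3) [**]
03/24-01:02:11.000000 [**] spp_portscan: PORTSCAN DETECTED from MY.NET.11.8 (THRESHOLD 4 connections exceeded in 6 seconds) [**]'

# How many times each source tripped "PORTSCAN DETECTED". The IP is taken as
# the word after "from", so the THRESHOLD/STEALTH text that follows it and the
# exact field position do not matter. Progress ("portscan status") lines are skipped.
portscan_detected_by_ip() {
    printf '%s\n' "$ALERTS" |
    awk '/spp_portscan: PORTSCAN DETECTED from/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) printf "%7d %s\n", n[ip], ip }' |
    LC_ALL=C sort -k1,1nr -k2,2
}

# Sum the "N connections across M hosts" status lines per source, which gives
# a rough size of each scan rather than just how often the preprocessor fired.
# The IP on these lines carries a trailing ":" that has to be stripped.
portscan_connections_by_ip() {
    printf '%s\n' "$ALERTS" |
    awk '/spp_portscan: portscan status from/ {
            for (i = 1; i <= NF; i++) if ($i == "from") {
                ip = $(i+1); sub(/:$/, "", ip)
                conns[ip] += $(i+2); hosts[ip] += $(i+5); break
            }
         }
         END { for (ip in conns) printf "%7d connections %5d hosts %s\n", conns[ip], hosts[ip], ip }' |
    LC_ALL=C sort -k1,1nr -k5,5
}

portscan_detected_by_ip
portscan_connections_by_ip
```

To run it over the real file, replace the printf of $ALERTS with `cat alerts.txt`.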