[PLUG] quickie iptables log scan scripts

Paul Heinlein heinlein at attbi.com
Wed May 22 17:29:00 UTC 2002


With all the reports of that SQL Server script the kiddiez are using 
these days -- and the continued Code Red scans that hit my box -- I 
thought I'd whip up a couple of little tools to give me some stats.

1. Produce a list of all hosts that send me packets I don't want, sorted 
   by frequency of unwanted packets, useful for spotting the worst 
   individual hosts:

   #!/bin/sh
   # Pull the SRC= address out of every iptables LOG line (grep's
   # filename prefix is discarded by the sed), count the occurrences
   # of each address, and list the noisiest sources first.

   grep 'SRC=' /var/log/messages* | \
   sed 's!.*SRC=\(.*\) DST=.*!\1!' | \
   sort | \
   uniq -c | \
   sort -nr

2. Same list, sorted by IP address, useful to see if certain nets are 
   especially bad:

   #!/bin/sh
   # Same extraction, but order the addresses numerically octet by
   # octet (a plain string sort would put 10.0.0.40 before 9.9.9.9),
   # then count adjacent duplicates.

   grep 'SRC=' /var/log/messages* | \
   sed 's!.*SRC=\(.*\) DST=.*!\1!' | \
   sort -t. -k1,1n -k2,2n -k3,3n -k4,4n | \
   uniq -c

3. Sorta sorted list of those hosts, this time with per-port 
   statistics, useful for spotting scans. Run this Perl script against 
   /var/log/messages*:

   #!/usr/bin/perl -w
   use strict;

   # Count (source host, destination port) pairs seen in iptables LOG
   # lines. Lines without a DPT= field (ICMP, for instance) are skipped.
   my %list;
   while ( <> ) {
     my ( $host, $port ) = /SRC=(\S+) DST=.+ DPT=(\d+)\b/;
     next unless $host and $port;
     $list{$host}{$port}++;
   }

   # Hosts come out in string order (so 10.0.0.40 precedes 10.0.0.5);
   # the ports within a host are sorted numerically.
   foreach my $host ( sort keys %list ) {
     print qq/$host: /;
     print join( ', ', map { "$_ ($list{$host}{$_})" }
                           sort { $a <=> $b } keys %{ $list{$host} }
           );
     print "\n";
   }

--Paul Heinlein <heinlein at attbi.com>
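
Editor's added example, not part of Paul's post: the three reports above 
as shell functions, run over constructed iptables LOG lines (the stock 
LOG target format as a 2.4-era kernel hands it to syslog; the addresses, 
timestamps and function names are made up for the illustration). It goes 
a little beyond the originals in that addresses are ordered numerically 
in every report, ports within a host are ordered numerically, and lines 
with no DPT= field (ICMP, for instance) are skipped explicitly instead 
of falling out of a regex by accident.

```sh
#!/bin/sh
# Added example (not from the original post): the three PLUG reports as
# functions, run against constructed iptables LOG lines. Function names
# are made up; the line layout is the stock iptables LOG target output.

# Constructed sample input, not real traffic.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
May 22 09:12:01 gw kernel: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=10.0.0.5 DST=203.0.113.9 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=1234 DF PROTO=TCP SPT=3456 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
May 22 09:12:03 gw kernel: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.0.2.77 DST=203.0.113.9 LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=9982 DF PROTO=TCP SPT=2100 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
May 22 09:12:05 gw kernel: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=10.0.0.5 DST=203.0.113.9 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=1235 DF PROTO=TCP SPT=3457 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
May 22 09:12:09 gw kernel: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=9.9.9.9 DST=203.0.113.9 LEN=84 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=1
May 22 09:12:11 gw kernel: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=10.0.0.40 DST=203.0.113.9 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=555 DF PROTO=TCP SPT=4000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
May 22 09:12:14 gw kernel: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=10.0.0.5 DST=203.0.113.9 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=1236 DF PROTO=TCP SPT=3458 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
May 22 09:12:20 gw kernel: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.0.2.77 DST=203.0.113.9 LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=9983 DF PROTO=TCP SPT=2101 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
May 22 09:12:31 gw kernel: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=10.0.0.5 DST=203.0.113.9 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=1237 DF PROTO=TCP SPT=3459 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
EOF

# src_addrs FILE: one SRC= address per LOG line. [^ ]* stops at the
# space before DST=, so nothing else on the line can leak into the field.
src_addrs() {
    sed -n 's/.*SRC=\([^ ]*\) .*/\1/p' "$1"
}

# worst_hosts FILE: report 1, sources by descending packet count.
worst_hosts() {
    src_addrs "$1" | sort | uniq -c | sort -nr
}

# hosts_by_ip FILE: report 2, the same counts ordered numerically per
# octet (a string sort would put 10.0.0.40 before 10.0.0.5 and 9.9.9.9 last).
hosts_by_ip() {
    src_addrs "$1" | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n | uniq -c
}

# port_scan_report FILE: report 3, "host: port (n), port (n), ..." with
# hosts in numeric address order and ports in numeric order. Lines with
# no DPT= field (ICMP, for instance) are skipped rather than miscounted.
port_scan_report() {
    awk '
        /SRC=/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)      src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt != "") n[src " " dpt]++
        }
        END {
            # emit "o1 o2 o3 o4 port count host" so sort can key on numbers
            for (k in n) {
                split(k, kv, " "); split(kv[1], o, ".")
                print o[1], o[2], o[3], o[4], kv[2], n[k], kv[1]
            }
        }
    ' "$1" |
    sort -k1,1n -k2,2n -k3,3n -k4,4n -k5,5n |
    awk '
        $7 != host { if (host != "") print line
                     host = $7; line = host ":"; sep = " " }
        { line = line sep $5 " (" $6 ")"; sep = ", " }
        END { if (host != "") print line }
    '
}

echo "== worst hosts ==";      worst_hosts "$SAMPLE_LOG"
echo "== hosts by address =="; hosts_by_ip "$SAMPLE_LOG"
echo "== ports per host ==";   port_scan_report "$SAMPLE_LOG"
```

Run it with sh; the sample file is removed on exit. Against real logs, 
drop the sample block and hand each function a single file, or cat the 
rotated files together first (cat /var/log/messages* | ... with "$1" 
replaced by nothing), since the functions read one path argument.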