[PLUG] quickie iptables log scan scripts
Paul Heinlein
heinlein at attbi.com
Wed May 22 17:29:00 UTC 2002
With all the reports of that SQL Server script the kiddiez are using
these days -- and the continued Code Red scans that hit my box -- I
thought I'd whip up a couple of little tools to give me some stats.
1. Produce a list of all hosts that send me packets I don't want, sorted
by frequency of unwanted packets, useful for spotting the worst
individual hosts:
#!/bin/sh
# Pull the SRC= address out of every iptables LOG line (rotated logs
# included), then count occurrences and list the noisiest hosts first.
grep 'SRC=' /var/log/messages* | \
    sed 's!.*SRC=\(.*\) DST=.*!\1!' | \
    sort | \
    uniq -c | \
    sort -nr
2. Same list, sorted by ip address, useful to see if certain nets are
esp. bad:
#!/bin/sh
# Same extraction, but sort numerically octet by octet ('.' as the field
# separator) so hosts from the same network end up next to each other.
grep 'SRC=' /var/log/messages* | \
    sed 's!.*SRC=\(.*\) DST=.*!\1!' | \
    sort -n -t. -k 1,1 -k 2,2 -k 3,3 -k 4,4 | \
    uniq -c
3. Sorta sorted list of those hosts, this time with per-port
statistics, useful for spotting scans. Run this perl script against
/var/log/messages*:
#!/usr/bin/perl -w
use strict;

# %list{host}{port} = number of logged packets from host to that port.
my %list;

while ( <> ) {
    # Only lines carrying both a source address and a destination port
    # are counted; ICMP entries have no DPT= field and are skipped.
    my ( $host, $port ) = /^.+ SRC=([^\s]+) DST=.+ DPT=(\d+) \w.*$/;
    next unless $host and $port;
    $list{$host}{$port}++;
}

foreach my $host ( sort keys %list ) {
    print qq/$host: /;
    print join( ', ', map { "$_ ($list{$host}{$_})" }
                      sort keys %{ $list{$host} }
              );
    print "\n";
}
--Paul Heinlein <heinlein at attbi.com>
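An added example, not part of Paul's post: the same per-host, per-port tally as script 3, written as a shell/awk function that also flags a source once it has touched more than a chosen number of distinct ports (the scan pattern script 3 is meant to make visible). The sample log, the hostname "fw" and the RFC 5737 addresses are constructed; lines without DPT= (ICMP, for instance) are counted under "none" instead of being dropped.

```sh
#!/bin/sh
# Added example, not from the original post: per-host/per-port summary of
# iptables LOG lines with a crude scan flag (many distinct ports from one
# source). Feed it the same input as the post's scripts:
#   grep 'SRC=' /var/log/messages* | scan_report 10
# Lines without DPT= (ICMP echo requests, for example) are counted as "none".

scan_report() {
    thr="${1:-10}"   # flag a host once it has hit more than this many ports
    awk -v thr="$thr" '
        /SRC=/ {
            src = ""; dpt = "none"; proto = "?"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
                else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            }
            if (src == "") next
            key = proto "/" dpt
            if (!((src, key) in seen)) { seen[src, key] = 1; ports[src]++ }
            total[src]++
        }
        END {
            # columns: packets distinct_ports host [SCAN?]
            for (h in total) {
                flag = (ports[h] > thr) ? " SCAN?" : ""
                printf "%d %d %s%s\n", total[h], ports[h], h, flag
            }
        }' | sort -rn
}

# Constructed sample log (RFC 5737 test addresses) standing in for
# /var/log/messages; the field layout follows the kernel LOG target.
sample_log() {
    cat <<'EOF'
May 22 10:01:02 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=3456 DPT=1433 SYN
May 22 10:01:03 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=3457 DPT=1433 SYN
May 22 10:02:11 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=3458 DPT=80 SYN
May 22 10:05:40 fw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=21 SYN
May 22 10:05:40 fw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP SPT=40002 DPT=22 SYN
May 22 10:05:41 fw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP SPT=40003 DPT=23 SYN
May 22 10:05:41 fw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP SPT=40004 DPT=25 SYN
May 22 10:07:00 fw kernel: IN=eth0 OUT= SRC=192.0.2.5 DST=198.51.100.5 PROTO=ICMP TYPE=8 CODE=0
EOF
}

sample_log | scan_report 3
```

The threshold only counts distinct protocol/port pairs, so a host that hammers one service (like the 1433 traffic in the post) stays unflagged while still topping the packet column.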