Beefy Boxes and Bandwidth Generously Provided by pair Networks
good chemistry is complicated,
and a little bit messy -LW
 
PerlMonks  

(code) One-liner parses ippl log for suspicious packets

by ybiC (Prior)
on Jan 09, 2002 at 01:29 UTC ( #137263=snippet: print w/ replies, xml ) Need Help??

Description: I've been using this for some time, and having a wee bit o'spare time lately, decided it might possibly maybe perhaps be of use to fellow monks.   So without further ado, I offer for your consideration a perl one-liner that can help you to know when your box is being probed by sckiddies and crackers.

ippl is a *nix packet logger.   By configuring it to log suspicous packets in a longer format than mundane packets, and by resolving their source address, you can trivially extract info on nefarious goings-on.   The example log below illustrates my web server being probed for nonexistant FTP, DNS, and WINS services.

* relevent chunk from ippl.conf:

noresolve all logformat normal all log options resolve,detaild tcp port ftp log options resolve,detaild tcp port domain # zone xfer log options resolve,detaild udp port netbios-ns etc...

* sample lines from ippl.log:

Nov 2 20:14:19 www connection attempt from 199.8.65.44 Nov 2 22:03:34 last message repeated 47 time(s) Nov 2 22:34:49 ftp connection attempt from ts1-850.f1781.quebectel.co +m [142.169.225.139] (142.169.225.139:21->204.27.0.137:21) Nov 3 18:03:09 domain connection attempt from cha213245016252.chello. +fr [213.245.16.252] (213.245.16.252:4709->204.27.0.137:53) Nov 4 09:34:28 netbios-ns connection attempt from pD905543D.dip.t-dia +lin.net [217.5.84.61] (217.5.84.61:4642->204.27.0.137:137)

* sample munged output:

Nov 2 22:34:49 ftp connection attempt from ts1-850.f1781.quebectel.co +m [142.169.225.139] (142.169.225.139:21->204.27.0.137:21) Nov 3 18:03:09 domain connection attempt from cha213245016252.chello. +fr [213.245.16.252] (213.245.16.252:4709->204.27.0.137:53) Nov 4 09:34:28 netbios-ns connection attempt from pD905543D.dip.t-dia +lin.net [217.5.84.61] (217.5.84.61:4642->204.27.0.137:137)

* from a perlish perspective, it matches any line containing an open-paren *unless* the paren is immediately preceeded by the word "time".   perldoc perlre says that's a zero-width positive lookahead assertion.

Update: Hmmm... props to blakem for cleaner and more recognizable syntax below.   I vaguely recall seeing that in perlre, but must've already had this'un working.



perl -ne 'print if (/\(/ && $` !~ /time$/)' < ippl.log > ippl.noteworthy

Comment on (code) One-liner parses ippl log for suspicious packets
Download Code
Re: One-liner parses ippl log for suspicious packets
by blakem (Monsignor) on Jan 09, 2002 at 04:20 UTC
    From perlre:
    `(?<!pattern)' A zero-width negative look-behind assertion. For example `/(?<!bar)foo/' matches any occurrence of "foo" that does not follow "bar". Works only for fixed-width look-behind.
    So, how about:
    perl -ne 'print if /(?<!time)\(/' < ippl.log > ippl.noteworthy

    -Blake

Back to Snippets Section

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: snippet [id://137263]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others surveying the Monastery: (5)
As of 2014-08-02 08:57 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    Who would be the most fun to work for?















    Results (55 votes), past polls