PerlMonks
(code) One-liner parses ippl log for suspicious packets

by ybiC (Prior)
on Jan 09, 2002 at 01:29 UTC (#137263=snippet)

Description: I've been using this for some time, and having a wee bit o'spare time lately, decided it might possibly maybe perhaps be of use to fellow monks.   So without further ado, I offer for your consideration a perl one-liner that can help you to know when your box is being probed by sckiddies and crackers.

ippl is a *nix packet logger. By configuring it to log suspicious packets in a longer format than mundane packets, and by resolving their source address, you can trivially extract info on nefarious goings-on. The example log below illustrates my web server being probed for nonexistent FTP, DNS, and WINS services.

* relevant chunk from ippl.conf:

noresolve all
logformat normal all
log options resolve,detaild tcp port ftp
log options resolve,detaild tcp port domain    # zone xfer
log options resolve,detaild udp port netbios-ns
etc...

* sample lines from ippl.log:

Nov 2 20:14:19 www connection attempt from 199.8.65.44
Nov 2 22:03:34 last message repeated 47 time(s)
Nov 2 22:34:49 ftp connection attempt from ts1-850.f1781.quebectel.com [142.169.225.139] (142.169.225.139:21->204.27.0.137:21)
Nov 3 18:03:09 domain connection attempt from cha213245016252.chello.fr [213.245.16.252] (213.245.16.252:4709->204.27.0.137:53)
Nov 4 09:34:28 netbios-ns connection attempt from pD905543D.dip.t-dialin.net [217.5.84.61] (217.5.84.61:4642->204.27.0.137:137)

* sample munged output:

Nov 2 22:34:49 ftp connection attempt from ts1-850.f1781.quebectel.com [142.169.225.139] (142.169.225.139:21->204.27.0.137:21)
Nov 3 18:03:09 domain connection attempt from cha213245016252.chello.fr [213.245.16.252] (213.245.16.252:4709->204.27.0.137:53)
Nov 4 09:34:28 netbios-ns connection attempt from pD905543D.dip.t-dialin.net [217.5.84.61] (217.5.84.61:4642->204.27.0.137:137)

* from a perlish perspective, it matches any line containing an open-paren *unless* the paren is immediately preceded by the word "time". perldoc perlre says that's a zero-width positive lookahead assertion.

Update: Hmmm... props to blakem for cleaner and more recognizable syntax below. I vaguely recall seeing that in perlre, but must've already had this'un working.

perl -ne 'print if (/\(/ && $` !~ /time$/)' < ippl.log > ippl.noteworthy

Re: One-liner parses ippl log for suspicious packets
by blakem (Monsignor) on Jan 09, 2002 at 04:20 UTC
    From perlre:
    `(?<!pattern)' A zero-width negative look-behind assertion. For example `/(?<!bar)foo/' matches any occurrence of "foo" that does not follow "bar". Works only for fixed-width look-behind.
    So, how about:
    perl -ne 'print if /(?<!time)\(/' < ippl.log > ippl.noteworthy

    -Blake
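The one-liners in the post and in blakem's reply only keep or drop whole lines. As an added example that is neither the original poster's code nor part of ippl, the script below uses blakem's `(?<!time)\(` filter and then goes one step further: it splits each detailed record into its fields and tallies probes by service and by source address, which is the information you actually want when deciding whether one host is scanning you. The field names (`date`, `service`, `host`, `ip`, `src`, `sport`, `dst`, `dport`) are this example's own, and the embedded sample log is constructed from the lines quoted in the post.

```perl
#!/usr/bin/perl
# Added example, not from the original post or from ippl itself: filter an
# ippl.log with the thread's negative look-behind, then pull the fields out
# of each detailed record and tally probes by service and by source address.
use strict;
use warnings;

# Constructed sample input modelled on the lines quoted in the post.
my @log = (
    'Nov  2 20:14:19 www connection attempt from 199.8.65.44',
    'Nov  2 22:03:34 last message repeated 47 time(s)',
    'Nov  2 22:34:49 ftp connection attempt from ts1-850.f1781.quebectel.com [142.169.225.139] (142.169.225.139:21->204.27.0.137:21)',
    'Nov  3 18:03:09 domain connection attempt from cha213245016252.chello.fr [213.245.16.252] (213.245.16.252:4709->204.27.0.137:53)',
    'Nov  4 09:34:28 netbios-ns connection attempt from pD905543D.dip.t-dialin.net [217.5.84.61] (217.5.84.61:4642->204.27.0.137:137)',
);

# blakem's filter: an open paren that is not immediately preceded by "time",
# so "last message repeated N time(s)" lines are skipped.
sub noteworthy {
    my ($line) = @_;
    return $line =~ /(?<!time)\(/ ? 1 : 0;
}

# Split a detailed ippl record into its fields; returns undef when the line
# is not a detailed "(src:port->dst:port)" record.
sub parse_line {
    my ($line) = @_;
    return unless noteworthy($line);
    my @f = $line =~ m{
        ^(\w{3}\s+\d+\s+[\d:]+)\s+            # syslog timestamp
        (\S+)\s+connection\ attempt\ from\s+  # service name as ippl logs it
        (\S+)\s+\[([\d.]+)\]\s+               # resolved host and its address
        \(([\d.]+):(\d+)->([\d.]+):(\d+)\)    # src:port->dst:port
    }x or return;
    my %r;
    @r{qw(date service host ip src sport dst dport)} = @f;
    return \%r;
}

my (%by_service, %by_source);
for my $line (@log) {
    my $r = parse_line($line) or next;
    $by_service{ $r->{service} }++;
    $by_source{ $r->{src} }++;
    printf "%-15s %-10s %-15s -> %s:%s\n",
        @{$r}{qw(date service src dst dport)};
}
print "\nby service: ",
    join(', ', map { "$_=$by_service{$_}" } sort keys %by_service), "\n";
print "by source:  ",
    join(', ', map { "$_=$by_source{$_}" } sort keys %by_source), "\n";
```

To run it against a real log, replace the `@log` array with `<>` and feed it `ippl.log` on standard input. One caveat worth keeping in mind with either one-liner and with this script: the "last message repeated N time(s)" lines are deliberately discarded, so a burst of identical probes is counted once, not N times; carrying the count forward would mean remembering the previous record and adding N to its tally.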
