PerlMonks
(code) One-liner parses ippl log for suspicious packets
by ybiC (Prior) on Jan 09, 2002 at 01:29 UTC (Cool Uses for Perl, id://137263)
I've been using this for some time, and having a wee bit o'spare time lately, decided it might possibly maybe perhaps be of use to fellow monks. So without further ado, I offer for your consideration a perl one-liner that can help you to know when your box is being probed by sckiddies and crackers.
ippl is a *nix packet logger. By configuring it to log suspicious packets in a longer format than mundane packets, and by resolving their source address, you can trivially extract info on nefarious goings-on. The example log below illustrates my web server being probed for nonexistent FTP, DNS, and WINS services.
* relevant chunk from ippl.conf:
* sample lines from ippl.log:
* sample munged output:
* from a perlish perspective, it matches any line containing an open-paren *unless* the paren is immediately preceded by the word "time". perldoc perlre says that's a zero-width positive lookahead assertion. Update: Hmmm... props to blakem for cleaner and more recognizable syntax below. I vaguely recall seeing that in perlre, but must've already had this'un working.

    perl -ne 'print if (/\(/ && $` !~ /time$/)' < ippl.log > ippl.noteworthy
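The filter logic of the one-liner, written out as an added Python example (not code from ybiC's post or from the ippl project), so the two regex idioms it relies on can be compared side by side: the prematch form (Perl's $` is the text before the first match) and the negative-lookbehind form the Update alludes to. The log lines are constructed for this example and their field layout is an assumption, not real ippl output; what matters for the filter is only where the open-paren sits relative to the word "time". The example also shows the one edge case where the two forms diverge: a line whose first paren follows "time" but which contains a second, unrelated paren.

```python
import re

# Constructed sample lines in the spirit of an ippl.log. They are NOT real ippl
# output; the field layout is only an assumption for this example. The probed
# services (ftp, dns, netbios-ns) echo the FTP/DNS/WINS probes the post describes.
SAMPLE_LOG = """\
Jan 08 20:09:05 ftp connection attempt from scanner.example.net [192.0.2.10] (port 33101)
Jan 08 20:09:06 http connection attempt from client.example.org
Jan 08 20:09:07 dns connection attempt from scanner.example.net [192.0.2.10] (port 33102)
Jan 08 20:09:08 http connection from client.example.org closed, time(0.4 seconds)
Jan 08 20:09:09 netbios-ns connection attempt from scanner.example.net [192.0.2.10] (port 33103)
Jan 08 20:09:10 http connection from client.example.org closed, time(1.2 seconds) (keepalive)
"""


def noteworthy_prematch(line):
    """Mirror of the one-liner  perl -ne 'print if (/\\(/ && $` !~ /time$/)'.

    Find the FIRST '(' and keep the line unless the text before it (Perl's $`)
    ends in the word 'time'.
    """
    m = re.search(r"\(", line)
    if m is None:
        return False
    prematch = line[:m.start()]  # Python equivalent of Perl's $`
    return re.search(r"time$", prematch) is None


def noteworthy_lookbehind(line):
    """Negative-lookbehind form: keep the line if ANY '(' is not directly preceded by 'time'."""
    return re.search(r"(?<!time)\(", line) is not None


def filter_log(text, predicate=noteworthy_prematch):
    """Return the noteworthy lines of a log, like redirecting to ippl.noteworthy."""
    return [ln for ln in text.splitlines() if predicate(ln)]


def disagreements(text):
    """Lines on which the prematch form and the lookbehind form give different verdicts.

    They differ only when the first '(' follows 'time' but a later '(' does not:
    the prematch form drops such a line, the lookbehind form keeps it.
    """
    return [ln for ln in text.splitlines()
            if noteworthy_prematch(ln) != noteworthy_lookbehind(ln)]


if __name__ == "__main__":
    for ln in filter_log(SAMPLE_LOG):
        print("noteworthy:", ln)
    for ln in disagreements(SAMPLE_LOG):
        print("forms disagree on:", ln)
```

On the constructed sample the prematch form keeps the three probe lines and drops both "time(...)" lines; the lookbehind form additionally keeps the last line because of its trailing "(keepalive)". Which behaviour is wanted depends on what else the longer log format puts in parentheses, so it is worth checking a day's real ippl.log with both forms before settling on one.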