I've been using this for some time, and having a wee bit o'spare time lately, decided it might possibly maybe perhaps be of use to fellow monks. So without further ado, I offer for your consideration a perl one-liner that can help you to know when your box is being probed by sckiddies and crackers.
ippl is a *nix packet logger. By configuring it to log suspicious packets in a longer format than mundane packets, and by resolving their source address, you can trivially extract info on nefarious goings-on. The example log below illustrates my web server being probed for nonexistent FTP, DNS, and WINS services.
* relevant chunk from ippl.conf:
* sample lines from ippl.log:
* sample munged output:
* from a perlish perspective, it matches any line containing an open-paren *unless* the paren is immediately preceded by the word "time". perldoc perlre says that's a zero-width positive lookahead assertion.
Update: Hmmm... props to blakem for cleaner and more recognizable syntax below. I vaguely recall seeing that in perlre, but must've already had this'un working.
perl -ne 'print if (/\(/ && $` !~ /time$/)' < ippl.log > ippl.noteworthy
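Added example (not the original poster's or blakem's code): the one-liner's test wrapped in a function, run over constructed ippl-style lines so the "time(" case is visible, with a per-source tally of the noteworthy lines. The log line format and the `from HOST (` pattern used to pull out the source are assumptions made up for this example, not ippl's actual output.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample lines (assumed format, not real ippl output). Probe
# lines carry a resolved host in parentheses (the longer log format);
# mundane lines only carry a "time(...)" field.
my @log = (
    "Jan  9 03:12:44 tcp connection attempt to ftp from attacker.example (192.0.2.10:4242)",
    "Jan  9 03:12:45 udp datagram to domain from attacker.example (192.0.2.10:53)",
    "Jan  9 03:13:01 tcp connection attempt to www from 198.51.100.7 time(12.3s)",
    "Jan  9 03:14:09 udp datagram to netbios-ns from scanner.example (203.0.113.5:137)",
    "Jan  9 03:15:00 tcp connection attempt to www from 198.51.100.8 time(0.4s)",
);

# Same test as the one-liner: the line contains "(" and the text before
# that first paren ($`, the prematch) does not end in "time".
sub is_noteworthy {
    my ($line) = @_;
    return ( $line =~ /\(/ && $` !~ /time$/ ) ? 1 : 0;
}

# Single-regex form: an open paren not immediately preceded by "time".
# It differs from is_noteworthy only when "time(" comes before another
# paren on the same line, since $` only ever looks at the first paren.
sub is_noteworthy_lookbehind {
    my ($line) = @_;
    return $line =~ /(?<!time)\(/ ? 1 : 0;
}

# Count noteworthy lines per source host (the "from HOST (" pattern is
# an assumption tied to the constructed lines above).
sub tally_sources {
    my %count;
    for my $line (@_) {
        next unless is_noteworthy($line);
        my ($host) = $line =~ /from (\S+) \(/;
        $count{ $host // 'unknown' }++;
    }
    return \%count;
}

for my $line (@log) {
    die "filters disagree on: $line"
        unless is_noteworthy($line) == is_noteworthy_lookbehind($line);
}
print "$_\n" for grep { is_noteworthy($_) } @log;
my $tally = tally_sources(@log);
printf "%-20s %d\n", $_, $tally->{$_} for sort keys %$tally;
```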
Re: One-liner parses ippl log for suspicious packets
by blakem (Monsignor) on Jan 09, 2002 at 04:20 UTC