Re: lug-bg: tail -f | grep ... | cut ... | awk ...
- Subject: Re: lug-bg: tail -f | grep ... | cut ... | awk ...
- From: vlk@xxxxxxxxxxxxxxxxx (Vesselin Kolev)
- Date: Thu, 31 Jan 2002 12:11:23 +0200
To avoid any ambiguity, I'm posting the whole problem.
A program writes scans of port 80 and other ports to a log file, scanning
the packets for bad requests, including Code Red.
The goal is the following:
To watch the information appended to the log file in REAL time,
to extract the IP address from that information and add it to the
IPTABLES/IPCHAINS rule table. It is mandatory that this happens in
real time.
So I'm absolutely sure that now everyone will tell me to use cat and
scan the file from time to time... I say that this is not a solution
and doesn't protect against the bad requests at all, etc...
As soon as the intruder's IP address is detected, the connection with him
must be terminated, because otherwise he scans the whole network in a very
short time and the replies sent by my machines generate huge outbound
traffic. This happens in less than a minute and there is no way to do
all of this effectively by scanning the file from a process listed in
crontab...
Here is one record from the log file in question (one like this is appended
at its end after every detected scan):
*** Sat Jan 26 19:59:38 2002 - Sat Jan 26 19:59:38 2002
Plugin : HttpMod
Author : Yoann Vandoorselaere
Contact : yoann@xxxxxxxxxxxxxxxx
description : Snort based http decode plugin.
kind : May not be reliable
received : 3 times
message : ISS Unicode attack detected
Ether hdr : 0:60:47:1e:db:a5 -> 0:40:95:34:40:77 [ether_type=ip (2048)]
Ip hdr : 62.69.129.174 -> 62.44.103.58
[hl=20,version=4,tos=22,len=185,id=15992,ttl=108]
Tcp hdr : 1851 -> 80 [flags=PUSH ACK,seq=1437666823,ack=1541901214,win=17520]
Data hdr : size=145 bytes
Data hexadecimal dump follow :
47 45 54 20 2f 6d 73 61 64 63 2f 2e 2e 25 35 63 GET /msadc/..%5c
2e 2e 2f 2e 2e 25 35 63 2e 2e 2f 2e 2e 25 35 63 ../..%5c../..%5c
2f 2e 2e 35 35 2e 2e 2f 2e 2e 63 31 2e 2e 2f 2e /..55../..c1../.
2e 2f 2e 2e 2e 2f 77 69 6e 6e 74 2f 73 79 73 74 ./.../winnt/syst
65 6d 33 32 2f 63 6d 64 2e 65 78 65 3f 2f 63 2b em32/cmd.exe?/c+
64 69 72 20 48 54 54 50 2f 31 2e 30 0d 0a 48 6f dir HTTP/1.0..Ho
73 74 3a 20 77 77 77 0d 0a 43 6f 6e 6e 6e 65 63 st: www..Connnec
74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 0d 0a 6e tion: close....n
65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 0d ection: close...
0a .
The goal is to pull out the line beginning with Ip hdr, extract the first
IP address from it and pass it to IPTABLES/IPCHAINS
A solution of the kind:
$tail -f /log-file | grep "Ip hdr" | cut -d : -f2 | awk -F "->" '{print $1}'
doesn't work... If tail is replaced with cat everything is OK, but that way
the goal of scanning in real time isn't achieved...
Well, I hope someone has solved a similar problem anyway!
Regards
Vesselin
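Added example, not from the original post or the log tool it describes: a line-buffered replacement for the tail -f | grep | cut | awk chain above, with the address validated before it is handed to a firewall command. The log path in the usage comment is hypothetical; the "Ip hdr" line format is taken from the record quoted in the post.

```shell
#!/bin/sh
# Why the chain in the post stalls: when grep, cut and awk write to a pipe
# instead of a terminal, stdio switches them to block buffering (a few KiB),
# so their output only leaves once that much has accumulated. tail -f never
# closes the pipe, so the buffers are never flushed and the last stage sees
# nothing. With cat the file ends, the pipe closes, and everything flushes.
# awk's fflush() pushes each matching line through immediately instead.

# Print the source address of one "Ip hdr" line (the IP before the arrow).
# Assumed format, as in the post:  Ip hdr : 62.69.129.174 -> 62.44.103.58
extract_src_ip() {
    printf '%s\n' "$1" | awk -F'[: ]+' '/^Ip hdr/ { print $3 }'
}

# Accept only a well-formed dotted quad (four octets, each 0-255) before the
# value goes anywhere near iptables; a log line is data, not a trusted token.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Stream filter: read log lines on stdin, emit each source IP at once
# (fflush) and only once (seen[]), since "received : 3 times" alerts would
# otherwise add the same rule repeatedly.
src_ips_stream() {
    awk -F'[: ]+' '/^Ip hdr/ && !seen[$3]++ { print $3; fflush() }'
}

# Constructed sample: three records, the second repeating the first source.
SAMPLE_LOG='Ip hdr : 62.69.129.174 -> 62.44.103.58
Tcp hdr : 1851 -> 80 [flags=PUSH ACK,seq=1437666823,ack=1541901214,win=17520]
Ip hdr : 62.69.129.174 -> 62.44.103.58
Ip hdr : 10.0.0.7 -> 62.44.103.58'

# Real-time use (hypothetical log path; the firewall action is left as a
# comment so the script is safe to run as-is):
#   tail -F /var/log/example.log | src_ips_stream | while read -r ip; do
#       is_ipv4 "$ip" && iptables -I INPUT -s "$ip" -j DROP
#   done
printf '%s\n' "$SAMPLE_LOG" | src_ips_stream
```

The same buffering fix applies to the original chain if one prefers it: GNU grep has --line-buffered and the awk stage can call fflush(), but every intermediate stage must be made line-buffered, not just the last one.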
===========================================================================
A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers)
http://www.linux-bulgaria.org/ Hosted by Internet Group Ltd. - Stara Zagora