Re: lug-bg: tail -f | grep ... | cut ... | awk ...
- Subject: Re: lug-bg: tail -f | grep ... | cut ... | awk ...
- From: danchev@xxxxxxxxx (George Danchev)
- Date: Thu, 31 Jan 2002 16:44:23 +0200
On Thursday 31 January 2002 12:11, you wrote:
> Za da niama dvusmislie publikuvam celia problem.
>
> Edna programa zapisva v log-file scanirania na port 80 i dr, kato
> scanira paketite za loshi zaiavki, v tova chislo i za Code Red.
>
> Celta e slednata :
> V REALNO vreme da se sledi dobavenata vyv log-faila informacia
> ot tazi informacia da se izvazhda IP adres i da se dobavia v tablicata
> s pravila na IPTABLES/IPCHAINS. Zadalzhitelno e tova da stava v
> relano vreme.
>
> Znachi absoliutno siguren sym, che sega vseki shte mi kazhe da
> izpolzvam cat i da scaniram faila ot vreme na vreme... kazvam, che
> tova ne e reshenie i ne predpazva izobshto ot loshite zaiavki i t.n...
> Nuzhno oshte shtom byde zasechen IP adres na narushitelia da se
> prekratiava vryzkata s nego, zashtoto toi inache scanira za mnogo
> kratko vreme cialata mrezha i ot podadenite ot moi mashini otgovori
> se generira ogromen izhoden traffik. Tova stava za po-malko ot minuta
> i niama kak sas scanirane na faila inicializirano ot proces, opisan v
> crontab da se napravi vsichko efektivno...
>
> Eto vi sega edin zapis ot vyrposnia log-file (po edin takyv se pribavia
> v kraia mu sled vsiako ustanoveno scanirane):
>
> *** Sat Jan 26 19:59:38 2002 - Sat Jan 26 19:59:38 2002
> Plugin : HttpMod
> Author : Yoann Vandoorselaere
> Contact : yoann@xxxxxxxxxxxxxxxx
> description : Snort based http decode plugin.
> kind : May not be reliable
> received : 3 times
> message : ISS Unicode attack detected
>
> Ether hdr : 0:60:47:1e:db:a5 -> 0:40:95:34:40:77 [ether_type=ip (2048)]
> Ip hdr : 62.69.129.174 -> 62.44.103.58
> [hl=20,version=4,tos=22,len=185,id=15992,ttl=108]
> Tcp hdr : 1851 -> 80 [flags=PUSH ACK
> ,seq=1437666823,ack=1541901214,win=17520]
> Data hdr : size=145 bytes
>
> Data hexadecimal dump follow :
> 47 45 54 20 2f 6d 73 61 64 63 2f 2e 2e 25 35 63 GET /msadc/..%5c
> 2e 2e 2f 2e 2e 25 35 63 2e 2e 2f 2e 2e 25 35 63 ../..%5c../..%5c
> 2f 2e 2e 35 35 2e 2e 2f 2e 2e 63 31 2e 2e 2f 2e /..55../..c1../.
> 2e 2f 2e 2e 2e 2f 77 69 6e 6e 74 2f 73 79 73 74 ./.../winnt/syst
> 65 6d 33 32 2f 63 6d 64 2e 65 78 65 3f 2f 63 2b em32/cmd.exe?/c+
> 64 69 72 20 48 54 54 50 2f 31 2e 30 0d 0a 48 6f dir HTTP/1.0..Ho
> 73 74 3a 20 77 77 77 0d 0a 43 6f 6e 6e 6e 65 63 st: www..Connnec
> 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 0d 0a 6e tion: close....n
> 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 0d ection: close...
> 0a .
>
> Celta e da se izvleche reda zapochvash c Ip hdr, ottam da se izvadi pyrvia
> IP adres i da se podade na IPTABLES/IPCHAINS
>
> Reshenieto ot roda na:
>
> $tail -f /log-file | grep "Ip hdr" | cut -d : -f2 | awk -F "->" '{print
> $1}'
>
> ne raboti... Ako tail se zameni s cat vsichko e OK, no taka ne se postiga
> celta za scanirane v realno vreme...
ami osven v bezkrajniq cykul da namalish "sleep 0" , ili vyobste da mahnesh
sleep ..... togava ste skanirash t.k. non-stop, no pyk nqma da e mnogo
umno/uda4no da insertvash vseki pyt s iptables... mozhe da se pravi nekva
proverka ot sorta na:
#!/bin/bash
z=0;
while [ $z != 1 ] ; do
DIFF=`diff --brief log-file log-file.old`
if [ $DIFF = "Files log-file and log-file.old differ" ] ; then
cat log-file.log | grep "Ip hdr" | .....
cp log-file log-file.old
fi
done
t.e da insertvash s iptables ako naistina ima razlika v tekustiq i predishniq
log-file... tova e syvsem primerno i otgore otgore,i sigurno ima bugove :)
P.S. kazvashe mi baba edno vreme ... "U4i sine Perl u4i ... " :)
--
Greets,
fr33zb1
===========================================================================
A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers)
http://www.linux-bulgaria.org/ Hosted by Internet Group Ltd. - Stara Zagora
|