
Re: lug-bg: tail -f | grep ... | cut ... | awk ...


  • Subject: Re: lug-bg: tail -f | grep ... | cut ... | awk ...
  • From: danchev@xxxxxxxxx (George Danchev)
  • Date: Thu, 31 Jan 2002 16:44:23 +0200



On Thursday 31 January 2002 12:11, you wrote:
> To avoid any ambiguity, I am posting the whole problem.
>
>    A program logs scans of port 80 and other ports to a log file, scanning
> the packets for bad requests, including Code Red.
>
>    The goal is the following:
>    To monitor, in REAL time, the information appended to the log file,
> extract the IP address from that information and add it to the
> IPTABLES/IPCHAINS rule table. This must happen in real time.
>
>    So I am absolutely sure that now everyone will tell me to use cat and
> scan the file from time to time... I am saying that this is not a solution
> and does not protect against the bad requests at all, etc...
> As soon as the intruder's IP address is detected, the connection with him
> has to be cut, because otherwise he scans the whole network in a very
> short time and the replies sent by my machines generate enormous outgoing
> traffic. This happens in less than a minute and there is no way to do all
> of this effectively by scanning the file from a process started from
> crontab...
>
>   Here is one record from the log file in question (one such record is
> appended to its end after each detected scan):
>
> *** Sat Jan 26 19:59:38 2002 - Sat Jan 26 19:59:38 2002
> Plugin  : HttpMod
> Author  : Yoann Vandoorselaere
> Contact : yoann@xxxxxxxxxxxxxxxx
> description     : Snort based http decode plugin.
> kind            : May not be reliable
> received        : 3 times
> message         : ISS Unicode attack detected
>
> Ether hdr : 0:60:47:1e:db:a5 -> 0:40:95:34:40:77 [ether_type=ip (2048)]
> Ip hdr    : 62.69.129.174 -> 62.44.103.58
> [hl=20,version=4,tos=22,len=185,id=15992,ttl=108]
> Tcp hdr   : 1851 -> 80 [flags=PUSH ACK
> ,seq=1437666823,ack=1541901214,win=17520]
> Data hdr  : size=145 bytes
>
> Data hexadecimal dump follow :
> 47 45 54 20   2f 6d 73 61   64 63 2f 2e   2e 25 35 63   GET /msadc/..%5c
> 2e 2e 2f 2e   2e 25 35 63   2e 2e 2f 2e   2e 25 35 63   ../..%5c../..%5c
> 2f 2e 2e 35   35 2e 2e 2f   2e 2e 63 31   2e 2e 2f 2e   /..55../..c1../.
> 2e 2f 2e 2e   2e 2f 77 69   6e 6e 74 2f   73 79 73 74   ./.../winnt/syst
> 65 6d 33 32   2f 63 6d 64   2e 65 78 65   3f 2f 63 2b   em32/cmd.exe?/c+
> 64 69 72 20   48 54 54 50   2f 31 2e 30   0d 0a 48 6f   dir HTTP/1.0..Ho
> 73 74 3a 20   77 77 77 0d   0a 43 6f 6e   6e 6e 65 63   st: www..Connnec
> 74 69 6f 6e   3a 20 63 6c   6f 73 65 0d   0a 0d 0a 6e   tion: close....n
> 65 63 74 69   6f 6e 3a 20   63 6c 6f 73   65 0d 0a 0d   ection: close...
> 0a                                                      .
>
> The goal is to extract the line beginning with Ip hdr, take the first
> IP address from it and pass it to IPTABLES/IPCHAINS
>
>   A solution of the kind:
>
>    $tail -f /log-file | grep "Ip hdr" | cut -d : -f2 | awk -F "->" '{print $1}'
>
> does not work... If tail is replaced with cat everything is OK, but that
> way the goal of scanning in real time is not achieved...

Well, apart from reducing "sleep 0" in the endless loop, or removing sleep
altogether ..... then you will be scanning non-stop, but it will not be very
smart/fortunate to insert with iptables every time... some check of this kind
could be done:

#!/bin/bash
z=0
# z is never changed, so this loops forever; that is the intent
while [ "$z" != 1 ] ; do

DIFF=`diff --brief log-file log-file.old`
# "$DIFF" has to be quoted: the message contains spaces and would
# otherwise be split into several words and break the test
if [ "$DIFF" = "Files log-file and log-file.old differ" ] ; then
# the rest of the pipeline is the one from the quoted message
grep "Ip hdr" log-file | cut -d : -f2 | awk -F "->" '{print $1}'
cp log-file log-file.old
fi
done

i.e. insert with iptables only if there really is a difference between the
current and the previous log file... this is purely illustrative and rough,
and surely has bugs :)

P.S. my grandmother used to tell me back in the day ... "Study Perl, son, study ..."  :)


-- 
Greets,
fr33zb1
===========================================================================
A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers)
http://www.linux-bulgaria.org/ Hosted by Internet Group Ltd. - Stara Zagora
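The following is an added example, not code from either poster: it follows the log line by line as it grows, pulls the source address out of the "Ip hdr" record shown in the question, and inserts a firewall rule only the first time an address appears (the duplicate-insert concern raised in the reply). The log path, the "seen" file and the iptables invocation are assumptions; the stdio buffering remark is a general property of grep/awk writing to a pipe, not something stated in the thread.

```shell
#!/bin/sh
# Added example, not from the original thread: react to new "Ip hdr" lines
# of the HttpMod-style log above as they are appended, and block each source
# address once. The log path and the "seen" file are assumed names.

BLOCK_CMD=${BLOCK_CMD:-"iptables -I INPUT -j DROP -s"}   # ipchains users: adjust
SEEN=${SEEN:-/var/tmp/blocked-ips.txt}                   # one address per line

# Print the first (source) address of an "Ip hdr : A -> B" line; nothing otherwise.
extract_src_ip() {
    printf '%s\n' "$1" | sed -n 's/^Ip hdr *: *\([0-9.][0-9.]*\) *->.*/\1/p'
}

# Accept only a well-formed dotted quad so nothing else ever reaches the firewall.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Insert a rule only the first time an address shows up (the reply's concern
# about calling iptables on every scan); returns 1 when it is already blocked.
block_once() {
    ip="$1"
    touch "$SEEN"
    grep -qxF "$ip" "$SEEN" && return 1
    $BLOCK_CMD "$ip" && printf '%s\n' "$ip" >> "$SEEN"
}

# Follow the file and handle each line in the shell loop. Reading with `read`
# avoids the stdio buffering that stalls `tail -f | grep | cut | awk` until a
# pipe buffer fills (GNU `grep --line-buffered` is the other way around it).
follow_and_block() {
    tail -n 0 -f "$1" | while IFS= read -r line; do
        ip=$(extract_src_ip "$line")
        if [ -n "$ip" ] && valid_ipv4 "$ip"; then
            block_once "$ip" || :   # already blocked: nothing to do
        fi
    done
}

# Start it with:  follow_and_block /path/to/log-file   (as root, for iptables)
```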




 
