LinuxQuestions.org
Old 09-18-2007, 01:05 AM   #1
crackyblue
LQ Newbie
 
Registered: Sep 2007
Posts: 25

Rep: Reputation: 15
Blocking IPs log from honeyd


Hi, I just wanted to ask where I could get a script or similar that can parse honeyd logs that contain the IP addresses detected probing. The honeyd.log has these entries.

2007-09-18-06:10:23.4563 tcp(6) - 81.56.254.187 49857 xxx.xxx.xxx.xxx 9887: 60 S [Linux 2.6 ]
2007-09-18-06:20:39.7773 tcp(6) - 64.53.140.163 47515 xx.xxx.xxx.xxx 9887: 60 S [Linux 2.6 ]
2007-09-18-06:21:52.4131 udp(17) - 153.104.74.95 30811 xxx.xxx.xxx.xxx 1026: 394
2007-09-18-06:40:30.1793 tcp(6) - 81.56.254.187 58448 xxx.xxx.xxx.xxx 9887: 60 S [Linux 2.6 ]
2007-09-18-06:46:16.9606 udp(17) - 222.161.2.9 54614 xxx.xxx.xxx.xxx 1027: 921
........ snippets ........

I know this could be done with bash scripts or perl scripts, but I'm no programmer.. sorry...


Thanks in advance.
 
Old 09-19-2007, 10:28 AM   #2
HappyTux
Senior Member
 
Registered: Mar 2003
Location: Nova Scotia, Canada
Distribution: Debian AMD64
Posts: 3,513

Rep: Reputation: 62
I just copied your output to a test file and something like the below should get you the IPs.

Code:
$ grep - test.txt | cut -d " " -f4
81.56.254.187
64.53.140.163
153.104.74.95
81.56.254.187
222.161.2.9
Try it using the honeyd log in place of test.txt and see what it says; you should get similar output to what I did.
 
Old 09-19-2007, 07:26 PM   #3
crackyblue
LQ Newbie
 
Registered: Sep 2007
Posts: 25

Original Poster
Rep: Reputation: 15
Thank you so much for that one, I never thought it would be that simple. I should get a bash book to ease some of my administration tasks a bit. Anyway, I took on the manual task of deleting duplicate entries and put them somewhere in the iptables script file, where the previous administrator has a script that reads IPs from a file. So for my last question: is it OK to have duplicates in the iptables firewall, and does iptables performance get cranky when that file gets bigger? (In my perception, yes.)

Again TIA.
 
Old 09-19-2007, 10:07 PM   #4
HappyTux
Senior Member
 
Registered: Mar 2003
Location: Nova Scotia, Canada
Distribution: Debian AMD64
Posts: 3,513

Rep: Reputation: 62
If it was setting exactly the same IP then it would not be a duplicate; you would just be overwriting the existing rule. And it is probably to be expected performance-wise: the larger the file, the more rules everything has to pass through, so it takes more time to do it.
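The two answers above (extract the source IPs with grep/cut, then keep the blocklist free of duplicates before feeding it to iptables) can be combined in one small script. The following is an added example, not code from this thread, from honeyd or from the poster's iptables script. It assumes the honeyd.log layout shown in the first post: packet lines have "-" as the third whitespace-separated field and the probing source IP as the fourth, and the function names (extract_ips, merge_blocklist, emit_rules) are the example's own. The sample log embedded in it is the thread's five lines with the two wrapped lines re-joined.

```shell
#!/bin/sh
# Added example, not code from this thread or from honeyd.
# Assumes the honeyd.log layout shown in the first post: packet lines have
# "-" as the third whitespace-separated field and the probing source IP as
# the fourth field, e.g.
#   2007-09-18-06:10:23.4563 tcp(6) - 81.56.254.187 49857 <dst> 9887: 60 S [Linux 2.6 ]

# Constructed sample log: the thread's five lines with the two wrapped lines
# re-joined (the destination IP is masked as in the post).
SAMPLE_LOG='2007-09-18-06:10:23.4563 tcp(6) - 81.56.254.187 49857 xxx.xxx.xxx.xxx 9887: 60 S [Linux 2.6 ]
2007-09-18-06:20:39.7773 tcp(6) - 64.53.140.163 47515 xx.xxx.xxx.xxx 9887: 60 S [Linux 2.6 ]
2007-09-18-06:21:52.4131 udp(17) - 153.104.74.95 30811 xxx.xxx.xxx.xxx 1026: 394
2007-09-18-06:40:30.1793 tcp(6) - 81.56.254.187 58448 xxx.xxx.xxx.xxx 9887: 60 S [Linux 2.6 ]
2007-09-18-06:46:16.9606 udp(17) - 222.161.2.9 54614 xxx.xxx.xxx.xxx 1027: 921'

# extract_ips: read honeyd log lines on stdin, print each distinct source IP once.
# Only packet lines (third field "-") whose fourth field looks like a dotted
# quad are used, so honeyd's own status messages cannot slip into the list.
extract_ips() {
    awk '$3 == "-" && $4 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $4 }' | sort -u
}

# merge_blocklist EXISTING NEW: print the union of two one-IP-per-line files
# with duplicates and non-IP lines removed, ready to replace EXISTING.
merge_blocklist() {
    cat "$1" "$2" | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' | sort -u
}

# emit_rules BLOCKLIST [CHAIN]: print one iptables DROP rule per unique IP.
# The rules are printed rather than executed so they can be reviewed first;
# "iptables -A" appends an identical rule a second time without complaint,
# which is why the deduplication happens here, in the file, before any rule is added.
emit_rules() {
    chain=${2:-INPUT}
    sort -u "$1" | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' |
    while read -r ip; do
        printf 'iptables -A %s -s %s -j DROP\n' "$chain" "$ip"
    done
}

# Demonstration on the constructed sample: unique IPs, then the rules they would produce.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_LOG" | extract_ips > "$tmp"
    echo "# unique probing IPs:"
    cat "$tmp"
    echo "# rules that would be added:"
    emit_rules "$tmp"
    rm -f "$tmp"
}
demo
```

Run it with the real log by replacing the sample, e.g. `extract_ips < /var/log/honeyd.log > new-ips.txt`, then `merge_blocklist blocklist.txt new-ips.txt > blocklist.new` and review `emit_rules blocklist.new` before applying anything. Because iptables walks a flat chain rule by rule, a long blocklist does cost a lookup per packet for every rule above the first match, as HappyTux says; keeping the list deduplicated is the cheapest way to keep that chain as short as it needs to be.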