Help Parsing Log files

blacky777 · 04-18-2004, 01:59 AM

Hello, I am looking for advice on how to parse my log files. I want to get the IPAddresses and the ports their scanning. I dont quite understand GREP or SED enough on how to parse the various IP and Port Numbers in Linux.

Anyone Advice?

Thanks

unSpawn · 04-18-2004, 04:14 AM

I am looking for advice on how to parse my log files.
What logfiles? Portscanning usually means a group of ports covered over a period of time by one or multiple IP addresses. Manual correllation will be tedious and prolly errorprone. If you want to see a lot of interesting details use Snort's portscan detection, else search Freshmeat for something simple like PSAD, ippl or portsentry.

blacky777 · 04-18-2004, 01:57 PM

Just my message logfiles. I see hits from certain IP Addresses and wanted to filter them down to their IP Address and What Port their Sniffing For.

acid_kewpie · 04-18-2004, 03:55 PM

well yes so you need to use a text processing language / app like grep or sed or perl or awk to do this... off the top of my head i couldn't guess what your log files look like.....

unSpawn · 04-18-2004, 04:14 PM

Check out tools like Fwlogwatch.

vladdy2004 · 04-20-2004, 07:49 AM

How would one Grep for just the IP Addresses?

unSpawn · 04-21-2004, 01:06 PM

How would one Grep for just the IP Addresses?
Should show the remote IP and local destination port for all of today's incoming traffic destined for this box:
d=$(date '+%b %e'); ipaddr=$(hostname -i)
grep /var/log/messages -ie "${d}.*kernel:.*DST=$ipaddr"\
|tr -s " "|cut -d " " -f 10,18|sed -e "s/D..=//g"