ProgrammingThis forum is for all programming questions.
The question does not have to be directly related to Linux and any language is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
#!/bin/bash
patterns=(
/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/
/HNAP1/
/prov/aastra.cfg
/f4bb336d/
/module/action/param1/\${@die\(md5\(HelloThinkPHP\)\)}
/App/\?content=die\(md5\(HelloThinkPHP\)\)
/editBlackAndWhiteList
/0015650000000.cfg
)
# you should fill that array with real patterns
somemagicnumber=3
# how many tests before you action
#TODO weight patterns score using associative array
GetIPs () {
sort -u < <(grep -Eo "[0-9]{1,3}(\.[0-9]{1,3}){3}" server.log )
}
CheckPatterns () {
IP=$1
matchcount=0
while read LOG
do
for P in "${Patterns[@]}"
do
[[ $LOG =~ $P ]] && ((matchcount++))
done
done < <(grep "$IP" server.log )
[[ $matchcount -gt $somemagicnumber ]] \
|| return 0 \
&& Action $IP
return $?
}
Action () {
IP=$1
echo do something based on $IP
return $?
}
while read IP
do
CheckPatterns $IP \
|| echo some error \
&& echo do something based on $IP
done < <( GetIPs )
all a bit sketchy, but you should get the idea
Edit, the returns in that code are scrappy
it should be easier to write if you have a clear plan of action based on what you do or don't find.
I think you are all messing it all up , the reason is because you are comparing all lines from 1 side to the other even if they all match , and i hust want the 1st one that matches , and after the match i want to retrieve from the match the variable 1 in awk from server.conf , witch will tell me what type of intrusion was detected .
The best way to do this is forgetting all the posts we did .
And concentrate on this one i am writing .
make a temporary directory somewhere and write all these files i will post here with their names in that directory .
#!/bin/bash
selip (){
for i in $(seq "$cntip")
do
rdip=$(sed -n ${i}p < iplist)
echo "$i - $rdip"
done
echo ""
echo "Choose an IP to check or write (exit) to quit "
echo -n "Choose from 1 to $cntip : "
read -r ip
if [[ "$ip" == "exit" ]]
then
exit 0
fi
if [[ -z "$ip" ]]
then
echo "Empty value detected"
sleep 3
clear
selip
fi
ckip=$(sed -n ${ip}p iplist)
gtdata=$(grep "$ckip" serverlog.tmp | awk '{print$7}' > tmpfile)
echo "Looking for a match in definitions"
rdln=$(wc -l tmpfile | awk '{print$1}')
if [[ "$rdln" -le "1" ]]
then
readata=$(sed -n 1p tmpfile)
match=$(grep "$readata" definition.conf | awk '{print$1}')
if [[ -z "$match" ]]
then
echo "No results were found"
exit 0
else
echo "Intrusion detected from $ckip was : $match"
exit 0
fi
fi
for i in $(seq "$rdln")
do
readata=$(sed -n ${i}p tmpfile)
match=$(grep "$readata" definition.conf | awk '{print$1}')
if [[ ! -z "$match" ]]
then
echo "Intrusion detected from $ckip was : $match"
exit 0
fi
done
echo "No results were found"
exit 0
}
rm iplist >/dev/null 2>&1
rm tmpfile >/dev/null 2>&1
echo "Checking ips in Log"
echo ""
var1=$(awk '{print$1}' serverlog.tmp | uniq > iplist)
cntip=$(wc -l iplist | awk '{print$1}')
selip
give execution permissions to scriptest and run it
NOTES
if you select the 1 then match was found because is exactly like it is in definition.conf
but despite the fact that option 2 and 3 in script exists also in definition.conf but are not exactly like , then it is not found .
Everyone now can run this example i wrote here to understand what i need .
Thank you firerat , it works very well .
I did some changes in the code to set user input , instead checking everything .
I can adapt the code now for whatever i need .
Code:
#!/bin/bash
CheckPatterns () {
IP=$1
while read LOG
do
for P in "${Patterns[@]}"
do
[[ ${LOG} =~ ${P#* } ]] && echo ${P% *} matches ${IP}
done
done < <(grep "$IP" serverlog.tmp )
return $?
}
echo -n "Write IP : "
read -r ipd
Patterns=()
while read foo
do
Patterns+=("${foo}")
done < definition.conf
while read IP
do
CheckPatterns $IP
done < <( echo "$ipd" )
Thank you firerat , it works very well .
I did some changes in the code to set user input , instead checking everything .
I can adapt the code now for whatever i need .
Code:
#!/bin/bash
CheckPatterns () {
IP=$1
while read LOG
do
for P in "${Patterns[@]}"
do
[[ ${LOG} =~ ${P#* } ]] && echo ${P% *} matches ${IP}
done
done < <(grep "$IP" serverlog.tmp )
return $?
}
echo -n "Write IP : "
read -r ipd
Patterns=()
while read foo
do
Patterns+=("${foo}")
done < definition.conf
while read IP
do
CheckPatterns $IP
done < <( echo "$ipd" )
yeah adapt ,, but EEEEK !!
UUOE !!
echo "$ipd"
just get rid of that while loop, and call teh check
Code:
#!/bin/bash
CheckPatterns () {
IP=$1
while read LOG
do
for P in "${Patterns[@]}"
do
[[ ${LOG} =~ ${P#* } ]] && echo ${P% *} matches ${IP}
done
done < <(grep "$IP" serverlog.tmp )
return $?
}
Patterns=()
while read foo
do
Patterns+=("${foo}")
done < definition.conf
echo -n "Write IP : "
read -r ipd
# TODO check to see if $ipd looks like a valid ip address
CheckPatterns $ipd
Creating a list of IP addresses to choose from requires reading the log file twice.
A bash script with what @Firerat might call a UUOP (Unnecessary use of pipe)
Code:
#!/bin/bash
IPs=$(cut -d" " -f1 server.log | sort -u)
PS3="Your choice (or Ctrl-C to quit): "
select myIP in $IPs; do
awk -f server.awk -v IP=$myIP server.conf server.log
done
Creating a list of IP addresses to choose from requires reading the log file twice.
A bash script with what @Firerat might call a UUOP (Unnecessary use of pipe)
Code:
#!/bin/bash
IPs=$(cut -d" " -f1 server.log | sort -u)
PS3="Your choice (or Ctrl-C to quit): "
select myIP in $IPs; do
awk -f server.awk -v IP=$myIP server.conf server.log
done
bless, I already showed you how to get IPs
Code:
GetIPs(){
sort -u < <(grep -Eo "[0-9]{1,3}(\.[0-9]{1,3}){3}" server.log
}
IPs=($(GetIPs))
PS3="Your choice (or Ctrl-C to quit): "
select myIP in "${IPs[@]}"; do
awk -f server.awk -v IP=$myIP server.conf server.log
done
#!/bin/bash
serverlog=serverlog.tmp.txt
definition=definition.conf.txt
GetSuspect () {
for P in "${Patterns[@]}"
do
grep "${P#* }" "${serverlog}"
done
}
Patterns=()
while read foo
do
Patterns+=("${foo}")
done < ${definition}
time ( GetSuspect | grep -Eo "[0-9]{1,3}(\.[0-9]{1,3}){3}" )
time ( GetSuspect )
it really depends on your data which is faster
if you process the log by IP you can break once you find a match
if you process the log by Pattern. you may turn up the same IP multiple times
Nop , there is no empty 1st line .
This is too much strange , i also downgraded grep version just to see if it was something with grep (just to test) , but it stays the same .
This code is pretty simple and effective for what i need , and now i cant use it !!??
This is too much bad luck for me .
I dont like to mess up repositories in my server , but i will try to upgrade bash from a different repository in another debian distribution to see how it works .
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
)
