LinuxQuestions.org
Old 10-17-2019, 04:09 PM   #31
Firerat
Senior Member
 
Registered: Oct 2008
Distribution: Debian sid
Posts: 2,630

Rep: Reputation: 749

Run it like this:

Code:
bash -x ./scriptest
 
Old 10-17-2019, 05:21 PM   #32
pedropt
Member
 
Registered: Aug 2014
Distribution: Devuan
Posts: 250

Original Poster
Rep: Reputation: Disabled
Code:
+ Patterns=()
+ read foo
+ Patterns+=("${foo}")
+ read foo
+ Patterns+=("${foo}")
+ read foo
+ Patterns+=("${foo}")
+ read foo
+ Patterns+=("${foo}")
+ read foo
+ Patterns+=("${foo}")
+ read foo
+ Patterns+=("${foo}")
+ read foo
+ Patterns+=("${foo}")
+ read foo
+ Patterns+=("${foo}")
+ read foo
+ Patterns+=("${foo}")
+ read foo
+ Patterns+=("${foo}")
+ read foo
+ Patterns+=("${foo}")
+ read foo
+ Patterns+=("${foo}")
+ read foo
+ Patterns+=("${foo}")
+ read foo
+ Patterns+=("${foo}")
+ read foo
+ Patterns+=("${foo}")
+ read foo
+ Patterns+=("${foo}")
+ read foo
+ Patterns+=("${foo}")
+ read foo
+ Patterns+=("${foo}")
+ read foo
+ echo -n 'Write IP : '
Write IP : + read -r ipd
11.11.11.11
+ CheckPatterns 11.11.11.11
+ IP=11.11.11.11
+ read LOG
 
Old 10-17-2019, 05:21 PM   #33
pedropt
Member
 
Registered: Aug 2014
Distribution: Devuan
Posts: 250

Original Poster
Rep: Reputation: Disabled
Code:
++ grep 11.11.11.11 serverlog.tmp
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:04 +0100] "GET /TP/public/index.php HTTP/1.1" 404 143 "-" =~      HNAP1/ ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:04 +0100] "GET /TP/public/index.php HTTP/1.1" 404 143 "-" =~    elrekt.php ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:04 +0100] "GET /TP/public/index.php HTTP/1.1" 404 143 "-" =~    TP/html/public/index.php ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:04 +0100] "GET /TP/public/index.php HTTP/1.1" 404 143 "-" =~    /thinkphp/html/public/index.php ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:04 +0100] "GET /TP/public/index.php HTTP/1.1" 404 143 "-" =~    phppma/index.php ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:04 +0100] "GET /TP/public/index.php HTTP/1.1" 404 143 "-" =~   000000000000.cfg ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:04 +0100] "GET /TP/public/index.php HTTP/1.1" 404 143 "-" =~   0015650000000.cfg ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:04 +0100] "GET /TP/public/index.php HTTP/1.1" 404 143 "-" =~    secure/ContactAdministrators!default.jspa ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:04 +0100] "GET /TP/public/index.php HTTP/1.1" 404 143 "-" =~      module/action/param1/${@die(md5(HelloThinkPHP))} ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:04 +0100] "GET /TP/public/index.php HTTP/1.1" 404 143 "-" =~    /UPnP/IGD.xml ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:04 +0100] "GET /TP/public/index.php HTTP/1.1" 404 143 "-" =~         ?routestring=ajax/render/widget_php ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:04 +0100] "GET /TP/public/index.php HTTP/1.1" 404 143 "-" =~  /prov/y000000000007.cfg ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:04 +0100] "GET /TP/public/index.php HTTP/1.1" 404 143 "-" =~    mnt/custom/ProductDefinition ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:04 +0100] "GET /TP/public/index.php HTTP/1.1" 404 143 "-" =~     mstshash=Administr ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:04 +0100] "GET /TP/public/index.php HTTP/1.1" 404 143 "-" =~   /vtigercrm/vtigerservice.php ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:04 +0100] "GET /TP/public/index.php HTTP/1.1" 404 143 "-" =~   /etc/passwd?/dana/html5acc/guacamole/ ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:04 +0100] "GET /TP/public/index.php HTTP/1.1" 404 143 "-" =~  /osm/report/ ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:04 +0100] "GET /TP/public/index.php HTTP/1.1" 404 143 "-" =~     routestring=profile/upload-profilepicture ]]
+ read LOG
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /TP/index.php HTTP/1.1" 404 143 "-" =~      HNAP1/ ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /TP/index.php HTTP/1.1" 404 143 "-" =~    elrekt.php ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /TP/index.php HTTP/1.1" 404 143 "-" =~    TP/html/public/index.php ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /TP/index.php HTTP/1.1" 404 143 "-" =~    /thinkphp/html/public/index.php ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /TP/index.php HTTP/1.1" 404 143 "-" =~    phppma/index.php ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /TP/index.php HTTP/1.1" 404 143 "-" =~   000000000000.cfg ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /TP/index.php HTTP/1.1" 404 143 "-" =~   0015650000000.cfg ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /TP/index.php HTTP/1.1" 404 143 "-" =~    secure/ContactAdministrators!default.jspa ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /TP/index.php HTTP/1.1" 404 143 "-" =~      module/action/param1/${@die(md5(HelloThinkPHP))} ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /TP/index.php HTTP/1.1" 404 143 "-" =~    /UPnP/IGD.xml ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /TP/index.php HTTP/1.1" 404 143 "-" =~         ?routestring=ajax/render/widget_php ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /TP/index.php HTTP/1.1" 404 143 "-" =~  /prov/y000000000007.cfg ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /TP/index.php HTTP/1.1" 404 143 "-" =~    mnt/custom/ProductDefinition ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /TP/index.php HTTP/1.1" 404 143 "-" =~     mstshash=Administr ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /TP/index.php HTTP/1.1" 404 143 "-" =~   /vtigercrm/vtigerservice.php ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /TP/index.php HTTP/1.1" 404 143 "-" =~   /etc/passwd?/dana/html5acc/guacamole/ ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /TP/index.php HTTP/1.1" 404 143 "-" =~  /osm/report/ ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /TP/index.php HTTP/1.1" 404 143 "-" =~     routestring=profile/upload-profilepicture ]]
+ read LOG
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /thinkphp/html/public/index.php HTTP/1.1" =~      HNAP1/ ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /thinkphp/html/public/index.php HTTP/1.1" =~    elrekt.php ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /thinkphp/html/public/index.php HTTP/1.1" =~    TP/html/public/index.php ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /thinkphp/html/public/index.php HTTP/1.1" =~    /thinkphp/html/public/index.php ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /thinkphp/html/public/index.php HTTP/1.1" =~    phppma/index.php ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /thinkphp/html/public/index.php HTTP/1.1" =~   000000000000.cfg ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /thinkphp/html/public/index.php HTTP/1.1" =~   0015650000000.cfg ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /thinkphp/html/public/index.php HTTP/1.1" =~    secure/ContactAdministrators!default.jspa ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /thinkphp/html/public/index.php HTTP/1.1" =~      module/action/param1/${@die(md5(HelloThinkPHP))} ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /thinkphp/html/public/index.php HTTP/1.1" =~    /UPnP/IGD.xml ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /thinkphp/html/public/index.php HTTP/1.1" =~         ?routestring=ajax/render/widget_php ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /thinkphp/html/public/index.php HTTP/1.1" =~  /prov/y000000000007.cfg ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /thinkphp/html/public/index.php HTTP/1.1" =~    mnt/custom/ProductDefinition ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /thinkphp/html/public/index.php HTTP/1.1" =~     mstshash=Administr ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /thinkphp/html/public/index.php HTTP/1.1" =~   /vtigercrm/vtigerservice.php ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /thinkphp/html/public/index.php HTTP/1.1" =~   /etc/passwd?/dana/html5acc/guacamole/ ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /thinkphp/html/public/index.php HTTP/1.1" =~  /osm/report/ ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /thinkphp/html/public/index.php HTTP/1.1" =~     routestring=profile/upload-profilepicture ]]
+ read LOG
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /html/public/index.php HTTP/1.1" 404 143 =~      HNAP1/ ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /html/public/index.php HTTP/1.1" 404 143 =~    elrekt.php ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /html/public/index.php HTTP/1.1" 404 143 =~    TP/html/public/index.php ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /html/public/index.php HTTP/1.1" 404 143 =~    /thinkphp/html/public/index.php ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /html/public/index.php HTTP/1.1" 404 143 =~    phppma/index.php ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /html/public/index.php HTTP/1.1" 404 143 =~   000000000000.cfg ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /html/public/index.php HTTP/1.1" 404 143 =~   0015650000000.cfg ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /html/public/index.php HTTP/1.1" 404 143 =~    secure/ContactAdministrators!default.jspa ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /html/public/index.php HTTP/1.1" 404 143 =~      module/action/param1/${@die(md5(HelloThinkPHP))} ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /html/public/index.php HTTP/1.1" 404 143 =~    /UPnP/IGD.xml ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /html/public/index.php HTTP/1.1" 404 143 =~         ?routestring=ajax/render/widget_php ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /html/public/index.php HTTP/1.1" 404 143 =~  /prov/y000000000007.cfg ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /html/public/index.php HTTP/1.1" 404 143 =~    mnt/custom/ProductDefinition ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /html/public/index.php HTTP/1.1" 404 143 =~     mstshash=Administr ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /html/public/index.php HTTP/1.1" 404 143 =~   /vtigercrm/vtigerservice.php ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /html/public/index.php HTTP/1.1" 404 143 =~   /etc/passwd?/dana/html5acc/guacamole/ ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /html/public/index.php HTTP/1.1" 404 143 =~  /osm/report/ ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /html/public/index.php HTTP/1.1" 404 143 =~     routestring=profile/upload-profilepicture ]]
+ read LOG
+ return 1
I think the problem is that the script is not reading the definition.conf file, so there is nothing to compare.

Last edited by pedropt; 10-17-2019 at 05:28 PM.
 
Old 10-17-2019, 05:35 PM   #34
pedropt
Member
 
Registered: Aug 2014
Distribution: Devuan
Posts: 250

Original Poster
Rep: Reputation: Disabled
I changed the name of the file "definition.conf" to "def.conf" and ran the script to see if an error appeared for the missing file, and it misses it.

Quote:
root@mail:/temp# mv definition.conf def.conf
root@mail:/temp# ./scriptest
./scriptest: line 18: definition.conf: No such file or directory
So now we know that the problem here is that the patterns are not being read from the file, despite the fact that the code written is to do exactly that, and the loop reads 18 times, which is the number of lines in that file.

Last edited by pedropt; 10-17-2019 at 05:36 PM.
 
Old 10-17-2019, 05:37 PM   #35
Firerat
Senior Member
 
Registered: Oct 2008
Distribution: Debian sid
Posts: 2,630

Rep: Reputation: 749
something odd with the definition.conf

this is from mine ( which was copy pasta from this forum )
notice the white space after =~
Code:
++ grep 11.11.11.11 serverlog.tmp.txt
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:04 +0100] "GET /TP/public/index.php HTTP/1.1" 404 143 "-" =~ HNAP1/ ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:04 +0100] "GET /TP/public/index.php HTTP/1.1" 404 143 "-" =~ elrekt.php ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:04 +0100] "GET /TP/public/index.php HTTP/1.1" 404 143 "-" =~ TP/html/public/index.php ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:04 +0100] "GET /TP/public/index.php HTTP/1.1" 404 143 "-" =~ /thinkphp/html/public/index.php ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:04 +0100] "GET /TP/public/index.php HTTP/1.1" 404 143 "-" =~ phppma/index.php ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:04 +0100] "GET /TP/public/index.php HTTP/1.1" 404 143 "-" =~ 000000000000.cfg ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:04 +0100] "GET /TP/public/index.php HTTP/1.1" 404 143 "-" =~ 0015650000000.cfg ]]
+ for P in "${Patterns[@]}"
+ [[ 11.11.11.11 - - [00/Oct/2019:07:38:04 +0100] "GET /TP/public/index.php HTTP/1.1" 404 143 "-" =~ secure/ContactAdministrators!default.jspa ]]
I assume your definition.conf has tabs in it ( or lots of spaces )

I split the options cheaply using ${P#* }
which removes everything up to and including the first space

you could try ${P##* } which will remove everything up to and including the last space

Really I need the raw file so I can deal with the white space

or, output of

Code:
cat -A definition.conf
 
2 members found this post helpful.
Old 10-17-2019, 05:53 PM   #36
Firerat
Senior Member
 
Registered: Oct 2008
Distribution: Debian sid
Posts: 2,630

Rep: Reputation: 749
another option is to read the definition.conf into an array
and put it back as a single element with space as sep

Code:
Patterns=()
# read -a splits the line on IFS whitespace (a tab or any run of spaces);
# "${foo[*]}" joins the fields back with one space, so ${P#* } works again
while read -r -a foo
do
    Patterns+=("${foo[*]}")
done < "${definition}"
all a bit hacky


Edit:
if you don't actually care about the "type" , you could just ditch the first field

Code:
Patterns=()
# keep only field 1 (the pattern); field 0 is the "type"
while read -r -a foo
do
    Patterns+=("${foo[1]}")
done < "${definition}"
tabs and spaces will split the line into two elements; the first field (0 in a bash array) is the "type" and the second field (1 in a bash array) is the pattern

Last edited by Firerat; 10-17-2019 at 06:21 PM.
 
1 members found this post helpful.
Old 10-17-2019, 06:15 PM   #37
pedropt
Member
 
Registered: Aug 2014
Distribution: Devuan
Posts: 250

Original Poster
Rep: Reputation: Disabled
Yes my friend, you are really a pro at programming and at detecting problems in code.
You are right, I just left 1 single space between the intrusion detection and the lines to compare, and now it works perfectly.

https://i.postimg.cc/RZNKXPqZ/defedited.jpg

However, what was stranger to me was the fact that on 1 system it worked perfectly, and on the server this problem popped up!! This is the reason why some posts before I told you that the code did not work, and you posted your files here.

Now I know what the problem is, but I will never understand why on my local station it works perfectly without changing anything in definition.conf.

Anyway, thank you again, and thank you for your patience in this thread.
 
Old 10-17-2019, 06:39 PM   #38
Firerat
Senior Member
 
Registered: Oct 2008
Distribution: Debian sid
Posts: 2,630

Rep: Reputation: 749
I did upload the one I was using; that will explain it.
I copied it from post #18, it was in a quoted text box, which trims white space.
I should have quoted the post and copied the "raw" text,
but tbh I don't recall noting it was a quote box and not a code box.

btw you still need to fix those patterns:
things like |?()*[]+ have special meaning in regular expressions
 
1 members found this post helpful.
Old 10-18-2019, 02:59 PM   #39
pedropt
Member
 
Registered: Aug 2014
Distribution: Devuan
Posts: 250

Original Poster
Rep: Reputation: Disabled
Firerat, I have a last question, and I am asking it because I have difficulties understanding your code.

If the server log were like this:

Quote:
/TP/public/index.php
/TP/index.php
/thinkphp/html/public/index.php
/html/public/index.php
../../mnt/custom/ProductDefinition
/.well-known/keybase.txt
"\x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr"
What changes in the code would be needed to do the same job, based on this next code of yours,
or does it make no difference?


Code:
CheckPatterns () {
IP=$1
while read -r LOG
do
        for P in "${Patterns[@]}"
        do
                # ${P#* } = text after the first space (the pattern, used as an ERE)
                # ${P% *} = text before the last space (the "type")
                [[ ${LOG} =~ ${P#* } ]] && echo "${P% *} matches ${ipd}"
        done
done < <(grep "$IP" serverlog.tmp )

# $? here is the status of the last [[ ]] test, not "any pattern matched"
return $?
}
Patterns=()
while read -r foo
do
        Patterns+=("${foo}")
done < definition.conf

echo -n "Write IP : "
read -r ipd
# TODO check to see if $ipd looks like a valid ip address

CheckPatterns "$ipd"
 
Old 10-18-2019, 03:11 PM   #40
Firerat
Senior Member
 
Registered: Oct 2008
Distribution: Debian sid
Posts: 2,630

Rep: Reputation: 749
well, you have no IP


why are you testing?

we are loading the test patterns into an array

Code:
Patterns=()
while read -r foo
do
        Patterns+=("${foo}")
done < definition.conf
that is just the same


this fails with your new serverlog.tmp,
as it has no IP
Code:
CheckPatterns () {
IP=$1
while read -r LOG
do
        for P in "${Patterns[@]}"
        do
                [[ ${LOG} =~ ${P#* } ]] && echo "${P% *} matches ${ipd}"
        done
done < <(grep "$IP" serverlog.tmp )

return $?
}


this "fixes" it
Code:
CheckPatterns () {
while read -r LOG
do
        for P in "${Patterns[@]}"
        do
                [[ ${LOG} =~ ${P#* } ]] && echo "${P% *} matches ${LOG}"
        done
done < serverlog.tmp

return $?
}
but it is useless as you don't have any IP to action
 
Old 10-18-2019, 03:19 PM   #41
Firerat
Senior Member
 
Registered: Oct 2008
Distribution: Debian sid
Posts: 2,630

Rep: Reputation: 749
or am I just confused?

is this new "layout" the patterns you search for ?

if it is, then you need to change

${P#* } to ${P}

as one
Code:
"\x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr"
has a space in it

where are you getting these patterns from?

I'm half convinced they are real patterns as they are, but I do get confused with all the various forms of regexp.
 
Old 10-18-2019, 03:39 PM   #42
pedropt
Member
 
Registered: Aug 2014
Distribution: Devuan
Posts: 250

Original Poster
Rep: Reputation: Disabled
In the definitions file it is only: mstshash=Administr
The server log will contain all those encoded chars.

So basically we are searching for this string "mstshash=Administr" in a file that also contains this line "\x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr", but that file from the server log also contains all the others in my previous post, so with this new change from ${P#* } to ${P}, I hope it does not interfere with all the other searches not related to this line.

Despite the fact that in your code we implemented the prompt for an IP, in fact in the script where this will work, the IP is already in a variable in memory.

This next code belongs to the real script I have here; it is just the small part where that code will work.
Basically what I am doing here to save time is to grab all entries from that IP into a single file called "ipres", and then I run your code to see if any of the entries from ipres matches the definition file; in case something pops up, I fill a new variable called epl. Later in the code, if that variable from your code is empty, then it means that nothing was found.

Code:
CheckPatterns () {
IP=$1
while read -r LOG
do
    for P in "${Patterns[@]}"
    do
        # pattern = text after the first space, type = text before the last space
        [[ ${LOG} =~ ${P#* } ]] && epl=${P% *}
    done
done < <(grep "$IP" "$path/ipres" )

return $?
}

function autochk(){
deffile="/def/definition.conf"
epl=""                      # reset, otherwise a match from a previous IP lingers
rm -f "$path/ipres"
echo ""
echo -ne "* - Grabbing IP from all services logs..."
# only stderr is discarded: a second ">/dev/null" after "> $path/ipres" would
# send stdout to /dev/null instead and leave ipres empty
grep "$ip" "$logmail"  >  "$path/ipres" 2>/dev/null
grep "$ip" "$logmail1" >> "$path/ipres" 2>/dev/null
grep "$ip" "$loghttp"  | awk '{print $7}' >> "$path/ipres" 2>/dev/null
grep "$ip" "$loghttps" | awk '{print $7}' >> "$path/ipres" 2>/dev/null
if [[ -s "$path/ipres" ]]
then
Patterns=()
# keep the whole "type pattern" line, as CheckPatterns expects;
# read -a with "${foo}" would keep only the first field (the type)
while read -r foo
do
    Patterns+=("${foo}")
done < "$deffile"
CheckPatterns "$ip"
echo "Done"
echo ""
if [[ -z "$epl" ]]
then
echo "No pattern from the definitions was found"
echo "Check all ip logs found in $path/ipres"
sleep 4
fi
else
echo "There is no logged information for $ip , probably a port scan"
fi

}
 
Old 10-18-2019, 03:57 PM   #43
Firerat
Senior Member
 
Registered: Oct 2008
Distribution: Debian sid
Posts: 2,630

Rep: Reputation: 749
this is where I remember everything is fragmented again.

this is just a small cog in a much bigger machine

the patterns should be regular expressions,
something I have hinted at, but you seem to keep ignoring that.

you need to work on the definitions.conf file and make sure they are regular expressions

I hacked that definitions.conf into an array; that code needs to be cleaned up

you say you wanted to fix the script after changing the server log,
but to me it looks like you changed the definition.conf
 
Old 10-18-2019, 04:02 PM   #44
Firerat
Senior Member
 
Registered: Oct 2008
Distribution: Debian sid
Posts: 2,630

Rep: Reputation: 749
stop


Code:
grep "$ip" $loghttp | awk '{print$7}'
sloppy code


better
Code:
# pass the IP in with -v and match it as a plain string, so its dots are
# not regex metacharacters and no quoting of $ip inside the awk program is needed
<"${loghttp}" awk -v ip="$ip" 'index($0, ip) { print $7 }'


you need to re-write everything
after reading

https://mywiki.wooledge.org/BashGuide
and
https://www.tldp.org/LDP/Bash-Beginners-Guide/html/

Last edited by Firerat; 10-18-2019 at 04:03 PM. Reason: missing '
 
Old 10-18-2019, 04:49 PM   #45
MadeInGermany
Senior Member
 
Registered: Dec 2011
Location: Simplicity
Posts: 1,227

Rep: Reputation: 561
Better change the test to
Code:
  [[ ${LOG} =~ "${P#* }" ]]
The ${P#* } should be in quotes to become a literal string;
otherwise it is an ERE with special characters.
Even better:
Code:
  [[ ${LOG} == *"${P#* }"* ]]
The == glob match is a "full line" match, so needs to be surrounded by * (any characters).

Likewise, change to fgrep or grep -F to search for a string rather than a BRE:
Code:
 fgrep "$IP" serverlog.tmp
 
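An added example (not Firerat's, pedropt's or MadeInGermany's code) that ties together post #36 (the definitions file may separate type and pattern with a tab or a run of spaces), post #44 (select the IP's lines without a regex) and post #45 (match each pattern as a literal string, not as an ERE) in one runnable script. Everything in it is constructed for the example: the type names in the definitions file, the log lines (built from paths that appear in this thread), the temp-file layout, and the `is_ipv4` check that fills the TODO left in the script in post #39.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread. Reads a "type<whitespace>pattern"
# definitions file whether the separator is a tab or several spaces, picks one
# client's lines out of an access log, and matches each pattern as a literal
# substring so regex metacharacters in the pattern are harmless.

# --- constructed input -------------------------------------------------------

# Definitions file: type, then pattern, separated by a tab or a run of spaces.
# The patterns come from the thread's definition.conf; the types are assumed.
DEF_FILE=$(mktemp)
printf '%s\n' \
    $'ThinkPHP\t/thinkphp/html/public/index.php' \
    'ThinkPHP      module/action/param1/${@die(md5(HelloThinkPHP))}' \
    $'DLink\tHNAP1/' \
    $'RDP\t\tmstshash=Administr' \
    '# comment lines and blank lines are skipped' \
    '' \
    'Traversal   /etc/passwd?/dana/html5acc/guacamole/' > "$DEF_FILE"

# Access-log lines in the combined format shown in the thread's bash -x trace.
LOG_FILE=$(mktemp)
printf '%s\n' \
    '11.11.11.11 - - [00/Oct/2019:07:38:04 +0100] "GET /TP/public/index.php HTTP/1.1" 404 143 "-"' \
    '11.11.11.11 - - [00/Oct/2019:07:38:05 +0100] "GET /thinkphp/html/public/index.php HTTP/1.1" 404 143 "-"' \
    '11.11.11.11 - - [00/Oct/2019:07:38:06 +0100] "\x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr" 400 0 "-"' \
    '111.11.11.111 - - [00/Oct/2019:07:39:00 +0100] "GET /HNAP1/ HTTP/1.1" 404 143 "-"' \
    '22.22.22.22 - - [00/Oct/2019:07:40:00 +0100] "GET /index.html HTTP/1.1" 200 512 "-"' > "$LOG_FILE"
trap 'rm -f "$DEF_FILE" "$LOG_FILE"' EXIT

# --- functions ---------------------------------------------------------------

# load_patterns <file>: fill the parallel arrays TYPES and PATTERNS.
# `read -r type pattern` splits on IFS whitespace and collapses runs of it, so a
# tab, two tabs or ten spaces all work; `pattern`, being the last variable,
# keeps any spaces inside the pattern itself. Inspect a suspect file with cat -A.
load_patterns() {
    TYPES=() PATTERNS=()
    local type pattern
    while IFS=$' \t' read -r type pattern; do
        [[ -z $type || $type == \#* || -z $pattern ]] && continue
        TYPES+=("$type")
        PATTERNS+=("$pattern")
    done < "$1"
}

# is_ipv4 <string>: a dotted quad with every octet in 0-255 (the TODO in the
# thread's script). Validate before the value is used to search logs.
is_ipv4() {
    local octet='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
    local re="^${octet}[.]${octet}[.]${octet}[.]${octet}\$"
    [[ $1 =~ $re ]]
}

# lines_for_ip <ip> <logfile>: whole log lines whose client field equals <ip>.
# String equality on $1, not a regex and not a substring: "11.11.11.11" must not
# pick up 111.11.11.111, and a dot must not match any character. The whole line
# is kept because `awk '{print $7}'` would cut the mstshash request at its space.
lines_for_ip() {
    awk -v ip="$1" '$1 == ip' "$2"
}

# check_ip <ip> <logfile>: print "type<TAB>line" for every hit; return 0 if at
# least one pattern matched, 1 if none did, 2 for a malformed IP.
# `[[ $line == *"$p"* ]]` is a literal substring test: ( ) $ { } ? * [ ] + |
# in the pattern are plain characters, unlike the right-hand side of =~.
check_ip() {
    local ip=$1 logfile=$2 line p i hits=0
    is_ipv4 "$ip" || { printf 'not an IPv4 address: %s\n' "$ip" >&2; return 2; }
    while IFS= read -r line; do
        for i in "${!PATTERNS[@]}"; do
            p=${PATTERNS[$i]}
            if [[ $line == *"$p"* ]]; then
                printf '%s\t%s\n' "${TYPES[$i]}" "$line"
                hits=$((hits + 1))
            fi
        done
    done < <(lines_for_ip "$ip" "$logfile")
    [[ $hits -gt 0 ]]
}

# --- demo --------------------------------------------------------------------
load_patterns "$DEF_FILE"
check_ip 11.11.11.11 "$LOG_FILE"      # two hits: ThinkPHP and RDP
```

Run it with bash. The demo at the end prints one "type, line" pair per hit and exits 0; a client with no hits exits 1, which is what a calling script needs instead of the `return $?` after the loop in the thread's version. The ThinkPHP pattern with `${...}` and parentheses matches only because the comparison is a literal one; handed to `=~` as an ERE, those characters would be interpreted.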
  

