Just some quick hacks. Example usage:
createdb test
./filter access_log | psql test
psql test
test=# select count(*) from attack ;
count
-------
34927
(1 row)
test=# select distinct offender from attack ;
offender
-----------------
4.3.15.82
4.3.91.244
4.3.100.18
...
218.2.150.229
218.7.184.45
218.11.107.131
218.17.66.36
218.64.5.17
(9267 rows)
test=# select count(*) from attack where timestamp >= current_timestamp
- cast('1 week' as interval);
count
-------
21649
(1 row)
Also...
Modify the filter script to not output the postgresql header/footer and
you can grab ip/timestamp/request fields using cut/awk.
mv access_log access_log.save
mkfifo access_log
(restart apache)
./filter access_log |cut -d'|' -f1-1 |sort |uniq >someplace
No warranties etc. ;-)
Matt
On Fri, 2001-09-21 at 18:15, Martin Stricker wrote:
> Matthew Kennedy wrote:
> >
> > Looks like you have two types of scum in there: Nimda and one of the
> > two Red Code versions. I have a sed and awk combo using a named-fifo
> > at home that will filter out the junk and log offending IP numbers
> > and timestamps *on the fly*.
>
> Would you mind posting these scripts here (or mail them to me in
> private) and tell me how to make it work?
>
> > I'm still not sure what to do with that information though...
>
> Write new iptables rules to block these IP addresses (at least for a
> while) so you won't get scanned again from them. But I fear you'll have
> to "service network restart" every time, but I'm not sure about it.
>
> Best regards,
> Martin Stricker
filter.dat
#!/bin/sh
# Usage: ./filter access_log | psql dbname
# Reads filter.dat (one fingerprint|label per line) and emits the SQL that
# creates and fills the attack and worms tables.
cat <<EOF
create table attack (
offender inet,
timestamp timestamp,
fingerprint varchar(1024)
);
copy attack from stdin using delimiters '|';
EOF
# The first column of filter.dat is the pattern list grep matches against.
cut -d'|' -f1 <filter.dat >filter.grep
# Extract ip|timestamp|request from each access_log line.  Non-greedy groups
# stop at the first ] and the first quoted field (the request), and lines that
# do not match the log format are skipped instead of printed as empty fields.
perl -nwe 'print "$1|$2|$3\n" if /^(\d+\.\d+\.\d+\.\d+)\s.*?\[(.+?)\].*?"(.+?)"/;' <"$1" | \
grep -f filter.grep
cat <<EOF
\.
create table worms (
fingerprint varchar(1024),
label varchar(20)
);
copy worms from stdin using delimiters '|';
EOF
cat filter.dat
cat <<EOF
\.
EOF
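An added example, not the script from the post above, that does the same ip|timestamp|request extraction in the shell as the cut/awk note suggests, but reads the request from the first quoted field only (so a fingerprint appearing in the referrer or user-agent field cannot match) and labels each hit from the filter.dat entries. The fingerprint list and the access_log lines are constructed samples, and the Apache timestamp is rewritten as ISO 8601 before it would reach the copy statement.

```shell
#!/bin/sh
# Constructed fingerprint list in the filter.dat layout: fingerprint|label.
FILTER_DAT='default.ida|codered
cmd.exe|nimda'

# Constructed access_log lines (combined format); only two are worm probes.
# The third line carries a fingerprint in the referrer field, not the request.
ACCESS_LOG='10.0.0.5 - - [21/Sep/2001:18:15:02 +0200] "GET /index.html HTTP/1.0" 200 1234 "-" "Mozilla/4.0"
10.0.0.9 - - [21/Sep/2001:18:15:07 +0200] "GET /default.ida?NNNN HTTP/1.0" 404 271 "-" "-"
10.0.0.7 - - [21/Sep/2001:18:15:08 +0200] "GET /about.html HTTP/1.0" 200 512 "http://example.test/cmd.exe" "-"
10.0.0.9 - - [21/Sep/2001:18:15:09 +0200] "GET /scripts/cmd.exe HTTP/1.0" 404 282 "-" "-"'

# tag_attacks FINGERPRINTS < access_log
# Prints offender|timestamp|request|label for every line whose request field
# contains a fingerprint; the label is the first matching entry in list order.
tag_attacks() {
    awk -F'"' -v fp="$1" '
    BEGIN {
        n = split(fp, entry, "\n")
        for (i = 1; i <= n; i++) { split(entry[i], kv, "|"); pat[i] = kv[1]; lab[i] = kv[2] }
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) mon[m[i]] = sprintf("%02d", i)
    }
    {
        ip = $1; sub(/ .*/, "", ip)                      # first token of the line
        ts = $1; sub(/^[^[]*\[/, "", ts); sub(/].*/, "", ts)  # 21/Sep/2001:18:15:07 +0200
        split(ts, t, "[/: ]")                            # d mon y H M S tz
        iso = t[3] "-" mon[t[2]] "-" t[1] " " t[4] ":" t[5] ":" t[6] " " t[7]
        for (i = 1; i <= n; i++)
            if (index($2, pat[i])) { print ip "|" iso "|" $2 "|" lab[i]; break }
    }'
}

# Distinct offenders: the "select distinct offender" query done in the shell.
offenders() { tag_attacks "$1" | cut -d'|' -f1 | sort -u; }

printf '%s\n' "$ACCESS_LOG" | tag_attacks "$FILTER_DAT"
```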