Port Probes Again

David Demland demland@home.com
Sat, 8 Jul 2000 12:13:31 -0700


Thank You. This seems to work. I will have to get a book on perl next.

David
----- Original Message -----
From: Kevin Buettner <kev@primenet.com>
To: <plug-discuss@lists.PLUG.phoenix.az.us>
Sent: Saturday, July 08, 2000 12:24 AM
Subject: Re: Port Probes Again


> On Jul 7, 10:58pm, David Demland wrote:
> > Subject: Re: Port Probes Again
> > Here is what the current log looks like:
> >
> > Jul  6 19:38:04 localhost kernel: Packet log: input DENY eth1 PROTO=17
> > 200.1.28.20:1024 255.255.255.255:6612 L=46 S=0x00 I=28629 F=0x0000 T=63
> > (#34)
> > Jul  6 19:38:04 localhost kernel: Packet log: input DENY eth1 PROTO=17
> > 200.1.28.20:1024 255.255.255.255:6612 L=56 S=0x00 I=28630 F=0x0000 T=63
> > (#34)
> > Jul  6 19:38:04 localhost kernel: Packet log: input DENY eth1 PROTO=17
> > 200.1.28.20:1024 255.255.255.255:6612 L=56 S=0x00 I=28631 F=0x0000 T=63
> > (#34)
> > Jul  6 19:38:04 localhost kernel: Packet log: input DENY eth1 PROTO=17
> > 200.1.28.20:1024 255.255.255.255:6612 L=46 S=0x00 I=28632 F=0x0000 T=63
> > (#34)
> > Jul  6 19:38:04 localhost kernel: Packet log: input DENY eth1 PROTO=17
> > 200.1.28.20:1024 255.255.255.255:6612 L=56 S=0x00 I=28633 F=0x0000 T=63
> > (#34)
> > Jul  6 19:38:05 localhost kernel: Packet log: input DENY eth1 PROTO=17
> > 24.8.65.123:7778 255.255.255.255:7777 L=64 S=0x00 I=63193 F=0x0000 T=128
> > (#34)
> > Jul  6 19:38:06 localhost kernel: Packet log: input DENY eth1 PROTO=17
> > 169.254.172.44:2519 255.255.255.255:2519 L=54 S=0x00 I=45704 F=0x0000 T=128
> > (#34)
> > Jul  6 19:38:06 localhost kernel: Packet log: input DENY eth1 PROTO=17
> > 10.10.10.10:3419 255.255.255.255:123 L=76 S=0x00 I=26896 F=0x0000 T=128
> > (#34)
> > Jul  6 19:38:09 localhost kernel: Packet log: input DENY eth1 PROTO=17
> > 200.1.28.20:1024 255.255.255.255:6612 L=56 S=0x00 I=28634 F=0x0000 T=63
> > (#34)
> > Jul  6 19:38:09 localhost kernel: Packet log: input DENY eth1 PROTO=17
> > 200.1.28.20:1024 255.255.255.255:6612 L=56 S=0x00 I=28635 F=0x0000 T=63
> > (#34)
> > Jul  6 19:38:09 localhost kernel: Packet log: input DENY eth1 PROTO=17
> > 200.1.28.20:1024 255.255.255.255:6612 L=46 S=0x00 I=28636 F=0x0000 T=63
> > (#34)
> > Jul  6 19:38:09 localhost kernel: Packet log: input DENY eth1 PROTO=17
> > 200.1.28.20:1024 255.255.255.255:6612 L=56 S=0x00 I=28637 F=0x0000 T=63
> > (#34)
> > Jul  6 19:38:09 localhost kernel: Packet log: input DENY eth1 PROTO=17
> > 200.1.28.20:1024 255.255.255.255:6612 L=56 S=0x00 I=28639 F=0x0000 T=63
> > (#34)
> > Jul  6 19:38:09 localhost kernel: Packet log: input DENY eth1 PROTO=17
> > 200.1.28.20:1024 255.255.255.255:6612 L=56 S=0x00 I=28640 F=0x0000 T=63
> > (#34)
> > Jul  6 19:38:09 localhost kernel: Packet log: input DENY eth1 PROTO=17
> > 200.1.28.20:1024 255.255.255.255:6612 L=56 S=0x00 I=28641 F=0x0000 T=63
> > (#34)
>
> Try the following script:
>
> --- ipaddrs ---
> #!/usr/bin/perl -w
>
> my %ipaddrs;
>
> while (<>) {
>     while (/(\b\d+\.\d+\.\d+\.\d+\b)/g) {
>         my $addr = $1;
>         next if $addr =~ /^255\./;
>         $ipaddrs{$addr}++;
>     }
> }
>
> foreach my $addr (sort {$ipaddrs{$b} <=> $ipaddrs{$a}} keys %ipaddrs) {
>     print "$addr: $ipaddrs{$addr}\n";
> }
> --- end ipaddrs ---
>
> It'll sort the addresses by the number of times that they occur in the
> input stream.  E.g., when I run it on your example data above, I get
> the following output:
>
> ocotillo:ptests$ ./ipaddrs ipaddrs.data
> 200.1.28.20: 12
> 24.8.65.123: 1
> 10.10.10.10: 1
> 169.254.172.44: 1
>
> It is possible (easy, even) to enhance this script so that it does
> lots of other things, like keeping track of the port numbers that a
> given IP address is attempting to probe and summarizing this data as
> well.
>
> Kevin
>
> _______________________________________________
> Plug-discuss mailing list  -  Plug-discuss@lists.PLUG.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
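The enhancement Kevin mentions at the end of his message, tracking which destination ports each source hits, worked through below as an added example. This is not Kevin's script or anything else posted to the thread; the sub names `parse_line`, `summarize` and `report` are my own, and the regex assumes the ipchains "Packet log:" layout shown in David's log (chain, target, interface, PROTO=, src:port, dst:port). The sample lines in the `__DATA__` section are copied from the quoted log above, unwrapped onto single lines as syslog writes them. Rather than grabbing every dotted quad in the line, it parses the source and destination fields explicitly, so the 255.255.255.255 destination never needs to be filtered out by hand, and it notes when every packet from a source went to the broadcast address, which is worth knowing before treating a source as a probe.

```perl
#!/usr/bin/perl -w
use strict;

# Protocol numbers as they appear in the ipchains PROTO= field (IANA numbers).
my %proto_name = (1 => 'icmp', 6 => 'tcp', 17 => 'udp');

# Parse one ipchains "Packet log:" line into its interesting fields.
# Returns undef for lines that are not packet log entries (they are skipped).
sub parse_line {
    my ($line) = @_;
    return undef unless $line =~ /
        Packet\ log:\s+(\S+)\s+(\S+)\s+(\S+)\s+   # chain, target, interface
        PROTO=(\d+)\s+
        (\d+\.\d+\.\d+\.\d+):(\d+)\s+              # source address:port
        (\d+\.\d+\.\d+\.\d+):(\d+)                 # destination address:port
    /x;
    return {
        chain => $1, target => $2, iface => $3,
        proto => $proto_name{$4} || $4,
        src   => $5, sport => $6,
        dst   => $7, dport => $8,
    };
}

# Aggregate: packets per source, and per source a count of each
# proto/destination-port pair it was denied access to.
sub summarize {
    my @lines = @_;
    my %summary;
    for my $line (@lines) {
        my $p = parse_line($line) or next;
        my $s = $summary{ $p->{src} } ||= { packets => 0, targets => {}, broadcast => 0 };
        $s->{packets}++;
        $s->{targets}{"$p->{proto}/$p->{dport}"}++;
        $s->{broadcast}++ if $p->{dst} eq '255.255.255.255';
    }
    return \%summary;
}

# Print sources in descending order of packet count (ties by address),
# followed by the ports they hit, most frequent first.
sub report {
    my ($summary) = @_;
    for my $src (sort { $summary->{$b}{packets} <=> $summary->{$a}{packets}
                        || $a cmp $b } keys %$summary) {
        my $s = $summary->{$src};
        my $targets = join ', ',
            map { sprintf('%s x%d', $_, $s->{targets}{$_}) }
            sort { $s->{targets}{$b} <=> $s->{targets}{$a} } keys %{ $s->{targets} };
        my $note = $s->{broadcast} == $s->{packets}
                 ? ' (all to broadcast 255.255.255.255)' : '';
        print "$src: $s->{packets} packets -> $targets$note\n";
    }
}

# Read log files named on the command line (or stdin); with no arguments,
# fall back to the sample lines below, taken from the log quoted in the thread.
my @input = @ARGV ? <> : <DATA>;
report(summarize(@input));

__DATA__
Jul  6 19:38:04 localhost kernel: Packet log: input DENY eth1 PROTO=17 200.1.28.20:1024 255.255.255.255:6612 L=46 S=0x00 I=28629 F=0x0000 T=63 (#34)
Jul  6 19:38:04 localhost kernel: Packet log: input DENY eth1 PROTO=17 200.1.28.20:1024 255.255.255.255:6612 L=56 S=0x00 I=28630 F=0x0000 T=63 (#34)
Jul  6 19:38:04 localhost kernel: Packet log: input DENY eth1 PROTO=17 200.1.28.20:1024 255.255.255.255:6612 L=56 S=0x00 I=28631 F=0x0000 T=63 (#34)
Jul  6 19:38:05 localhost kernel: Packet log: input DENY eth1 PROTO=17 24.8.65.123:7778 255.255.255.255:7777 L=64 S=0x00 I=63193 F=0x0000 T=128 (#34)
Jul  6 19:38:06 localhost kernel: Packet log: input DENY eth1 PROTO=17 169.254.172.44:2519 255.255.255.255:2519 L=54 S=0x00 I=45704 F=0x0000 T=128 (#34)
Jul  6 19:38:06 localhost kernel: Packet log: input DENY eth1 PROTO=17 10.10.10.10:3419 255.255.255.255:123 L=76 S=0x00 I=26896 F=0x0000 T=128 (#34)
```

Run it as `./ipports /var/log/messages` (or pipe `grep 'Packet log'` output into it) to summarize a real log; with no arguments it runs over the embedded sample and lists 200.1.28.20 first with `udp/6612 x3`, then the three single-packet sources. Because the script keys on the parsed source field, a line in which the destination happens to contain another address never inflates a source's count, which is the one thing the dotted-quad regex in the original script has to guard against with the `^255\.` check.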