On Jul 7, 10:58pm, David Demland wrote:
> Subject: Re: Port Probes Again
> Here is what the current log looks like:
>
> Jul 6 19:38:04 localhost kernel: Packet log: input DENY eth1 PROTO=17 200.1.28.20:1024 255.255.255.255:6612 L=46 S=0x00 I=28629 F=0x0000 T=63 (#34)
> Jul 6 19:38:04 localhost kernel: Packet log: input DENY eth1 PROTO=17 200.1.28.20:1024 255.255.255.255:6612 L=56 S=0x00 I=28630 F=0x0000 T=63 (#34)
> Jul 6 19:38:04 localhost kernel: Packet log: input DENY eth1 PROTO=17 200.1.28.20:1024 255.255.255.255:6612 L=56 S=0x00 I=28631 F=0x0000 T=63 (#34)
> Jul 6 19:38:04 localhost kernel: Packet log: input DENY eth1 PROTO=17 200.1.28.20:1024 255.255.255.255:6612 L=46 S=0x00 I=28632 F=0x0000 T=63 (#34)
> Jul 6 19:38:04 localhost kernel: Packet log: input DENY eth1 PROTO=17 200.1.28.20:1024 255.255.255.255:6612 L=56 S=0x00 I=28633 F=0x0000 T=63 (#34)
> Jul 6 19:38:05 localhost kernel: Packet log: input DENY eth1 PROTO=17 24.8.65.123:7778 255.255.255.255:7777 L=64 S=0x00 I=63193 F=0x0000 T=128 (#34)
> Jul 6 19:38:06 localhost kernel: Packet log: input DENY eth1 PROTO=17 169.254.172.44:2519 255.255.255.255:2519 L=54 S=0x00 I=45704 F=0x0000 T=128 (#34)
> Jul 6 19:38:06 localhost kernel: Packet log: input DENY eth1 PROTO=17 10.10.10.10:3419 255.255.255.255:123 L=76 S=0x00 I=26896 F=0x0000 T=128 (#34)
> Jul 6 19:38:09 localhost kernel: Packet log: input DENY eth1 PROTO=17 200.1.28.20:1024 255.255.255.255:6612 L=56 S=0x00 I=28634 F=0x0000 T=63 (#34)
> Jul 6 19:38:09 localhost kernel: Packet log: input DENY eth1 PROTO=17 200.1.28.20:1024 255.255.255.255:6612 L=56 S=0x00 I=28635 F=0x0000 T=63 (#34)
> Jul 6 19:38:09 localhost kernel: Packet log: input DENY eth1 PROTO=17 200.1.28.20:1024 255.255.255.255:6612 L=46 S=0x00 I=28636 F=0x0000 T=63 (#34)
> Jul 6 19:38:09 localhost kernel: Packet log: input DENY eth1 PROTO=17 200.1.28.20:1024 255.255.255.255:6612 L=56 S=0x00 I=28637 F=0x0000 T=63 (#34)
> Jul 6 19:38:09 localhost kernel: Packet log: input DENY eth1 PROTO=17 200.1.28.20:1024 255.255.255.255:6612 L=56 S=0x00 I=28639 F=0x0000 T=63 (#34)
> Jul 6 19:38:09 localhost kernel: Packet log: input DENY eth1 PROTO=17 200.1.28.20:1024 255.255.255.255:6612 L=56 S=0x00 I=28640 F=0x0000 T=63 (#34)
> Jul 6 19:38:09 localhost kernel: Packet log: input DENY eth1 PROTO=17 200.1.28.20:1024 255.255.255.255:6612 L=56 S=0x00 I=28641 F=0x0000 T=63 (#34)

Try the following script:

--- ipaddrs ---
#!/usr/bin/perl -w
my %ipaddrs;
while (<>) {
    # count every dotted-quad address on the line, except 255.* (the broadcast destination)
    while (/(\b\d+\.\d+\.\d+\.\d+\b)/g) {
        my $addr = $1;
        next if $addr =~ /^255\./;
        $ipaddrs{$addr}++;
    }
}
# most frequent address first
foreach my $addr (sort {$ipaddrs{$b} <=> $ipaddrs{$a}} keys %ipaddrs) {
    print "$addr: $ipaddrs{$addr}\n";
}
--- end ipaddrs ---

It'll sort the addresses by the number of times that they occur in the input stream. E.g., when I run it on your example data above, I get the following output:

ocotillo:ptests$ ./ipaddrs ipaddrs.data
200.1.28.20: 12
24.8.65.123: 1
10.10.10.10: 1
169.254.172.44: 1

It is possible (easy, even) to enhance this script so that it does lots of other things, like keeping track of the port numbers that a given IP address is attempting to probe and summarizing this data as well.

Kevin
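The enhancement Kevin sketches at the end (per-source tallies of the destination ports being probed) worked through as an added example. This is not Kevin's script and is written in Python rather than Perl; it assumes only the ipchains "Packet log:" line layout visible in the quoted log (chain, action, interface, PROTO=, src:port, dst:port). Instead of counting every dotted quad on the line and skipping 255.*, it parses the source and destination fields separately, so the broadcast destination is never counted and the per-port breakdown falls out of the same pass. The sample input is six entries copied from the log quoted above plus one constructed unrelated syslog line, to show that non-matching lines are ignored.

```python
import re
from collections import defaultdict

# Field layout of the ipchains "Packet log" entries in the quoted log:
#   Packet log: input DENY eth1 PROTO=17 200.1.28.20:1024 255.255.255.255:6612 ...
PACKET_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)


def parse_packet_log(line):
    """Return the parsed fields of one log line, or None if it is not a Packet log entry."""
    m = PACKET_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def summarize_by_source(lines):
    """Count packets per source address and, per source, per destination port.

    Returns {src: {"packets": n, "ports": {dport: n}}}.  Only the source field is
    counted, so the 255.255.255.255 destination needs no special-casing.
    """
    summary = defaultdict(lambda: {"packets": 0, "ports": defaultdict(int)})
    for line in lines:
        rec = parse_packet_log(line)
        if rec is None:
            continue  # not a packet-filter log line
        entry = summary[rec["src"]]
        entry["packets"] += 1
        entry["ports"][rec["dport"]] += 1
    # Hand back plain dicts rather than defaultdicts.
    return {src: {"packets": e["packets"], "ports": dict(e["ports"])}
            for src, e in summary.items()}


def sorted_sources(summary):
    """Source addresses ordered busiest first, ties broken by address string."""
    return sorted(summary, key=lambda s: (-summary[s]["packets"], s))


def format_report(summary):
    """One line per source: total packets and the destination ports it hit."""
    out = []
    for src in sorted_sources(summary):
        e = summary[src]
        ports = ", ".join(f"{p} ({n})" for p, n in sorted(e["ports"].items()))
        out.append(f"{src}: {e['packets']} packet(s), dst ports: {ports}")
    return "\n".join(out)


# Sample input: six entries copied from the quoted log, plus one constructed
# unrelated syslog line that the parser must skip.
SAMPLE_LOG = """\
Jul 6 19:38:04 localhost kernel: Packet log: input DENY eth1 PROTO=17 200.1.28.20:1024 255.255.255.255:6612 L=46 S=0x00 I=28629 F=0x0000 T=63 (#34)
Jul 6 19:38:04 localhost kernel: Packet log: input DENY eth1 PROTO=17 200.1.28.20:1024 255.255.255.255:6612 L=56 S=0x00 I=28630 F=0x0000 T=63 (#34)
Jul 6 19:38:05 localhost kernel: Packet log: input DENY eth1 PROTO=17 24.8.65.123:7778 255.255.255.255:7777 L=64 S=0x00 I=63193 F=0x0000 T=128 (#34)
Jul 6 19:38:06 localhost kernel: Packet log: input DENY eth1 PROTO=17 169.254.172.44:2519 255.255.255.255:2519 L=54 S=0x00 I=45704 F=0x0000 T=128 (#34)
Jul 6 19:38:06 localhost kernel: Packet log: input DENY eth1 PROTO=17 10.10.10.10:3419 255.255.255.255:123 L=76 S=0x00 I=26896 F=0x0000 T=128 (#34)
Jul 6 19:38:09 localhost kernel: Packet log: input DENY eth1 PROTO=17 200.1.28.20:1024 255.255.255.255:6612 L=56 S=0x00 I=28634 F=0x0000 T=63 (#34)
Jul 6 19:38:10 localhost sshd[123]: constructed unrelated syslog line
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # e.g. ./ipports.py /var/log/messages
        with open(sys.argv[1]) as fh:
            print(format_report(summarize_by_source(fh)))
    else:
        print(format_report(summarize_by_source(SAMPLE_LOG.splitlines())))
```

Run with no arguments it reports on the embedded sample; give it a log file path to run over real syslog output. Because the parser keys on the "Packet log:" fields rather than on any dotted quad in the line, it also stays correct on lines where a hostname or other field happens to contain a dotted-quad string.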