For speed, control, and simplicity, gawk is almost impossible to beat for parsing simple text logs like pfirewall.log. The pipeline below gives you a list of the source IPs (Src IP, field 5) seen in pfirewall.log for allowed packets, sorted numerically by count: the first column is the count, the second the unique IP. Note that gawk makes quick work of these searches.
gawk '$3 == "ALLOW" {print $5}' pfirewall.log | sort -nr | uniq -c | sort -nr 
   6849 192.168.0.4
   4317 127.0.0.1
   3014 192.168.200.87
   1577 10.10.10.74
    725 192.168.168.246
    680 172.17.5.143
    595 fe80::9536:4516:f99:3705
    557 ::1
    350 fe80::645d:d71d:f845:ac71
    265 192.168.150.10
    261 169.254.172.113
    214 0.0.0.0
    122 10.10.10.82
    107 85.13.200.108
...
Now we add the source ports (Src Port, field 7):
gawk '$3 == "ALLOW" {print $5" "$7}' pfirewall.log | sort -nr | uniq -c | sort -nr 
   1609 127.0.0.1 58915
   1341 127.0.0.1 58912
    214 0.0.0.0 68
    132 fe80::9536:4516:f99:3705 -
    128 192.168.0.4 137
    116 fe80::645d:d71d:f845:ac71 -
    107 85.13.200.108 20
    106 ::1 -
    106 127.0.0.1 -
     96 127.0.0.1 52845
     76 fe80::ffff:ffff:fffe -
     73 127.0.0.1 53249
     72 169.254.172.113 137  
....
Now we show Src IP, Dest IP and Dest Port (fields 5, 6 and 8):
gawk '$3 == "ALLOW" {print $5" "$6" "$8}' pfirewall.log | sort -nr | uniq -c | sort -nr
   1609 127.0.0.1 127.0.0.1 58915
   1364 192.168.0.4 192.168.0.1 53
   1341 127.0.0.1 127.0.0.1 58912
    720 192.168.0.4 208.113.141.123 80
    668 127.0.0.1 239.255.255.250 1900
    661 192.168.200.87 192.168.200.1 53
    461 fe80::9536:4516:f99:3705 ff02::1:3 5355
    389 10.10.10.74 10.10.10.1 53
    379 192.168.0.4 192.168.0.245 80
    235 192.168.0.4 69.63.176.175 80
    233 fe80::645d:d71d:f845:ac71 ff02::1:3 5355
    214 0.0.0.0 255.255.255.255 67
    172 192.168.0.4 224.0.0.252 5355
....
Now we sort the SrcIP, DestIP, DestPort triples by key (sort -k 1,3), so that uniq -c counts each unique combination; the output is ordered by IP rather than by count:
gawk '$3 == "ALLOW" {print $5" "$6" "$8}' pfirewall.log | sort -k 1,3 | uniq -c 
    214 0.0.0.0 255.255.255.255 67
     25 10.0.0.4 10.0.0.255 137
      7 10.0.0.4 224.0.0.22 -
      1 10.0.0.4 224.0.0.252 137
     63 10.0.0.4 224.0.0.252 5355
      1 10.0.0.4 239.255.255.250 3702
      1 10.10.10.10 224.0.0.1 -
      1 10.10.10.74 10.10.10.1 137
     13 10.10.10.74 10.10.10.1 2060
    389 10.10.10.74 10.10.10.1 53
      1 10.10.10.74 10.10.10.1 67
     19 10.10.10.74 10.10.10.255 137
      2 10.10.10.74 12.129.210.71 80
      2 10.10.10.74 12.129.210.76 80
...
As above, but now sorted by the count of each unique combination:
gawk '$3 == "ALLOW" {print $5" "$6" "$8}' pfirewall.log | sort -k 1,3 | uniq -c | sort -nr
   1609 127.0.0.1 127.0.0.1 58915
   1364 192.168.0.4 192.168.0.1 53
   1341 127.0.0.1 127.0.0.1 58912
    720 192.168.0.4 208.113.141.123 80
    664 127.0.0.1 239.255.255.250 1900
    661 192.168.200.87 192.168.200.1 53
    461 fe80::9536:4516:f99:3705 ff02::1:3 5355
    389 10.10.10.74 10.10.10.1 53
    379 192.168.0.4 192.168.0.245 80
    235 192.168.0.4 69.63.176.175 80
    233 fe80::645d:d71d:f845:ac71 ff02::1:3 5355
    214 0.0.0.0 255.255.255.255 67
    172 192.168.0.4 224.0.0.252 5355
    167 169.254.172.113 224.0.0.252 5355
    154 172.17.5.143 172.17.5.1 53
    147 192.168.0.4 207.115.66.86 80
    140 192.168.150.10 192.168.150.1 53
    136 192.168.200.87 206.223.158.41 443
...
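The steps above are one procedure: filter on the action field, pick the fields of interest, then sort | uniq -c | sort -nr. The script below is an added example, not code from the original post. It embeds a constructed pfirewall.log (header lines plus a handful of records laid out as the #Fields line documents) so it runs offline, reproduces the post's ALLOW counts, and goes one step further than the post by parameterising the action so the same functions summarise DROP records, which is where a defender usually looks first. The function names (sample_log, top_src, flow_counts, count_src) are my own; the AWK variable falls back to plain awk when gawk is not installed.

```shell
#!/bin/sh
# Added example (not from the original post). Uses gawk when present,
# otherwise the system awk; nothing here needs gawk-only features.
if command -v gawk >/dev/null 2>&1; then AWK=gawk; else AWK=awk; fi

# Constructed pfirewall.log sample. Field order follows the #Fields header:
# date time action protocol src-ip dst-ip src-port dst-port size ... path
sample_log() {
cat <<'EOF'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2009-07-29 08:00:01 ALLOW UDP 192.168.0.4 192.168.0.1 51000 53 0 - - - - - - - SEND
2009-07-29 08:00:02 ALLOW UDP 192.168.0.4 192.168.0.1 51001 53 0 - - - - - - - SEND
2009-07-29 08:00:03 ALLOW TCP 192.168.0.4 208.113.141.123 52000 80 0 - 0 0 0 - - - SEND
2009-07-29 08:00:04 DROP TCP 85.13.200.108 192.168.0.4 20 445 48 S 1 0 8192 - - - RECEIVE
2009-07-29 08:00:05 DROP TCP 85.13.200.108 192.168.0.4 20 135 48 S 1 0 8192 - - - RECEIVE
2009-07-29 08:00:06 ALLOW UDP 127.0.0.1 127.0.0.1 58915 58915 0 - - - - - - - SEND
2009-07-29 08:00:07 ALLOW UDP 0.0.0.0 255.255.255.255 68 67 0 - - - - - - - SEND
2009-07-29 08:00:08 ALLOW UDP 192.168.0.4 192.168.0.1 51002 53 0 - - - - - - - SEND
EOF
}

# Source IPs for one action (ALLOW or DROP), descending by count: the post's
# "sort | uniq -c | sort -nr" idiom. Header lines start with '#', so their
# third field never equals the action and they fall out of the filter.
top_src() {   # $1 = action
  sample_log | $AWK -v act="$1" '$3 == act {print $5}' | sort | uniq -c | sort -nr
}

# Count (src-ip, dst-ip, dst-port) triples in a single awk pass instead of
# the sort | uniq -c round trip. Output lines are "count src dst dstport",
# highest count first.
flow_counts() {   # $1 = action
  sample_log | $AWK -v act="$1" '
    $3 == act { n[$5 " " $6 " " $8]++ }
    END { for (k in n) print n[k], k }' | sort -nr
}

# Count for a single source IP under an action (used by the checks below).
count_src() {   # $1 = action, $2 = src-ip
  top_src "$1" | $AWK -v ip="$2" '$2 == ip {print $1}'
}

# When run as a script: allowed top talkers, then the dropped inbound flows.
top_src ALLOW
flow_counts DROP
```

Running it prints the ALLOW talkers (192.168.0.4 with 4 records on the sample) and then the DROP flows; swapping sample_log for `cat pfirewall.log` applies the same functions to a real log.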
Wednesday, 29 July 2009
Parsing Vista Firewall Logs: Part III