I've been using this for some time, and having a wee bit o'spare time lately, decided it might possibly maybe perhaps be of use to fellow monks. So without further ado, I offer for your consideration a perl one-liner that can help you to know when your box is being probed by skiddies and crackers.
ippl is a *nix packet logger. By configuring it to log suspicious packets in a longer format than mundane packets, and by resolving their source address, you can trivially extract info on nefarious goings-on. The example log below illustrates my web server being probed for nonexistent FTP, DNS, and WINS services.

* relevant chunk from ippl.conf:

* sample lines from ippl.log:

* sample munged output:

* from a perlish perspective, it matches any line containing an open-paren *unless* the paren is immediately preceded by the word "time". perldoc perlre says that's a zero-width positive lookahead assertion.

Update: Hmmm... props to blakem for cleaner and more recognizable syntax below. I vaguely recall seeing that in perlre, but must've already had this'un working.

perl -ne 'print if (/\(/ && $` !~ /time$/)' < ippl.log > ippl.noteworthy
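As an added illustration (not ybiC's or blakem's code), the script below runs the one-liner's prematch test and the equivalent negative-lookbehind form side by side over a handful of constructed log lines; the lines are made up to resemble ippl output and are not taken from a real ippl.log. The last line shows the one case where the two forms disagree: a line with a "time(" paren and a later, ordinary paren.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample lines, loosely modelled on ippl-style output; the exact
# field layout of a real ippl.log is not shown on the page and may differ.
my @lines = (
    'Jan  5 03:12:44 tcp connection attempt to ftp from 192.0.2.10 (probe.example.net)',
    'Jan  5 03:12:45 udp datagram to domain from 192.0.2.10 (probe.example.net)',
    'Jan  5 03:13:01 tcp connection attempt to www from 198.51.100.7',
    'Jan  5 03:13:02 udp datagram to netbios-ns from 192.0.2.10 (probe.example.net)',
    'Jan  5 03:14:00 lookup time(out) for 203.0.113.9',
    'Jan  5 03:14:01 lookup time(out) for 203.0.113.9 (slow.example.org)',
);

# The posted one-liner's test as a function: the line contains an open paren,
# and the prematch ($`) of the FIRST paren does not end in "time".
sub noteworthy_prematch {
    my ($line) = @_;
    return ($line =~ /\(/ && $` !~ /time$/) ? 1 : 0;
}

# The negative-lookbehind form: matches ANY paren not preceded by "time",
# so a line with several parens can be judged differently from above.
sub noteworthy_lookbehind {
    my ($line) = @_;
    return ($line =~ /(?<!time)\(/) ? 1 : 0;
}

for my $line (@lines) {
    my $by_prematch   = noteworthy_prematch($line);
    my $by_lookbehind = noteworthy_lookbehind($line);
    my $tag = $by_prematch == $by_lookbehind
            ? ($by_prematch ? 'KEEP' : 'skip')
            : 'DIFFER';   # only the last sample line ends up here
    printf "%-6s %s\n", $tag, $line;
}
```

Run it with `perl script.pl`; pipe real ippl output through either sub instead of @lines once you have confirmed which parens your own log format produces.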