Blocking IPs log from honeyd

crackyblue · 09-18-2007, 01:05 AM

Hi, I just wanted to ask if where i could get a script or similar that can parse honeyd logs that contained detected ip address that are probing. The honeyd.log has these entries.

2007-09-18-06:10:23.4563 tcp(6) - 81.56.254.187 49857 xxx.xxx.xxx.xxx 9887: 60 S [Linux 2.6 ]
2007-09-18-06:20:39.7773 tcp(6) - 64.53.140.163 47515 xx.xxx.xxx.xxx
9887: 60 S [Linux 2.6 ]
2007-09-18-06:21:52.4131 udp(17) - 153.104.74.95 30811 xxx.xxx.xxx.xxx 1026: 394
2007-09-18-06:40:30.1793 tcp(6) - 81.56.254.187 58448 xxx.xxx.xxx.xxx 9887: 60 S [Linux 2.6 ]
2007-09-18-06:46:16.9606 udp(17) - 222.161.2.9 54614 xxx.xxx.xxx.xxx
1027: 921
........ snippets ........

I know these could be done with bash scripts or perl scripts, but im no programmer.. sorry...

Thanks in advance.

HappyTux · 09-19-2007, 10:28 AM

Quote:

Originally Posted by crackyblue

Hi, I just wanted to ask if where i could get a script or similar that can parse honeyd logs that contained detected ip address that are probing. The honeyd.log has these entries.

2007-09-18-06:10:23.4563 tcp(6) - 81.56.254.187 49857 xxx.xxx.xxx.xxx 9887: 60 S [Linux 2.6 ]
2007-09-18-06:20:39.7773 tcp(6) - 64.53.140.163 47515 xx.xxx.xxx.xxx
9887: 60 S [Linux 2.6 ]
2007-09-18-06:21:52.4131 udp(17) - 153.104.74.95 30811 xxx.xxx.xxx.xxx 1026: 394
2007-09-18-06:40:30.1793 tcp(6) - 81.56.254.187 58448 xxx.xxx.xxx.xxx 9887: 60 S [Linux 2.6 ]
2007-09-18-06:46:16.9606 udp(17) - 222.161.2.9 54614 xxx.xxx.xxx.xxx
1027: 921
........ snippets ........

I know these could be done with bash scripts or perl scripts, but im no programmer.. sorry...

Thanks in advance.

I just copied your output to a test file and something like the below should get you the IPs.

Code:

>$ grep - test.txt | cut -d " " -f4
81.56.254.187
64.53.140.163
153.104.74.95
81.56.254.187
222.161.2.9

Try it using the honey.d log in place of test.txt and see what it says you should get similar out to what I did.

crackyblue · 09-19-2007, 07:26 PM

Quote:

Originally Posted by HappyTux

I just copied your output to a test file and something like the below should get you the IPs.

Code:

>$ grep - test.txt | cut -d " " -f4
81.56.254.187
64.53.140.163
153.104.74.95
81.56.254.187
222.161.2.9

Try it using the honey.d log in place of test.txt and see what it says you should get similar out to what I did.

Thank you so much for that one, i never thought it would that simple, I should better get a bash book to ease out a bit some of my administration task. Anyway, i took the manual task of deleting duplicate entries and put it somewhere on the iptables script file where the previous administrator has a script there that reads IPs from a file. So for my last Q, is it ok to have duplicates on the iptables firewall, and does iptables performance gets cranky when that file get bigger? (in my perception, yes).

Again TIA.

HappyTux · 09-19-2007, 10:07 PM

Quote:

Originally Posted by crackyblue

Thank you so much for that one, i never thought it would that simple, I should better get a bash book to ease out a bit some of my administration task. Anyway, i took the manual task of deleting duplicate entries and put it somewhere on the iptables script file where the previous administrator has a script there that reads IPs from a file. So for my last Q, is it ok to have duplicates on the iptables firewall, and does iptables performance gets cranky when that file get bigger? (in my perception, yes).

Again TIA.

If it was setting exactly the same IP then it would not be a duplicate you would just be overwriting the existing rule and it is probably to be expected performance wise the larger the file more rules everything has to pass through so it takes more time to do it.