Hi, first of all, thanks to those who helped. Sorry to Karsten, who seems to dislike Yahoo mail; I'll get a decent MUA next time. However, I still need a bit more help. Here's the list of my scripts that clearly need cleaning/fixing (see below); I've included the data for clarity.

data: scans.txt

Jun 9 00:03:09 MY.NET.98.162:6112 -> 24.130.240.72:6112 UDP
Jun 9 00:03:09 MY.NET.98.162:6112 -> 172.158.9.12:6112 UDP
Jun 9 00:03:10 MY.NET.98.162:6112 -> 24.190.43.195:6112 UDP
Jun 9 00:15:31 144.51.17.1:53 -> MY.NET.98.126:1219 UDP
Jun 9 00:15:31 144.51.17.1:53 -> MY.NET.98.126:1220 UDP
Jun 9 00:15:31 144.51.17.1:53 -> MY.NET.98.126:1221 UDP
Jun 9 00:15:32 144.51.17.1:53 -> MY.NET.98.126:1222 UDP
#tally number of src ips
$ grep '..:..:' scans.txt | cut -d '>' -f 1 | cut -d ' ' -f 4 | cut -d ':' -f 1 | tr -d ' ' | sort | uniq -c | sort -nr > scan_src_ips_test.log

#tally number of dst ips
$ grep '..:..:' scans.txt | cut -d '>' -f 2 | cut -d ':' -f 1 | tr -d ' ' | sort | uniq -c | sort -nr > scan_dst_ips_test.log

#tally number of dst ports
$ grep '..:..:' scans.txt | cut -d '>' -f 2 | cut -d ':' -f 2 | cut -d ' ' -f 1 | tr -d ' ' | sort | uniq -c | sort -nr > scan.dst.ports.log

data: alert.txt

08/28-00:00:06.008691 [**] SMB Name Wildcard [**] 200.187.133.51:137 -> MY.NET.132.10:137
08/28-00:16:52.761152 [**] spp_portscan: PORTSCAN DETECTED from MY.NET.201.42 (THRESHOLD 7 connections in 2 seconds) [**]
08/28-00:16:57.561511 [**] spp_portscan: portscan status from MY.NET.201.42: 21 connections across 19 hosts: TCP(0), UDP(21) [**]
08/28-00:17:03.490019 [**] spp_portscan: portscan status from MY.NET.201.42: 2 connections across 2 hosts: TCP(0), UDP(2) [**]
08/28-00:17:05.644140 [**] spp_portscan: PORTSCAN DETECTED from 142.179.38.136 (STEALTH) [**]
08/28-16:48:30.119883 [**] Possible trojan server activity [**] MY.NET.202.42:3530 -> 128.60.33.72:27374
08/28-16:48:30.119933 [**] Possible trojan server activity [**] MY.NET.202.42:3527 -> 128.60.33.69:27374
08/28-17:58:58.378913 [**] Watchlist 000220 IL-ISDNNET-990517 [**] 212.179.43.225:32532 -> MY.NET.225.22:6346
08/28-17:59:00.641257 [**] Watchlist 000220 IL-ISDNNET-990517 [**] 212.179.43.225:32532 -> MY.NET.225.22:6346
08/28-17:59:02.299542 [**] Watchlist 000220 IL-ISDNNET-990517 [**] 212.179.43.225:32532 -> MY.NET.225.22:6346
03/24-00:16:03.220881 [**] spp_portscan: PORTSCAN DETECTED from MY.NET.11.8 (THRESHOLD 4 connections exceeded in 6 seconds) [**]
03/24-00:16:03.515447 [**] spp_portscan: portscan status from MY.NET.11.8: 9 connections across 9 hosts: TCP(0), UDP(9) [**]
03/24-00:16:03.843841 [**] spp_portscan: portscan status from MY.NET.11.8: 8 connections across 8 hosts: TCP(0), UDP(8) [**]
03/24-00:16:04.105264 [**] spp_portscan: portscan status from MY.NET.11.8: 3 connections across 3 hosts: TCP(0), UDP(3) [**]

#tally number of spp_portscans and the corresponding ips
help?

#tally number of destination ips
grep "\[\*\*\]" alert.txt | grep -v spp_portscan | cut -d \> -f 2 | cut -d : -f 1 | sed s/\ //g | sort | uniq -c | sort -nr > alerts.dstips.log

#tally number of destination ports
grep "\[\*\*\]" alert.txt | grep -v spp_portscan | grep -v Tiny\ Fragments | grep -v ICMP\ SRC | cut -d \> -f 2 | cut -d : -f 2 | sed s/\ //g | sort | uniq -c | sort -nr > alerts.dstports.log

#tally number of src ips
grep "\[\*\*\]" alert.txt | grep -v spp_portscan | cut -d \] -f 3 | cut -d \- -f 1 | cut -d : -f 1 | sed s/\ //g >> alerts.srcips.log.unsorted
grep PORTSCAN alert.txt | cut -d \] -f 2 | cut -d \ -f 6 | sed s/\ //g >> alerts.srcips.log.unsorted
sort alerts.srcips.log.unsorted | uniq -c | sort -nr > alerts.srcips.log
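An added example (mine, not the poster's scripts) for the "tally number of spp_portscans and the corresponding ips" question, and for the src/dst/port tallies of the other alerts: one awk pass per tally instead of chained grep/cut/sed. It assumes the alert.txt layout shown in the post (whitespace-separated fields, "src:port -> dst:port" at the end of non-portscan alerts, "PORTSCAN DETECTED from IP" and "portscan status from IP: N connections across M hosts" for the preprocessor lines); the sample file is built inline from the post's own excerpt. Two things the posted pipelines get wrong are handled here: `cut -d` only accepts a single-character delimiter, so `cut -d ' :'` errors out, and alerts without ports (Tiny Fragments, ICMP SRC) are skipped by the port tally automatically rather than by hand-maintained `grep -v` lists.

```bash
#!/bin/sh
# Added example, not code from the original post.
# Sample alert lines copied from the post's alert.txt excerpt; the field
# positions used below are assumptions about that format.

ALERTS=$(mktemp)
trap 'rm -f "$ALERTS"' EXIT
cat > "$ALERTS" <<'EOF'
08/28-00:00:06.008691 [**] SMB Name Wildcard [**] 200.187.133.51:137 -> MY.NET.132.10:137
08/28-00:16:52.761152 [**] spp_portscan: PORTSCAN DETECTED from MY.NET.201.42 (THRESHOLD 7 connections in 2 seconds) [**]
08/28-00:16:57.561511 [**] spp_portscan: portscan status from MY.NET.201.42: 21 connections across 19 hosts: TCP(0), UDP(21) [**]
08/28-00:17:03.490019 [**] spp_portscan: portscan status from MY.NET.201.42: 2 connections across 2 hosts: TCP(0), UDP(2) [**]
08/28-00:17:05.644140 [**] spp_portscan: PORTSCAN DETECTED from 142.179.38.136 (STEALTH) [**]
08/28-16:48:30.119883 [**] Possible trojan server activity [**] MY.NET.202.42:3530 -> 128.60.33.72:27374
08/28-16:48:30.119933 [**] Possible trojan server activity [**] MY.NET.202.42:3527 -> 128.60.33.69:27374
08/28-17:58:58.378913 [**] Watchlist 000220 IL-ISDNNET-990517 [**] 212.179.43.225:32532 -> MY.NET.225.22:6346
08/28-17:59:00.641257 [**] Watchlist 000220 IL-ISDNNET-990517 [**] 212.179.43.225:32532 -> MY.NET.225.22:6346
08/28-17:59:02.299542 [**] Watchlist 000220 IL-ISDNNET-990517 [**] 212.179.43.225:32532 -> MY.NET.225.22:6346
03/24-00:16:03.220881 [**] spp_portscan: PORTSCAN DETECTED from MY.NET.11.8 (THRESHOLD 4 connections exceeded in 6 seconds) [**]
03/24-00:16:03.515447 [**] spp_portscan: portscan status from MY.NET.11.8: 9 connections across 9 hosts: TCP(0), UDP(9) [**]
03/24-00:16:03.843841 [**] spp_portscan: portscan status from MY.NET.11.8: 8 connections across 8 hosts: TCP(0), UDP(8) [**]
03/24-00:16:04.105264 [**] spp_portscan: portscan status from MY.NET.11.8: 3 connections across 3 hosts: TCP(0), UDP(3) [**]
EOF

# One line per scanning source: number of "PORTSCAN DETECTED" events, plus
# connection and host totals summed from the "portscan status" lines.
# Field 7 is the IP on both line types (with a trailing ":" on status lines);
# fields 8 and 11 are the connection and host counts on status lines.
portscan_tally() {  # usage: portscan_tally FILE
    awk '
    /spp_portscan: PORTSCAN DETECTED from/ { detected[$7]++; seen[$7] = 1 }
    /spp_portscan: portscan status from/ {
        ip = $7; sub(/:$/, "", ip)
        conns[ip] += $8; hosts[ip] += $11; seen[ip] = 1
    }
    END {
        for (ip in seen)
            printf "%d %s connections=%d hosts=%d\n", detected[ip], ip, conns[ip], hosts[ip]
    }' "$1" | sort -k1,1nr -k2,2
}

# Tally src IPs, dst IPs or dst ports of the non-portscan alerts by locating
# the "->" token instead of counting "]" or ":" characters. Alerts without a
# port (the Tiny Fragments / ICMP SRC cases) contribute nothing to dport.
alert_tally() {  # usage: alert_tally FILE src|dst|dport
    awk -v want="$2" '
    /\[\*\*\]/ && !/spp_portscan/ {
        src = dst = ""
        for (i = 2; i < NF; i++)
            if ($i == "->") { src = $(i - 1); dst = $(i + 1) }
        if (src == "") next
        split(src, s, ":"); split(dst, d, ":")
        key = (want == "src") ? s[1] : (want == "dst") ? d[1] : d[2]
        if (key != "") count[key]++
    }
    END { for (k in count) print count[k], k }' "$1" | sort -k1,1nr -k2,2
}

echo "== portscan sources =="; portscan_tally "$ALERTS"
echo "== src ips (non-portscan alerts) =="; alert_tally "$ALERTS" src
echo "== dst ports (non-portscan alerts) =="; alert_tally "$ALERTS" dport
```

Point the functions at the real alert.txt by replacing `$ALERTS` with the file name; the scans.txt tallies can be done the same way with `alert_tally`, since those lines also carry a "->" between src:port and dst:port.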