I want to do this first as a quick command, then leverage BASH scripting to automate this.
What I used in http://slackfiles.blogspot.com/2007/12/modsecurity-again.html apparently isn't working when trying to parse the firewall logs. I don't get it, but then again, I'm tired. I'll try again tomorrow.
The new logs look like the below (showing in /var/log/syslog instead of /var/log/messages of my old setup):
Jul 8 22:55:19 starchild kernel: BLOCKED: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:0c:db:fc:8b:59:08:00 SRC=64.47.32.59 DST=64.62.231.220 LEN=48 TOS=0x00 PREC=0x00 TTL=249 ID=39747 DF PROTO=TCP SPT=3405 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
I may need to leverage Awk (I was close to doing this before I upgraded the server from v9.0 to v12.0).
Stay tuned!
1 comment:
For one, I would be thinking about deploying ULOGD, so you can write firewall information to it's own file instead of filling up syslog. Also added bonus is that you won't get much false positives (the chance is probably nil anyway).
Along with awk, have a look at uniq(1) - report or omit repeated lines. It can count how many times something happens. I guess the most easy way, would be to grep for SRC .. run awk -F= and then count with uniq
Hope that helps.
BP{k}
Post a Comment