Hello all,

Just wanted to look into a "for fun" project, after a
recent project that wasn't much fun at all...  Our
organization got hit by the blaster worm, which hit
many, many Windows boxes.  The *nix boxes (which I
manage) were of course unaffected, except by the
total lack of bandwidth available to them.  Except for
one.  We have the syslog on our PIX firewall forward
on to one of my boxes, so I have an interesting, detailed
log of how the blaster worm spread on our network.

So much for the history, now on to some ideas...  I
thought it would be interesting to plot two things -
1) How many hits per minute, and 2) Total compromised
systems over time.

I thought of Perl immediately as a good tool to break
this rather large file down, but being a newbie I'm
not sure how to begin.  The format of each line is
as follows (IPs changed to protect the lazy):

Aug 20 16:57:28 pix %PIX-3-106011: Deny inbound (No xlate) 
icmp src inside:10.0.0.10 dst inside:10.1.1.23 (type 8, code 0)


For the first bit I know I would need to just create a counter
for each minute, probably using a regex to increment the counter?

For the second I would need to count the source machine IPs, and
use a hash(?) to keep track of them, and when each first appears
in the logs, then plot that over time?

Can anyone give me some ideas where to start?  This worm spread
incredibly fast in our network, should be interesting to see it
charted.

Tony
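One way to do both counts in Perl, as an added example (not code from the original post): a single pass over the log, a regex that pulls the minute and the source IP out of each 106011 line, a hash of hits per minute, and a second hash that records the first minute each source IP appears. The embedded sample lines are constructed in the format shown above using the post's changed 10.x addresses; run it with real log file names on the command line to use those instead.

```perl
#!/usr/bin/perl
# Added example: hits per minute and cumulative distinct source IPs
# from PIX %PIX-3-106011 syslog lines. Reads files named on the command
# line, or the constructed sample below when none are given.
use strict;
use warnings;

# Build a sample line in the same layout as the post's example (constructed data).
sub mk {
    my ($time, $src, $dst) = @_;
    return "Aug 20 $time pix %PIX-3-106011: Deny inbound (No xlate) "
         . "icmp src inside:$src dst inside:$dst (type 8, code 0)";
}
my @sample = (
    mk('16:57:28', '10.0.0.10', '10.1.1.23'),
    mk('16:57:40', '10.0.0.10', '10.1.1.24'),
    mk('16:58:02', '10.0.0.11', '10.1.1.23'),
    mk('16:58:03', '10.0.0.11', '10.1.1.25'),
    mk('16:59:15', '10.0.0.10', '10.1.1.26'),
);

# $1 = timestamp down to the minute ("Aug 20 16:57"), $2 = source IP of the denied packet.
my $re = qr/^(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}):\d{2}\s+\S+\s+%PIX-\d-106011:
            .*?\bsrc\s+\w+:(\d{1,3}(?:\.\d{1,3}){3})/x;

my (%hits, %first_seen, @minutes);
for my $line (@ARGV ? <> : @sample) {
    chomp $line;
    next unless $line =~ $re;
    my ($minute, $src) = ($1, $2);
    push @minutes, $minute unless $hits{$minute}++;          # keep minutes in log order
    $first_seen{$src} = $minute unless exists $first_seen{$src};  # first appearance only
}

# Turn "first seen" into "new sources per minute", then a running total.
my %new_sources;
$new_sources{$_}++ for values %first_seen;
my $total = 0;
print join("\t", qw(minute hits new_sources total_sources)), "\n";
for my $m (@minutes) {
    my $new = $new_sources{$m} || 0;
    $total += $new;
    print join("\t", $m, $hits{$m}, $new, $total), "\n";   # tab-separated, ready to plot
}
```

The tab-separated output (minute, hits that minute, new sources, running total of sources) feeds straight into gnuplot or a spreadsheet; the running total is the "total compromised systems over time" curve, assuming every source that trips the rule is infected.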
