Hello Tony,

if I understand your mail correctly, you want the possibility to identify which machines are responsible for the logged traffic to a certain port.

>Good Evening all,
>
>I'm sorry to ask a question like this, but here goes. I want to expand
>weblet a little and would like some pointers. I'm currently running weblet
>1.2 under Bering v1.1. I like the screens where you can view the hits by
>either port or sorted IP address. What I want to do is, add the
>functionality of the IP address screen to the port screen.
>
>On the IP screen, the addresses are clickable to view the actual hits the IP
>was associated with. What I would like to do is have the ports be clickable
>to view a sorted list of IP addresses. So if I clicked port 53, I could get
>a listing of all the IP's who hit that port. I could then get the offending
>IP's without having to plow through the current IP list to see who hit what
>port.
>
>Did I describe that clearly enough? I viewed the code to see how the
>different pages are rendered and how the sub routines are called, but I
>don't really know sed. I'm not sure where to start.

You can make the following changes to weblet:

#edit /var/sh-www/cgi-bin/viewhits

Change the following two subroutines:
----------
ipsort)
;;
-------
to
------------------------
ipsort)
# $content is the port taken from the link viewhits?ipsort_<port>
HEAD='<tr><td width="50"> Hits </td><td>IP-Adress</td><td> </td></tr>'
# keep only the SRC address of each hit on that port, count per address
AUS="`grep "DPT=$content " /var/log/messages |sed 's/.*SRC=/<\/td><td>/
s/ .*$/<\/td><td><\/td><\/tr>/'| sort -n | uniq -c |sort -rn|\
sed 's/^/<tr><td>/'`"
titel="hits on port $content"
;;
------------------------
and
portsort)
......
;;
to
-------------------------
portsort)
HEAD='<tr><td>hits</td><td>port</td><td>Service</td></tr>'
# count hits per destination port; each port links to the ipsort view
AUS=` grep "Shorewall:.* DPT" /var/log/messages |\
sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/'|\
sort | uniq -c |sort -rn |\
while read count port ; do
printf "<tr><td>$count</td><td><a href=viewhits?ipsort_$port>$port</a></td><td>"
# look up the service name for the port
grep "\\b$port\\b" /etc/services |sed /^#/d |cut -f 1 |uniq
printf "</td></tr>"
done `
titel="Hits sorted by porttype"
;;
------------------------
Then save viewhits and backup weblet.

This should do the trick (at least it did it for me).

If there are more people interested in this kind of information, I could implement some of those in weblet. Also possible, for example, would be those IP numbers that are logged for many different ports --> scanners.

Any comment is welcome.

Regards
Eric Wolzak
member of the bering Crew

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
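
Added example (not part of the mail above and not weblet code): the port in `viewhits?ipsort_<port>` arrives from the URL and ends up in a grep pattern and in the page title, so this sketch accepts only a decimal port before using it, and also lists the sources seen on many different ports that the mail calls scanners. The function names and the sample log lines are constructed for illustration; output is plain "count address" text rather than weblet's HTML rows.

```shell
#!/bin/sh
# Added example, not weblet code. Function names are hypothetical.

# Constructed Shorewall-style log lines (addresses from documentation ranges).
sample_log() {
cat <<'EOF'
Jan 12 20:01:11 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=UDP SPT=40000 DPT=53 LEN=40
Jan 12 20:01:12 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=UDP SPT=40001 DPT=53 LEN=40
Jan 12 20:02:03 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=UDP SPT=40002 DPT=53 LEN=40
Jan 12 20:02:04 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=40003 DPT=22 WINDOW=512
Jan 12 20:02:05 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=40004 DPT=23 WINDOW=512
Jan 12 20:02:06 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=40005 DPT=445 WINDOW=512
Jan 12 20:03:00 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=UDP SPT=40006 DPT=530 LEN=40
EOF
}

# Accept only a decimal port 1-65535 without leading zeros; everything
# else that could arrive in the query string is rejected.
valid_port() {
    case "$1" in
        ''|0*|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -le 65535 ]
}

# stdin: log lines. Prints "count address" for one destination port,
# busiest source first. Returns 2 without reading if the port is invalid.
sources_for_port() {
    valid_port "$1" || return 2
    grep -F "DPT=$1 " |
        sed -n 's/.* SRC=\([0-9.]*\) .*/\1/p' |
        sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# stdin: log lines. Prints "ports address" for every source logged on at
# least $1 distinct destination ports (scanner candidates).
multi_port_sources() {
    sed -n 's/.* SRC=\([0-9.]*\) .* DPT=\([0-9]*\) .*/\1 \2/p' |
        sort -u |
        awk -v min="$1" '{n[$1]++} END {for (ip in n) if (n[ip] >= min) print n[ip], ip}' |
        sort -rn
}

sample_log | sources_for_port 53
sample_log | multi_port_sources 3
```

The trailing space in the fixed-string match keeps port 53 from also matching port 530, the same trick the `grep "DPT=$content "` in the mail relies on.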