Re: [leaf-user] weblet/sed question

2003-06-01 Thread James LiGate


*** REPLY SEPARATOR  ***

On 5/30/2003 at 10:43 PM Tony wrote, in part:

> ...I want to expand weblet a little...
>
> ...What I want to do is, add the functionality of the IP address screen to
> the port screen...
>
> On the IP screen, the addresses are clickable to view the actual hits the IP
> was associated with.  What I would like to do is have the ports be clickable
> to view a sorted list of IP addresses.  So if I clicked port 53, I could get
> a listing of all the IP's who hit that port.  I could then get the offending
> IP's without having to plow through the current IP list to see who hit what
> port.
>
> Did I describe that clearly enough?

Made sense to me. :o)  I'd like to have that functionality too, and I hope if
you make such changes you'll share them with the rest of us.  Sometimes I want
to sanity-check that ONE hit on my FTP port amidst the hundreds of pings and
Windows file-sharing probes and backdoor tests.

Thing is though, you don't have to plow through the current IP list even
now.  If there are certain port hits that concern you on the port screen, make
a note of them, then flip over to the 0 firewall log and use your browser's
search function.  You can very quickly step through all the hits on that
specific port in that particular log.

Not saying that what you're suggesting is not worthwhile; I want it and would
use it, for sure.  Just pointing out there IS a possibly easier way to get at
the data than what you're currently doing.

Cheers,
James




---
This SF.net email is sponsored by: eBay
Get office equipment for less on eBay!
http://adfarm.mediaplex.com/ad/ck/711-11697-6916-5

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html


Re: [leaf-user] weblet/sed question

2003-06-01 Thread eric wolzak
Hello Tony, if I understand your mail correctly, you want the possibility to
identify which machines are responsible for the logged traffic to a certain
port.

> Good Evening all,
>
> I'm sorry to ask a question like this, but here goes.  I want to expand
> weblet a little and would like some pointers.  I'm currently running weblet
> 1.2 under Bering v1.1.  I like the screens where you can view the hits by
> either port or sorted IP address.  What I want to do is, add the
> functionality of the IP address screen to the port screen.
>
> On the IP screen, the addresses are clickable to view the actual hits the IP
> was associated with.  What I would like to do is have the ports be clickable
> to view a sorted list of IP addresses.  So if I clicked port 53, I could get
> a listing of all the IP's who hit that port.  I could then get the offending
> IP's without having to plow through the current IP list to see who hit what
> port.
>
> Did I describe that clearly enough?  I viewed the code to see how the
> different pages are rendered and how the sub routines are called, but I
> don't really know sed.  I'm not sure where to start.

You can make the following changes to weblet:

# edit /var/sh-www/cgi-bin/viewhits
change the following two subroutines:
--
ipsort)
;;
---
to

ipsort)
HEAD='<tr><td width=50> Hits </td><td>IP-Adress</td><td>&nbsp;</td></tr>'
AUS=`grep DPT=$content /var/log/messages | sed 's/.*SRC=/<\/td><td>/
s/ .*$/<\/td><td><\/td><\/tr>/' | sort -n | uniq -c | sort -rn |\
sed 's/^/<tr><td>/'`
titel="hits on port $content"
;;

and
portsort)
..
;;
to
-
portsort)
HEAD='<tr><td>hits</td><td>port</td><td>Service</td></tr>'
AUS=`grep "Shorewall:.* DPT" /var/log/messages |\
sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' |\
sort | uniq -c | sort -rn |\
while read count port ; do
   printf "<tr><td>$count</td><td><a href=\"viewhits?ipsort_$port\">$port</a></td><td>"
   grep "\\b$port\\b" /etc/services | sed /^#/d | cut -f 1 | uniq
   printf "</td></tr>"
done`
titel="Hits sorted by porttype"
;;

Then save viewhits and back up weblet.

This should do the trick (at least it did for me).
If there are more people interested in this kind of information, I could
implement some of it in weblet.
Possible additions would be, for example, also those IP numbers that are logged for many
different ports -- scanners.

Any comment is welcomed

Regards
Eric Wolzak
member of the bering Crew
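As an added example, not weblet's own code and not from Eric's post, here are the two views his change produces, hits per port and the IPs behind one port, as plain sh functions over Shorewall-style log lines. The log lines and the services table are constructed so it runs offline; the viewhits?ipsort_PORT link target is the one from the posted portsort snippet. Two things the posted snippets do not do are added: the port number from the query string is checked to be digits before it is used, and everything log-derived is HTML-escaped before it is written into the page.

```sh
#!/bin/sh
# Added example, not weblet's own code: "hits per port" and "which IPs hit
# one port" as plain sh functions over Shorewall-style log lines. Sample log
# and services table are constructed here so the script runs offline.

# Constructed stand-in for /var/log/messages: four Shorewall drops and one
# unrelated line that must not end up in the table.
SAMPLE_LOG='May 30 17:01:02 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=10.0.0.7 DST=192.0.2.1 PROTO=TCP SPT=4444 DPT=53
May 30 17:01:05 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=10.0.0.9 DST=192.0.2.1 PROTO=TCP SPT=4445 DPT=53
May 30 17:02:10 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=10.0.0.7 DST=192.0.2.1 PROTO=TCP SPT=4446 DPT=53
May 30 17:03:00 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=10.0.0.7 DST=192.0.2.1 PROTO=TCP SPT=4447 DPT=21
May 30 17:04:00 fw dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth1'

# Constructed stand-in for /etc/services (the real file is tab separated;
# awk's default field splitting handles both).
SAMPLE_SERVICES='# Network services, Internet style
ftp 21/tcp
domain 53/tcp
domain 53/udp
http 80/tcp'

# Service name for a port number, empty if the table has none.
service_name() {
    printf '%s\n' "$SAMPLE_SERVICES" |
    awk -v p="$1" '!/^#/ && split($2, a, "/") && a[1] == p { print $1; exit }'
}

# Hits per destination port, most-hit first: "<count> <port> <service>".
# sed -n with the p flag prints only lines that carry a DPT= field, so the
# dhcpd line is dropped instead of leaking into the table.
hits_by_port() {
    sed -n 's/.*Shorewall:.* DPT=\([0-9]\{1,5\}\).*/\1/p' |
    sort -n | uniq -c | sort -rn |
    while read -r count port; do
        svc=$(service_name "$port")
        printf '%s %s %s\n' "$count" "$port" "${svc:-unknown}"
    done
}

# IPs that hit one port, most frequent first: "<count> <ip>". The port comes
# from the query string in viewhits, so it is checked to be digits only
# before it is used anywhere.
ips_for_port() {
    case $1 in
        ''|*[!0-9]*) echo "ips_for_port: port must be numeric" >&2; return 1 ;;
    esac
    sed -n 's/.*Shorewall:.* SRC=\([0-9.]*\) .* DPT=\([0-9]*\).*/\2 \1/p' |
    awk -v p="$1" '$1 == p { print $2 }' |
    sort | uniq -c | sort -rn |
    while read -r count ip; do printf '%s %s\n' "$count" "$ip"; done
}

# Escape the characters that matter in HTML text and attribute values;
# everything log-derived passes through this before it reaches the page.
html_escape() {
    sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g; s/"/\&quot;/g'
}

# The port table as HTML rows, each port linked to its IP list.
port_table() {
    printf '<tr><td>Hits</td><td>Port</td><td>Service</td></tr>\n'
    hits_by_port | while read -r count port svc; do
        p=$(printf '%s' "$port" | html_escape)
        s=$(printf '%s' "$svc" | html_escape)
        printf '<tr><td>%s</td><td><a href="viewhits?ipsort_%s">%s</a></td><td>%s</td></tr>\n' \
            "$count" "$p" "$p" "$s"
    done
}

# Run it on the sample: the port table, then the IPs behind port 53.
printf '%s\n' "$SAMPLE_LOG" | port_table
echo "--- who hit port 53 ---"
printf '%s\n' "$SAMPLE_LOG" | ips_for_port 53
```

On the sample this prints the header row, a row for port 53 (3 hits, domain) and one for port 21 (1 hit, ftp), then "2 10.0.0.7" and "1 10.0.0.9" for port 53. Replace the two constructed variables with `cat /var/log/messages` and `/etc/services` to run it against a real box.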





[leaf-user] PPTP w/dachstein

2003-06-01 Thread Fisher, Brian

I am currently trying to set up a VPN via PPTP. My understanding is that I need to do
three things on my Dachstein firewall first. They are:
  1) load the ip_masq_pptp module
  2) open protocol 47
  3) open port 1723

I have loaded the pptp module and I can see from the logs that it is going through:
 # lsmod
 Module                  Pages    Used by
 ip_masq_pptp            4116     0
 ip_masq_vdolive         1180     0 (unused)
 ip_masq_user            3708     0 (unused)

log:
May 30 17:03:23 firewall kernel: ip_masq_pptp_tcp(): OUT_CALL_REQUEST 192.168.1.2 -> 24.233.124.101 CID=0 MCID=EF5C
May 30 17:03:23 firewall kernel: ip_demasq_pptp_tcp(): OUT_CALL_REPLY 192.168.1.2 -> 24.233.124.101 CID=0 MCID=EF5C
May 30 17:16:45 firewall kernel: Packet log: input DENY eth0 PROTO=47 24.233.124.101:65535 24.233.115.144:65535 L=54 S=0x00 I=5010 F=0x4000 T=63 (#43)


My problem lies with opening protocol 47; I am trying to use ipchains to open it but
I can't figure out the right command.

Please help

Thanks in advance,

 Brian Fisher
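An added example, not from the post and not part of Dachstein's own scripts: before any rule is changed it is worth reading the ipchains "Packet log:" lines back into chain, verdict, interface, protocol, peer and rule number, so the denied GRE (protocol 47) traffic is tied to exactly one interface and one peer. The script below does that over constructed lines (the first is the one quoted above), counts the denies, and prints the narrowest accept rule that would admit them. The rule is only printed; `-A input`, `-i`, `-p`, `-s` and `-j` are standard ipchains options, the interface and peer are taken from the log, and a rule entered at the prompt does not survive a reboot unless the firewall's own configuration is changed as well.

```sh
#!/bin/sh
# Added example, not from the post and not part of Dachstein: summarise the
# ipchains "Packet log:" lines so a denied protocol-47 (GRE) packet can be
# tied to its chain, interface, rule number and peer before any rule is
# changed. Log lines are constructed; the first is the one quoted in the post.

SAMPLE_LOG='May 30 17:16:45 firewall kernel: Packet log: input DENY eth0 PROTO=47 24.233.124.101:65535 24.233.115.144:65535 L=54 S=0x00 I=5010 F=0x4000 T=63 (#43)
May 30 17:16:47 firewall kernel: Packet log: input DENY eth0 PROTO=47 24.233.124.101:65535 24.233.115.144:65535 L=54 S=0x00 I=5011 F=0x4000 T=63 (#43)
May 30 17:17:02 firewall kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.23:2345 24.233.115.144:1723 L=60 S=0x00 I=12 F=0x4000 T=50 (#41)
May 30 17:17:09 firewall kernel: ip_masq_pptp_tcp(): OUT_CALL_REQUEST 192.168.1.2 -> 24.233.124.101 CID=0 MCID=EF5C'

# Reduce each packet-log line to "chain verdict iface proto src dst rule";
# the masq helper messages carry no "Packet log:" and are skipped.
packet_log_fields() {
    sed -n 's/.*Packet log: \([a-z]*\) \([A-Z]*\) \([^ ]*\) PROTO=\([0-9]*\) \([0-9.]*\):[0-9]* \([0-9.]*\):[0-9]* .*(\(#[0-9]*\))$/\1 \2 \3 \4 \5 \6 \7/p'
}

# Denied packets counted per chain, protocol, source and rule number,
# busiest first: "<count> <chain> <proto> <src> <rule>".
denied_summary() {
    packet_log_fields |
    awk '$2 == "DENY" { print $1, $4, $5, $7 }' |
    sort | uniq -c | sort -rn | sed 's/^ *//'
}

# For each distinct interface/peer pair that had protocol 47 denied, the
# narrowest ipchains rule that would admit it: one protocol, one interface,
# one peer. It is only printed here. Run by root on the firewall it takes
# effect immediately and is gone at reboot unless the firewall's own
# configuration is changed as well.
gre_accept_rules() {
    packet_log_fields |
    awk '$2 == "DENY" && $4 == "47" { print $3, $5 }' | sort -u |
    while read -r iface peer; do
        printf 'ipchains -A input -i %s -p 47 -s %s -j ACCEPT\n' "$iface" "$peer"
    done
}

echo "denied packets:"
printf '%s\n' "$SAMPLE_LOG" | denied_summary
echo "candidate rules:"
printf '%s\n' "$SAMPLE_LOG" | gre_accept_rules
```

The rule number in the summary (#43 here) is the position in the chain that produced the DENY, which `ipchains -L input -n --line-numbers` would show; the accept rule has to be inserted ahead of it, or appended only if that deny is the chain's catch-all at the end.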


 





Re: [leaf-user] weblet extension version 2

2003-06-01 Thread eric wolzak
Hello Tony


Another variant is to change in the file viewhits the option ipsort to
-
ipsort)
HEAD='<tr><td width=50> Hits </td><td>IP-Adress</td><td>&nbsp;</td></tr>'

AUS=`grep DPT=$content /var/log/messages |\
sed 's/.*SRC=\(.* \)DST.*$/<a href="viewhits?x_\1">\1<\/a><\/td><td><\/td><\/tr>/' |\
sort -n | uniq -c | sort -rn |\
sed 's/^/<tr><td>/
s/<a/<\/td><td><a/'`
;;
---
this is a little bit slower but lets you click on each IP address that tried
to connect to the certain port and shows the messages that it caused,
including those to another port

Regards
Eric Wolzak
member of the bering crew






Re: [leaf-user] weblet/sed question

2003-06-01 Thread Jeff Newmiller
On Fri, 30 May 2003, Tony wrote:

> Good Evening all,
>
> I'm sorry to ask a question like this, but here goes.  I want to expand
> weblet a little and would like some pointers.  I'm currently running weblet
> 1.2 under Bering v1.1.  I like the screens where you can view the hits by
> either port or sorted IP address.  What I want to do is, add the
> functionality of the IP address screen to the port screen.
>
> On the IP screen, the addresses are clickable to view the actual hits the IP
> was associated with.  What I would like to do is have the ports be clickable
> to view a sorted list of IP addresses.  So if I clicked port 53, I could get
> a listing of all the IP's who hit that port.  I could then get the offending
> IP's without having to plow through the current IP list to see who hit what
> port.
>
> Did I describe that clearly enough?  I viewed the code to see how the
> different pages are rendered and how the sub routines are called, but I
> don't really know sed.  I'm not sure where to start.
>
> Any pointers would be helpful.

Be sure you recognize that you need to know HTML and CGI concepts also.

But if sed is the issue for you, then really, you _do_ know where to
start.

I would suggest "man sed", "man 7 regex", and Googling "regular expression".

A brief decomposition of the hitssort option in viewhits to get you
started (from an old version of weblet, so my comments may not apply to
the current version):

###
 HEAD='<tr><td width=20%>Hits</td><td>IP-Adress</td><td>Date</td></tr>'
  AUS=`grep Shorewall: /var/log/messages |\
  sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\<\/td\>\<td\>\<a href=\"viewhits?x_\3\"\>\3\<\/a\>\<\/td\>\<td\>\1\<\/td\>\<\/tr\>/'|\
  sort  |uniq -c | sort -rn |sed 's/^/\<tr\>\<td\>/'`
  titel="hits sorted by frequency and ip address"
###

This is three shell variable assignments used later in the script.  The
second one uses the backtick operator to invoke a pipeline to take
/var/log/messages and reformat lines containing Shorewall:.  The
pipeline has six commands:

###
grep Shorewall: /var/log/messages |\
sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\<\/td\>\<td\>\<a href=\"viewhits?x_\3\"\>\3\<\/a\>\<\/td\>\<td\>\1\<\/td\>\<\/tr\>/'|\
sort  |\
uniq -c |\
sort -rn |\
sed 's/^/\<tr\>\<td\>/'
###

You can invoke subsets of this pipeline interactively at the shell prompt
to see what it is doing, like

###
grep Shorewall: /var/log/messages
###

or

###
grep Shorewall: /var/log/messages |\
sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\<\/td\>\<td\>\<a href=\"viewhits?x_\3\"\>\3\<\/a\>\<\/td\>\<td\>\1\<\/td\>\<\/tr\>/'
###

The sed invocation is using the substitute command (s/x/y/).  In this
case every line in the input is expected to match this command, so every
line will have this substitution applied. sed requires an inordinate
amount of escaping to protect special characters, so the pattern it is
searching for is really:

###
(.{6})(.*SRC=)(.*)( DST=.*)
###

.{6} matches any six consecutive characters, while .* matches any zero or
more characters.  The * notation is greedy so the largest number of
characters possible is used... which effectively pushes the .{6} up
against the beginning of each line of input, where the date (e.g. May
31) is found.  The second .* grabs all the characters between SRC= and
the space before DST=. Note that this is not the only way this could be
expressed... I would have written this search pattern as

###
^(.{6}).*SRC=(.*) DST=.*$
###

which would anchor the six characters to be grabbed from the beginning
of the line, would not remember (with parentheses) all that junk that
isn't going to be used later, and would clearly show that the pattern was
to extend to the end of the line.

Which brings us to sub-matches... the matched portions of the pattern that
fall inside the parentheses.  The s/x/y/ command replaces the x with y,
where y in this case is (really one line)

###
\<\/td\>\<td\>\<a href=\"viewhits?x_\3\"\>\3\<\/a\>\<\/td\>\<td\>\1\<\/td\>\<\/tr\>
###

or, more readably

###
</td><td><a 
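To see what Jeff's decomposition describes, an added example (not from weblet and not from Jeff's post) runs the same substitution over constructed log lines three ways: Jeff's four-group pattern, his anchored two-group form, and the anchored form with `-n` and the `p` flag. The third matters because, as Jeff notes, every line is expected to match; a line that does not (here a constructed "Shorewall: restarted" message, which `grep Shorewall:` still passes) goes through an ordinary `s///` unchanged and would land in the table as a row of garbage. The HTML in the real replacement is left out so the captured groups are visible as "ip=... date=...".

```sh
#!/bin/sh
# Added example, not from weblet or from Jeff's post: the substitution Jeff
# decomposes, run over constructed log lines three ways so the capture
# groups, the greedy .* and the effect of -n with the p flag can be seen.

# Constructed lines: Shorewall drops in the format viewhits reads, plus one
# line that contains "Shorewall:" but has no SRC=/DST= fields, which
# grep Shorewall: would still let through.
LINE_HIT='May 31 02:15:44 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 LEN=40 PROTO=TCP SPT=1234 DPT=21'
LINE_NOISE='May 31 02:16:00 fw Shorewall: restarted'
SAMPLE_LOG="$LINE_HIT
May 31 02:15:50 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 LEN=40 PROTO=TCP SPT=1235 DPT=21
May 31 02:15:58 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.1 LEN=40 PROTO=TCP SPT=40000 DPT=80
$LINE_NOISE"

# Jeff's original pattern: four groups, unanchored. Group 1 is the first six
# characters (the date) only because the greedy .* in group 2 pushes it to
# the start of the line; group 3 is the IP; groups 2 and 4 are never used.
original_pattern() {
    sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/ip=\3 date=\1/'
}

# The form Jeff would write: anchored at both ends, only the two groups that
# are referenced. Same result on a log line; a non-matching line still
# passes through untouched, which is what s/// does by default.
anchored_pattern() {
    sed 's/^\(.\{6\}\).*SRC=\(.*\) DST=.*$/ip=\2 date=\1/'
}

# Same pattern, but with -n and the p flag only lines where the substitution
# happened are printed, so a non-matching line cannot reach the table.
anchored_pattern_strict() {
    sed -n 's/^\(.\{6\}\).*SRC=\(.*\) DST=.*$/ip=\2 date=\1/p'
}

# The rest of the pipeline from the post (sort | uniq -c | sort -rn) on top
# of the strict form: one line per ip+date, busiest first, with uniq's
# leading blanks stripped.
hits_sorted() {
    printf '%s\n' "$SAMPLE_LOG" | anchored_pattern_strict |
    sort | uniq -c | sort -rn | sed 's/^ *//'
}

echo "original:        $(printf '%s\n' "$LINE_HIT" | original_pattern)"
echo "anchored:        $(printf '%s\n' "$LINE_HIT" | anchored_pattern)"
echo "noise, lenient:  $(printf '%s\n' "$LINE_NOISE" | anchored_pattern)"
echo "noise, strict:   [$(printf '%s\n' "$LINE_NOISE" | anchored_pattern_strict)]"
hits_sorted
```

Both patterns give "ip=203.0.113.9 date=May 31" for the log line; the lenient forms echo the noise line back verbatim while the strict form prints nothing for it, and the full pipeline ends with "2 ip=203.0.113.9 date=May 31" above "1 ip=198.51.100.4 date=May 31".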

RE: [leaf-user] weblet extension version 2

2003-06-01 Thread Tony
Hi Eric and Jeff,

Thanks Eric for the code, this is half of what I was looking for; Jeff gave
the other half.  If you use the proverb:

Give a man a fish, he eats today
Teach a man to fish, he eats forever

you both gave me one of those lines and I appreciate it.

But, I do have some questions about the code. I can get the portsort section
to work (from a previous e-mail), but the ipsort section is giving me the
headers, but no data under it.

I have some observations, but should I move this discussion to the devel
list?  I don't want to clog up this list with any more messages than
necessary.

Please advise, and I can pick up with my observations.

Thanks,

Tony



> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of eric wolzak
> Sent: Saturday, May 31, 2003 12:26 PM
> To: Tony; Leaf-User
> Subject: Re: [leaf-user] weblet extension version 2
>
>
> Hello Tony
>
>
> Another variant is to change in the file viewhits the option ipsort to
> -
> ipsort)
> HEAD='<tr><td width=50> Hits </td><td>IP-Adress</td><td>&nbsp;</td></tr>'
>
> AUS=`grep DPT=$content /var/log/messages |\
> sed 's/.*SRC=\(.* \)DST.*$/<a href="viewhits?x_\1">\1<\/a><\/td><td><\/td><\/tr>/' |\
> sort -n | uniq -c | sort -rn |\
> sed 's/^/<tr><td>/
> s/<a/<\/td><td><a/'`
> ;;
> ---
> this is a little bit slower but lets you click on each IP address
> that tried
> to connect to the certain port and shows the messages that it caused,
> including those to another port
>
> Regards
> Eric Wolzak
> member of the bering crew







[leaf-user] Kernel panic-syslinux.cfg no good

2003-06-01 Thread glenn greenfield
I thought I had followed the instructions but I apparently missed something here.

VFS Can't find Minix blah...on dev 02:00
LINUXRC: Installing - root: root(nf!) etc(nf!) local(nf!) modules(nf!) keyboard(nf!) iptables(nf!) pump(nf!) shorwall(nf!) ulogd(nf!) dnscache(nf!) weblet(nf!) - FINISHED
cat: /var/lib/lrpkg/root.pn.links: No such file or directory
cat: /var/lib/lrpkg/root.log.links: No such file or directory
Can't open /var/lib/lrpkg/root.dev.own
Kernel Panic: Attempted to kill init!

OK so it can't find the packages for some reason.
I found this in the Leaf-users archive:

> From: Erich Titl [EMAIL PROTECTED]
> Subject: Re: [leaf-user] Re: Bering using lrpkg.cfg
>
> Sounds like a misconfigured syslinux.cfg file, I guess it needs some
> minimal LRP parameter.
>
> HTH
> Erich

As well as this:

> Thanks Erich.
>
> Putting the 'LRP=root,etc' back in syslinux.cfg does indeed
> enable the packages to load, but that method avoids using lrpkg.cfg at all.
> I wonder if I've mis-read the documents, or maybe I'll try 'LRP=lrpkg.cfg'?
>
> I am surprised, I believe Bering is supposed to work like Dachstein in
> this aspect.
>
> here is some doc...
>
> http://lrp.steinkuehler.net/Packages/LRP-CD.htm
>
> 7. The file pkgpath.cfg can be added to your local configuration disk
> to override the PKGPATH= setting burned onto the CD.
> 8. The file lrpkg.cfg can be added to your local configuration disk to
> override the lrp= setting burned onto the CD.

I'm not booting from CD so I'm not sure how to use that info, and I haven't removed
the LRP variable.  I am only using one floppy so the PKGPATH
should be correct.  The disc is in fact a 1680:msdos.

display syslinux.dpy
timeout 0
default linux initrd=initrd.lrp init=/linuxrc rw root=/dev/ram0
boot=dev/fd0u1680:msdos PKGPATH=/dev/fd0u1680
LRP=root,etc,local,modules,keyboard,iptables,pump,shorwall,ulogd,dnscache,weblet

I'm not sure what to do from here.  Maybe the earlier "VFS Can't find Minix V2 fs on
dev 02:00" is the real culprit but I was under the impression that
"can't find minix blah" was not really an error.  Thanks for any advice.
-- 
__
http://www.linuxmail.org/
Now with e-mail forwarding for only US$5.95/yr

Powered by Outblaze
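An added example, not part of Bering's linuxrc or of syslinux: a pre-boot check of syslinux.cfg against the package files, run here on a constructed config and a constructed package directory in a temporary location. It takes the LRP= list only from a default (or append) line, because syslinux passes to the kernel only what is on that line, so an LRP= that has wrapped onto a line of its own never reaches linuxrc; it then reports which <name>.lrp files are absent from the package directory. "(nf!)" on every single package, as in the log above, is what a lost LRP= or a wrong PKGPATH looks like, whereas a partial set of (nf!) points at individual files. The constructed config uses boot=/dev/... in the Bering form; nothing here reads the real floppy.

```sh
#!/bin/sh
# Added example, not part of Bering's linuxrc or syslinux: check a syslinux.cfg
# against the package files before booting, so "(nf!)" on every package is
# found on the workstation rather than as a kernel panic at the console.
# Config and package files are constructed in a temporary directory.

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT

# Constructed syslinux.cfg in the shape of the one in the post, with the
# kernel parameters on one line. syslinux hands the kernel only what is on
# the default (or append) line, so an LRP= that has wrapped onto a line of
# its own is never seen by linuxrc.
cat > "$DEMO_DIR/syslinux.cfg" <<'EOF'
display syslinux.dpy
timeout 0
default linux initrd=initrd.lrp init=/linuxrc rw root=/dev/ram0 boot=/dev/fd0u1680:msdos PKGPATH=/dev/fd0u1680 LRP=root,etc,local,modules,shorwall
EOF

# The same file with LRP= on its own line, the failure mode described above.
cat > "$DEMO_DIR/wrapped.cfg" <<'EOF'
default linux initrd=initrd.lrp init=/linuxrc rw root=/dev/ram0
PKGPATH=/dev/fd0u1680 LRP=root,etc
EOF

# Constructed package directory: three of the five packages exist.
for p in root etc modules; do : > "$DEMO_DIR/$p.lrp"; done

# Package names from LRP= on a default/append line, one per line.
# Prints nothing when LRP= is not on such a line.
lrp_list() {
    sed -E -n 's/^[[:space:]]*(default|append) .* LRP=([^ ]*).*/\2/p' "$1" | tr ',' '\n'
}

# "<name> ok" or "<name> missing" for every package named in LRP=, looked
# up as <name>.lrp in the package directory (8.3 names on a DOS floppy,
# which is why the package is called shorwall).
check_packages() {
    lrp_list "$1" | while read -r name; do
        if [ -f "$2/$name.lrp" ]; then echo "$name ok"; else echo "$name missing"; fi
    done
}

# Number of LRP= entries with no file; 0 means the floppy is complete.
missing_count() {
    check_packages "$1" "$2" | awk '/ missing$/ { n++ } END { print n + 0 }'
}

echo "packages in $DEMO_DIR/syslinux.cfg:"
check_packages "$DEMO_DIR/syslinux.cfg" "$DEMO_DIR"
echo "missing: $(missing_count "$DEMO_DIR/syslinux.cfg" "$DEMO_DIR")"
echo "LRP= entries seen in wrapped.cfg: [$(lrp_list "$DEMO_DIR/wrapped.cfg" | tr '\n' ' ')]"
```

Against a real floppy, mount it and call `check_packages /mnt/floppy/syslinux.cfg /mnt/floppy`; the two constructed files exist only so the block runs on its own.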




Re: [leaf-user] dhcpd / bus error

2003-06-01 Thread Eric Spakman
> hi all
> i try to install a dhcp daemon on my soekris/wdist machine.
> i added dhcpd3 from bering package site ( i also tried a steinkühler dhcpd).
>
> here is the problem:
> if i start dhcpd i get the error "bus error"
>
> whats wrong ... do i need other lrp package ?
>
> thanks for helping
> roland

Roland,

dhcpd3 is a big package; you probably have to increase your
syst_size. I don't know how to do that with wisp, but with Bering you
do that by setting the system size in syslinux.cfg
(http://leaf.sourceforge.net/devel/jnilo/biaddrm.html#AEN720).

Eric




[leaf-user] Norton AntiVirus detected a virus in a message you sent. The infected attachment was deleted.

2003-06-01 Thread ServiceNAVPCDEXC002
Recipient of the infected attachment:  PCDEXC002, First Storage Group\Public Folder 
Store (PCDEXC002), /Palm Coast Data/EMAILCS/ActivePubEmail/Dennis Stuff Inc./Stuff
Subject of the message:  Re: Submited (004756-3463)
One or more attachments were deleted
  Attachment documents.pif was Deleted for the following reasons:
Virus UNAUTHORIZED FILE was found.


