Re: [leaf-user] weblet/sed question
*** REPLY SEPARATOR ***
On 5/30/2003 at 10:43 PM Tony wrote, in part:

> ...I want to expand weblet a little...
>
> ...What I want to do is, add the functionality of the IP address screen to the port screen... On the IP screen, the addresses are clickable to view the actual hits the IP was associated with. What I would like to do is have the ports be clickable to view a sorted list of IP addresses. So if I clicked port 53, I could get a listing of all the IP's who hit that port. I could then get the offending IP's without having to plow through the current IP list to see who hit what port. Did I describe that clearly enough?

Made sense to me. :o) I'd like to have that functionality too, and I hope if you make such changes you'll share them with the rest of us. Sometimes I want to sanity-check that ONE hit on my FTP port amidst the hundreds of pings and Windows file-sharing probes and backdoor tests.

Thing is though, you don't have to plow through the current IP list even now. If there are certain port hits that concern you on the port screen, make a note of them, then flip over to the 0 firewall log and use your browser's search function. You can very quickly step through all the hits on that specific port in that particular log.

Not saying that what you're suggesting is not worthwhile; I want it and would use it, for sure. Just pointing out there IS a possibly easier way to get at the data than what you're currently doing.

Cheers,
James

---
This SF.net email is sponsored by: eBay
Get office equipment for less on eBay!
http://adfarm.mediaplex.com/ad/ck/711-11697-6916-5
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
Re: [leaf-user] weblet/sed question
Hello Tony,

if I understand your mail correct, you want the possibility to identify which machines are responsible for the logged traffic to a certain port.

> Good Evening all, I'm sorry to ask a question like this, but here goes. I want to expand weblet a little and would like some pointers. I'm currently running weblet 1.2 under Bering v1.1. I like the screens where you can view the hits by either port or sorted IP address.
>
> What I want to do is, add the functionality of the IP address screen to the port screen. On the IP screen, the addresses are clickable to view the actual hits the IP was associated with. What I would like to do is have the ports be clickable to view a sorted list of IP addresses. So if I clicked port 53, I could get a listing of all the IP's who hit that port. I could then get the offending IP's without having to plow through the current IP list to see who hit what port. Did I describe that clearly enough?
>
> I viewed the code to see how the different pages are rendered and how the sub routines are called, but I don't really know sed. I'm not sure where to start.

You can make following changes to weblet

# edit /var/sh-www/cgi-bin/viewhits

change following two subroutines:

--
ipsort)
  ;;
---

to

ipsort)
  HEAD='<tr><td width=50> Hits </td><td>IP-Adress</td><td>&nbsp;</td></tr>'
  # \b after the port so that e.g. DPT=53 does not also match DPT=530;
  # first sed drops everything up to SRC=, second turns the rest into cells
  AUS=`grep "DPT=$content\\b" /var/log/messages |\
    sed 's/.*SRC=/<\/td><td>/; s/ .*$/<\/td><td><\/td><\/tr>/' |\
    sort -n | uniq -c | sort -rn |\
    sed 's/^/<tr><td>/'`
  titel="hits on port $content"
  ;;

and

--
portsort)
  ..
  ;;
---

to

portsort)
  HEAD='<tr><td>hits</td><td>port</td><td>Service</td></tr>'
  AUS=`grep "Shorewall:.* DPT" /var/log/messages |\
    sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' |\
    sort | uniq -c | sort -rn |\
    while read count port ; do
      # port number links to the ipsort screen for that port
      printf "<tr><td>$count</td><td><a href=viewhits?ipsort_$port>$port</a></td><td>"
      # service name(s) for the port from /etc/services, comments skipped
      grep "\\b$port\\b" /etc/services | sed '/^#/d' | cut -f 1 | uniq
      printf "</td></tr>"
    done`
  titel="Hits sorted by porttype"
  ;;

Then save viewhits and backup weblet. This should do the trick (at least it did it for me.)

If there are more people interested at this kind of information, I could implement some of those to weblet. Possible were for example also those IP numbers that are logged for many different ports -- scanners.

Any comment is welcomed

Regards
Eric Wolzak
member of the bering Crew
Re: [leaf-user] weblet/sed question
On Fri, 30 May 2003, Tony wrote:

> Good Evening all, I'm sorry to ask a question like this, but here goes. I want to expand weblet a little and would like some pointers. I'm currently running weblet 1.2 under Bering v1.1. I like the screens where you can view the hits by either port or sorted IP address.
>
> What I want to do is, add the functionality of the IP address screen to the port screen. On the IP screen, the addresses are clickable to view the actual hits the IP was associated with. What I would like to do is have the ports be clickable to view a sorted list of IP addresses. So if I clicked port 53, I could get a listing of all the IP's who hit that port. I could then get the offending IP's without having to plow through the current IP list to see who hit what port. Did I describe that clearly enough?
>
> I viewed the code to see how the different pages are rendered and how the sub routines are called, but I don't really know sed. I'm not sure where to start. Any pointers would be helpful.

Be sure you recognize that you need to know HTML and CGI concepts also. But if sed is the issue for you, then really, you _do_ know where to start. I would suggest "man sed", "man 7 regex", and Google "regular expression".

A brief decomposition of the hitssort option in viewhits to get you started (from an old version of weblet, so my comments may not apply to the current version):

###
HEAD='<tr><td width=20%>Hits</td><td>IP-Adress</td><td>Date</td></tr>'
AUS=`grep Shorewall: /var/log/messages |\
sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/<\\/td><td><a href=\"viewhits?x_\3\">\3<\\/a><\\/td><td>\1<\\/td><\\/tr>/'|\
sort |uniq -c | sort -rn |sed 's/^/<tr><td>/'`
titel="hits sorted by frequency and ip address"
###

This is three shell variable assignments used later in the script. The second one uses the backtick operator to invoke a pipeline to take /var/log/messages and reformat lines containing "Shorewall:". The pipeline has six commands:

###
grep Shorewall: /var/log/messages |\
sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/<\\/td><td><a href=\"viewhits?x_\3\">\3<\\/a><\\/td><td>\1<\\/td><\\/tr>/'|\
sort |\
uniq -c |\
sort -rn |\
sed 's/^/<tr><td>/'
###

You can invoke subsets of this pipeline interactively at the shell prompt to see what it is doing, like

###
grep Shorewall: /var/log/messages
###

or

###
grep Shorewall: /var/log/messages |\
sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/<\\/td><td><a href=\"viewhits?x_\3\">\3<\\/a><\\/td><td>\1<\\/td><\\/tr>/'
###

The sed invocation is using the substitute command (s/x/y/). In this case every line in the input is expected to match this command, so every line will have this substitution applied. sed requires an inordinate amount of escaping to protect special characters, so the pattern it is searching for is really:

###
(.{6})(.*SRC=)(.*)( DST=.*)
###

.{6} matches any six consecutive characters, while .* matches any zero or more characters. The * notation is greedy so the largest number of characters possible is used... which effectively pushes the .{6} up against the beginning of each line of input, where the date (e.g. "May 31") is found. The second .* grabs all the characters between SRC= and the space before DST=. Note that this is not the only way this could be expressed... I would have written this search pattern as

###
^(.{6}).*SRC=(.*) DST=.*$
###

which would anchor the six characters to be grabbed from the beginning of the line, would not remember (with parentheses) all that junk that isn't going to be used later, and would clearly show that the pattern was to extend to the end of the line.

Which brings us to sub-matches... the matched portions of the pattern that fall inside the parentheses. The s/x/y/ command replaces the x with y, where y in this case is (really one line)

###
<\\/td><td><a href=\"viewhits?x_\3\">\3<\\/a><\\/td><td>\1<\\/td><\\/tr>
###

or, more readably

###
</td><td><a href="viewhits?x_\3">\3</a></td><td>\1</td></tr>
###
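The two reports from this thread, Eric's per-port IP list and the port count behind the pipeline James decomposes, as a runnable added example that is neither weblet's code nor either poster's: it writes constructed Shorewall-style log lines to a temp file in place of /var/log/messages, and the function names, the sample lines and the digits-only check on the port are assumptions of mine.

```shell
#!/bin/sh
# Added example (not weblet's code or either poster's): the two reports from the
# thread, run over constructed Shorewall-style log lines so it works offline.
# Assumed line shape: "<6-char date> ... Shorewall:... SRC=a.b.c.d DST=... DPT=n ..."
LOG=${LOG:-/tmp/weblet_demo.log}   # stand-in for /var/log/messages
cat >"$LOG" <<'EOF'
May 31 01:02:03 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 LEN=48 PROTO=TCP SPT=4321 DPT=53 WINDOW=16384
May 31 01:02:09 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 LEN=48 PROTO=TCP SPT=4322 DPT=53 WINDOW=16384
May 31 01:03:10 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=28 PROTO=UDP SPT=1025 DPT=53 LEN=8
May 31 01:04:00 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=48 PROTO=TCP SPT=1026 DPT=21 WINDOW=8192
May 31 01:05:00 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 LEN=48 PROTO=TCP SPT=1027 DPT=530 WINDOW=8192
EOF

# The tail every weblet screen shares: count identical lines, most frequent
# first, then emit "<count> <value>" (the HTML cells of the real script left out).
rank() {
  sort | uniq -c | sort -rn |
    while read -r count value; do printf '%s %s\n' "$count" "$value"; done
}

# Port screen: one line per destination port (Eric's portsort pipeline).
hits_by_port() {
  grep 'Shorewall:.* DPT=' "$LOG" | sed 's/.*DPT=\([0-9]\{1,5\}\).*/\1/' | rank
}

# IP screen for one port (Eric's ipsort). In weblet the port arrives from the
# CGI query string, so it is checked to be digits only before it goes into a
# grep pattern, and the pattern is anchored so that 53 does not also match 530.
ips_for_port() {
  port=$1
  case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1;; esac
  grep -E "DPT=$port( |$)" "$LOG" | sed 's/.*SRC=//; s/ .*$//' | rank
}

# James's anchored rewrite of the hitssort regex: keep the six-char date (\1)
# and the source address (\2), drop the rest; -n/p skips non-matching lines.
date_and_src() {
  sed -n 's/^\(.\{6\}\).*SRC=\(.*\) DST=.*$/\2 \1/p' "$LOG" | rank
}
```

Each function prints the same count/value pairs the corresponding weblet screen wraps in table rows, so the output can be checked against the screen by eye.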
[leaf-user] weblet/sed question
Good Evening all,

I'm sorry to ask a question like this, but here goes. I want to expand weblet a little and would like some pointers. I'm currently running weblet 1.2 under Bering v1.1. I like the screens where you can view the hits by either port or sorted IP address.

What I want to do is, add the functionality of the IP address screen to the port screen. On the IP screen, the addresses are clickable to view the actual hits the IP was associated with. What I would like to do is have the ports be clickable to view a sorted list of IP addresses. So if I clicked port 53, I could get a listing of all the IP's who hit that port. I could then get the offending IP's without having to plow through the current IP list to see who hit what port. Did I describe that clearly enough?

I viewed the code to see how the different pages are rendered and how the sub routines are called, but I don't really know sed. I'm not sure where to start. Any pointers would be helpful.

Thanks
Tony