Re: [leaf-user] weblet/sed question

2003-06-01 Thread James LiGate



On 5/30/2003 at 10:43 PM Tony wrote, in part:

> ...I want to expand weblet a little...
>
> ...What I want to do is, add the functionality of the IP address screen to
> the port screen...
>
> On the IP screen, the addresses are clickable to view the actual hits the IP
> was associated with.  What I would like to do is have the ports be clickable
> to view a sorted list of IP addresses.  So if I clicked port 53, I could get
> a listing of all the IP's who hit that port.  I could then get the offending
> IP's without having to plow through the current IP list to see who hit what
> port.
>
> Did I describe that clearly enough?

Made sense to me. :o)  I'd like to have that functionality too, and I hope if
you make such changes you'll share them with the rest of us.  Sometimes I want
to sanity-check that ONE hit on my FTP port amidst the hundreds of pings and
Windows file-sharing probes and backdoor tests.

Thing is though, you don't have to plow through the current IP list even
now.  If there are certain port hits that concern you on the port screen, make
a note of them, then flip over to the 0 firewall log and use your browser's
search function.  You can very quickly step through all the hits on that
specific port in that particular log.

Not saying that what you're suggesting is not worthwhile; I want it and would
use it, for sure.  Just pointing out there IS a possibly easier way to get at
the data than what you're currently doing.

Cheers,
James




---
This SF.net email is sponsored by: eBay
Get office equipment for less on eBay!
http://adfarm.mediaplex.com/ad/ck/711-11697-6916-5

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html


Re: [leaf-user] weblet/sed question

2003-06-01 Thread eric wolzak
Hello Tony, if I understand your mail correctly, you want the possibility to
identify which machines are responsible for the logged traffic to a certain
port.

> Good Evening all,
>
> I'm sorry to ask a question like this, but here goes.  I want to expand
> weblet a little and would like some pointers.  I'm currently running weblet
> 1.2 under Bering v1.1.  I like the screens where you can view the hits by
> either port or sorted IP address.  What I want to do is, add the
> functionality of the IP address screen to the port screen.
>
> On the IP screen, the addresses are clickable to view the actual hits the IP
> was associated with.  What I would like to do is have the ports be clickable
> to view a sorted list of IP addresses.  So if I clicked port 53, I could get
> a listing of all the IP's who hit that port.  I could then get the offending
> IP's without having to plow through the current IP list to see who hit what
> port.
>
> Did I describe that clearly enough?  I viewed the code to see how the
> different pages are rendered and how the sub routines are called, but I
> don't really know sed.  I'm not sure where to start.

You can make the following changes to weblet:

#edit   /var/sh-www/cgi-bin/viewhits
change the following two subroutines:
--
ipsort)
;;
---
to

ipsort)
# $content is now the port number (portsort below links here with it);
# the space after $content inside the quotes keeps DPT=5 from also
# matching DPT=53, DPT=500 and so on
HEAD='<tr><td width=50> Hits </td><td>IP-Adress</td><td>&nbsp;</td></tr>'
AUS=`grep "DPT=$content " /var/log/messages | sed 's/.*SRC=/<\/td><td>/
s/ .*$/<\/td><td><\/td><\/tr>/' | sort -n | uniq -c | sort -rn |\
sed 's/^/<tr><td>/'`
titel="hits on port $content"
;;

and
portsort)
..
;;
to
-
portsort)
HEAD='<tr><td>hits</td><td>port</td><td>Service</td></tr>'
# only TCP/UDP log lines carry a DPT= field, so ICMP hits are left out;
# every port links to the ipsort screen above with the port as $content,
# and the service name comes from /etc/services with its comment lines dropped
AUS=`grep "Shorewall:.* DPT" /var/log/messages |\
sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/'|\
   sort | uniq -c |sort -rn |\
   while read count port ; do
   printf "<tr><td>$count</td><td><a href=\"viewhits?ipsort_$port\">$port</a></td><td>"
   grep "\\b$port\\b" /etc/services | sed /^#/d | cut -f 1 | uniq
   printf "</td></tr>"
  done `
  titel="Hits sorted by porttype"
;;

Then save viewhits and back up weblet.

This should do the trick (at least it did for me).
If more people are interested in this kind of information, I could
implement some of it in weblet.
Possible would be, for example, also those IP numbers that are logged for many
different ports -- scanners.

Any comment is welcomed

Regards
Eric Wolzak
member of the bering Crew




Re: [leaf-user] weblet/sed question

2003-06-01 Thread Jeff Newmiller
On Fri, 30 May 2003, Tony wrote:

> Good Evening all,
>
> I'm sorry to ask a question like this, but here goes.  I want to expand
> weblet a little and would like some pointers.  I'm currently running weblet
> 1.2 under Bering v1.1.  I like the screens where you can view the hits by
> either port or sorted IP address.  What I want to do is, add the
> functionality of the IP address screen to the port screen.
>
> On the IP screen, the addresses are clickable to view the actual hits the IP
> was associated with.  What I would like to do is have the ports be clickable
> to view a sorted list of IP addresses.  So if I clicked port 53, I could get
> a listing of all the IP's who hit that port.  I could then get the offending
> IP's without having to plow through the current IP list to see who hit what
> port.
>
> Did I describe that clearly enough?  I viewed the code to see how the
> different pages are rendered and how the sub routines are called, but I
> don't really know sed.  I'm not sure where to start.
>
> Any pointers would be helpful.

Be sure you recognize that you need to know HTML and CGI concepts also.

But if sed is the issue for you, then really, you _do_ know where to
start.

I would suggest "man sed", "man 7 regex", and Google "regular expression".

A brief decomposition of the hitssort option in viewhits to get you
started (from an old version of weblet, so my comments may not apply to
the current version):

###
 HEAD='<tr><td width=20%>Hits</td><td>IP-Adress</td><td>Date</td></tr>'
  AUS=`grep Shorewall: /var/log/messages |\
  sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\<\/td\>\<td\>\<a href=\"viewhits?x_\3\"\>\3\<\/a\>\<\/td\>\<td\>\1\<\/td\>\<\/tr\>/'|\
  sort  |uniq -c | sort -rn |sed 's/^/\<tr\>\<td\>/'`
  titel="hits sorted by frequency and ip address"
###

This is three shell variable assignments used later in the script.  The
second one uses the backtick operator to invoke a pipeline to take
/var/log/messages and reformat lines containing Shorewall:.  The
pipeline has six commands:

###
grep Shorewall: /var/log/messages |\
sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\<\/td\>\<td\>\<a href=\"viewhits?x_\3\"\>\3\<\/a\>\<\/td\>\<td\>\1\<\/td\>\<\/tr\>/'|\
sort  |\
uniq -c |\
sort -rn |\
sed 's/^/\<tr\>\<td\>/'
###

You can invoke subsets of this pipeline interactively at the shell prompt
to see what it is doing, like

###
grep Shorewall: /var/log/messages
###

or

###
grep Shorewall: /var/log/messages |\
sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\<\/td\>\<td\>\<a href=\"viewhits?x_\3\"\>\3\<\/a\>\<\/td\>\<td\>\1\<\/td\>\<\/tr\>/'
###

The sed invocation is using the substitute command (s/x/y/).  In this
case every line in the input is expected to match this command, so every
line will have this substitution applied. sed requires an inordinate
amount of escaping to protect special characters, so the pattern it is
searching for is really:

###
(.{6})(.*SRC=)(.*)( DST=.*)
###

.{6} matches any six consecutive characters, while .* matches any zero or
more characters.  The * notation is greedy so the largest number of
characters possible is used... which effectively pushes the .{6} up
against the beginning of each line of input, where the date (e.g. May
31) is found.  The second .* grabs all the characters between SRC= and
the space before DST=. Note that this is not the only way this could be
expressed... I would have written this search pattern as

###
^(.{6}).*SRC=(.*) DST=.*$
###

which would anchor the six characters to be grabbed from the beginning
of the line, would not remember (with parentheses) all that junk that
isn't going to be used later, and would clearly show that the pattern was
to extend to the end of the line.

Which brings us to sub-matches... the matched portions of the pattern that
fall inside the parentheses.  The s/x/y/ command replaces the x with y,
where y in this case is (really one line)

###
\<\/td\>\<td\>\<a href=\"viewhits?x_\3\"\>\3\<\/a\>\<\/td\>\<td\>\1\<\/td\>\<\/tr\>
###

or, more readably

###
</td><td><a 
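The pipelines from Eric's ipsort)/portsort) rewrite and the stage-by-stage decomposition in the reply above, as an added example that is not weblet's or the LEAF project's own code: a small POSIX shell script that runs the same grep/sed/sort/uniq stages over a constructed slice of /var/log/messages, so each stage can be tried and checked without a Bering box. The log lines, hosts, addresses, the /etc/services excerpt and all function names are made up for the example; it assumes Shorewall lines carry SRC=, DST=, PROTO= and, for TCP/UDP, DPT= in that order. Besides the two tables the thread asks for it shows the "grep DPT=5 also matches DPT=53" trap, what happens to ICMP lines that have no DPT= at all, and the scanner list (sources logged on many different ports) that Eric mentions.

```shell
#!/bin/sh
# Added example, not weblet's or the LEAF project's own code: the grep/sed/
# sort/uniq stages discussed in this thread, run over a constructed slice of
# /var/log/messages so that every stage can be tried and checked offline.
# Assumed log format: Bering-era Shorewall lines with SRC=, DST=, PROTO= and,
# for TCP/UDP, DPT= in that order. Hosts, addresses and counts are made up.

# Constructed log excerpt. Line 3 hits port 5 (the DPT=5/DPT=53 trap),
# line 11 is ICMP and has no DPT=, line 12 is not a firewall line at all.
SAMPLE_LOG='May 31 22:10:01 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=10.9.8.7 DST=192.0.2.1 LEN=48 PROTO=TCP SPT=3421 DPT=53 WINDOW=16384 SYN
May 31 22:10:02 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=10.9.8.7 DST=192.0.2.1 LEN=60 PROTO=UDP SPT=3422 DPT=53 LEN=40
May 31 22:10:03 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=10.9.8.7 DST=192.0.2.1 LEN=60 PROTO=UDP SPT=3423 DPT=5 LEN=40
May 31 22:10:04 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.1 LEN=60 PROTO=UDP SPT=1025 DPT=53 LEN=40
May 31 22:10:05 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.1 LEN=78 PROTO=UDP SPT=137 DPT=137 LEN=58
May 31 22:10:06 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.1 LEN=48 PROTO=TCP SPT=1026 DPT=21 WINDOW=16384 SYN
May 31 22:10:07 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.1 LEN=48 PROTO=TCP SPT=1027 DPT=445 WINDOW=16384 SYN
May 31 22:10:08 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 LEN=78 PROTO=UDP SPT=137 DPT=137 LEN=58
May 31 22:10:09 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 LEN=78 PROTO=UDP SPT=137 DPT=137 LEN=58
May 31 22:10:10 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 LEN=78 PROTO=UDP SPT=137 DPT=137 LEN=58
May 31 22:10:11 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
May 31 22:10:12 fw cron[99]: (root) CMD (run-parts /etc/cron.hourly)'
sample_log() { printf '%s\n' "$SAMPLE_LOG"; }

# Constructed /etc/services excerpt so the name lookup also runs offline.
SAMPLE_SERVICES='# name        port/proto   (constructed, /etc/services layout)
ftp           21/tcp
domain        53/tcp
domain        53/udp
netbios-ns    137/udp
microsoft-ds  445/tcp'

# Stage 1 of every weblet pipeline: keep the firewall lines only.
shorewall_lines() { grep 'Shorewall:'; }

# Stage 2: one "port ip" pair per TCP/UDP hit. One anchored pattern in the
# spirit of Jeff's ^(.{6}).*SRC=(.*) DST=.*$ : only the two groups that are
# reused get parentheses, and sed -n ... p drops lines without DPT= (ICMP).
port_ip_pairs() {
    shorewall_lines |
    sed -n 's/^.*SRC=\([^ ]*\) .*DPT=\([0-9]\{1,5\}\).*$/\2 \1/p'
}

# Service name for a port, as Eric's portsort) consults /etc/services, but
# matched on the whole port/proto field rather than \b$port\b, so that "53"
# cannot match a stray number somewhere else on a line.
service_name() {
    printf '%s\n' "$SAMPLE_SERVICES" |
    awk -v p="$1" '$1 !~ /^#/ && $2 ~ ("^" p "/") { print $1; exit }'
}

# Eric's portsort) table: "hits port service", busiest port first.
hits_by_port() {
    port_ip_pairs | cut -d' ' -f1 | sort | uniq -c | sort -rn |
    while read count port; do
        name=$(service_name "$port")
        printf '%s %s %s\n' "$count" "$port" "${name:--}"
    done
}

# Eric's ipsort) reworked for a port: "hits ip" for each source that hit it,
# busiest first. The port is compared as a whole field, not as a prefix.
ips_for_port() {
    port_ip_pairs | awk -v p="$1" '$1 == p { print $2 }' |
    sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# The trap in a bare grep DPT=$port: without the delimiter after the number,
# port 5 also counts DPT=53 (and 50, 500, ...). Kept to compare the counts.
naive_hits_for_port() { shorewall_lines | grep -c "DPT=$1"; }

# Eric's follow-up idea, sources logged on many different ports (scanners):
# "distinct_ports ip" for every source at or above the threshold, busiest first.
scanners() {
    port_ip_pairs | sort -u |
    awk -v min="$1" '{ n[$2]++ } END { for (ip in n) if (n[ip] >= min) print n[ip], ip }' |
    sort -rn
}

# Stand-alone run over the constructed log.
echo '== hits by port =='
sample_log | hits_by_port
echo '== sources that hit port 53 =='
sample_log | ips_for_port 53
echo '== sources seen on 3 or more ports =='
sample_log | scanners 3
```

To point the same functions at a real Bering box, replace sample_log with `cat /var/log/messages` and service_name with a grep on the real /etc/services; the sed in port_ip_pairs is the only stage that depends on the Shorewall line layout, so that is the one to re-check first if a newer Shorewall changes its log format.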

[leaf-user] weblet/sed question

2003-05-31 Thread Tony
Good Evening all,

I'm sorry to ask a question like this, but here goes.  I want to expand
weblet a little and would like some pointers.  I'm currently running weblet
1.2 under Bering v1.1.  I like the screens where you can view the hits by
either port or sorted IP address.  What I want to do is, add the
functionality of the IP address screen to the port screen.

On the IP screen, the addresses are clickable to view the actual hits the IP
was associated with.  What I would like to do is have the ports be clickable
to view a sorted list of IP addresses.  So if I clicked port 53, I could get
a listing of all the IP's who hit that port.  I could then get the offending
IP's without having to plow through the current IP list to see who hit what
port.

Did I describe that clearly enough?  I viewed the code to see how the
different pages are rendered and how the sub routines are called, but I
don't really know sed.  I'm not sure where to start.

Any pointers would be helpful.

Thanks

Tony


