Unix: Looking for evil in your firewall logs

Firewall logs. There's never enough time to review them, but you can't ignore them. Here's one way to look for malicious connections without spending a lot of time at it.


Firewall logs always contain far too much data for you to look into. With the likelihood that you're collecting millions -- if not tens of millions -- of records every day, you don't stand a chance of gathering meaningful insights from them unless you summarize or extract meaningful content. In today's post, we're going to look at a simple script that will tell you, given a list of known hostile addresses, whether any of them have connected to your systems (whether they initiated the connections or not) and how many times this has happened.

This Perl script expects to find two files. I'm referring to them as log.txt (the firewall log) and bad.txt (a list of hostile IP addresses). Obviously, you can switch the names of these files in lines 5 and 6.

This script should also be modified to reflect the name used for your external interface. This script assumes it is called "outside" and that your firewall logs will contain strings such as "outside:" showing the IP address and port of each external connection. Modify the regular expression shown in line 10 -- outside:(\S+)\/ -- if this is not the case. The \S+ extracts the name or IP address of the external system so that it can be added to a hash that also counts how many times we see this system as we comb through the log file one line at a time. The \/ specifies that a / follows the address, the \ being used as an escape to ensure the following / is taken literally.

#!/usr/bin/perl -w

my %outside=();

open LOG," ) {
    if ( ! exists $outside{$ext} ) {
        $outside{$ext}=1;			# add to hash
    } else {
        $outside{$ext}++;			# increment connection counter

# look through list of hostile IP addresses to see if any have been seen in log
while (  ) {
    if ( exists $outside{$_} ) {
        print "FOUND: $_ $outside{$_} time(s)\n";

Once we have combed through the entire log and built our hash showing how many times each connection has occurred, we run through the list of known hostile addresses and look for a corresponding hash entry (i.e., evidence that we have had connections to the hostile systems).

Photo Credit: 

flickr / ARendle

Join us:






SecurityWhite Papers & Webcasts

See more White Papers | Webcasts

Answers - Powered by ITworld

ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

Ask a Question