Unix: Looking for evil in your firewall logs

Firewall logs. There's never enough time to review them, but you can't ignore them. Here's one way to look for malicious connections without spending a lot of time at it.


If we find any matches, we display a message such as "FOUND: 3982 time(s)".

Say you have a list of known to be hostile IP address that starts like this:

The script will run through the second while loop once for each of these addresses looking to see if any match the addresses we have collected in our hash.

You could do the same thing with grep, of course, but you would be grepping through your millions of records as many times as you have addresses in your hostile systems list and this could take many hours. I find this method of using a Perl hash to count occurrences and running through the firewall log only once to be much easier and considerably faster.

Read more of Sandra Henry-Stocker's Unix as a Second Language blog and follow the latest IT news at ITworld, Twitter and Facebook.

Photo Credit: 

flickr / ARendle

Join us:






Spotlight on ...
Online Training

    Upgrade your skills and earn higher pay

    Readers to share their best tips for maximizing training dollars and getting the most out self-directed learning. Here’s what they said.


    Learn more

Answers - Powered by ITworld

Ask a Question