Unix: Looking for evil in your firewall logs

Firewall logs. There's never enough time to review them, but you can't ignore them. Here's one way to look for malicious connections without spending a lot of time at it.

By  

If we find any matches, we display a message such as "FOUND: 99.88.77.66 3982 time(s)".

Say you have a file of known-hostile IP addresses, one per line, that starts like this:

173.44.37.226
91.236.75.4
60.168.22.41
112.123.168.55
112.101.64.118
182.91.165.20
188.143.232.31
198.100.144.223
60.168.2.239
192.74.232.52
116.21.124.67

The script runs through the second while loop once for each of these addresses, checking whether it matches any of the source addresses we collected in our hash.

You could do the same thing with grep, of course, but you would be grepping through your millions of records once for every address in your hostile systems list, and that could take many hours. I find this method of using a Perl hash to count occurrences, running through the firewall log only once, to be much easier and considerably faster.
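Here is an added example of that two-pass approach (my own illustration, not the script from the article). It assumes an iptables-style log where the source address appears as a SRC= field; both the log lines and the hostile list below are constructed, and a real run would open the actual log and list files instead of the in-memory strings.

```perl
#!/usr/bin/perl
# Added example (not the article's script): tally source addresses from a
# firewall log in one pass, then check each hostile-list address against the
# hash. Log format and both data sets are constructed for illustration.
use strict;
use warnings;

# Constructed iptables-style log lines; only the SRC= field is used.
my $log = <<'END_LOG';
Jan 10 03:12:01 fw kernel: IN=eth0 OUT= SRC=173.44.37.226 DST=10.0.0.5 PROTO=TCP DPT=22
Jan 10 03:12:02 fw kernel: IN=eth0 OUT= SRC=192.168.1.20 DST=10.0.0.5 PROTO=TCP DPT=443
Jan 10 03:12:05 fw kernel: IN=eth0 OUT= SRC=173.44.37.226 DST=10.0.0.5 PROTO=TCP DPT=23
Jan 10 03:12:09 fw kernel: IN=eth0 OUT= SRC=91.236.75.4 DST=10.0.0.5 PROTO=UDP DPT=53
Jan 10 03:12:11 fw kernel: IN=eth0 OUT= SRC=173.44.37.226 DST=10.0.0.5 PROTO=TCP DPT=3389
END_LOG

# Constructed hostile list, one address per line (trailing blanks tolerated).
my $hostile = <<'END_LIST';
173.44.37.226
91.236.75.4
60.168.22.41 
END_LIST

# First pass: read the log exactly once, counting each source address.
my %seen;
open(my $logfh, '<', \$log) or die "cannot open log: $!";
while (my $line = <$logfh>) {
    next unless $line =~ /\bSRC=(\d{1,3}(?:\.\d{1,3}){3})\b/;
    $seen{$1}++;
}
close $logfh;

# Second pass: one hash lookup per hostile address; the log is not re-read.
open(my $listfh, '<', \$hostile) or die "cannot open list: $!";
while (my $ip = <$listfh>) {
    $ip =~ s/^\s+|\s+$//g;            # strip newline and stray whitespace
    next if $ip eq '' || $ip =~ /^#/;  # skip blank lines and comments
    if (exists $seen{$ip}) {
        printf "FOUND: %s %d time(s)\n", $ip, $seen{$ip};
    }
}
close $listfh;
```

With the constructed data this reports 173.44.37.226 three times and 91.236.75.4 once; 60.168.22.41 never appears in the log and so prints nothing.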

Read more of Sandra Henry-Stocker's Unix as a Second Language blog and follow the latest IT news at ITworld, Twitter and Facebook.

Photo Credit: flickr / ARendle
