Re: Egreping for Addressed
From: Michael Patrick (lists_at_techiesplace.com)
Date: 08/04/03
- Previous message: John Brightwell: "Fire Alarms and physical security"
- In reply to: Spamme Herefool: "Egreping for Addressed"
- Next in thread: Richard Arends: "Re: Egreping for Addressed"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 4 Aug 2003 11:00:42 -0500 (CDT)
To: <security-basics@securityfocus.com>
> classB. Given that:
>
> Assume the ClassB is "abc.def.X.X"
> Assume the ClassC is "123.456.789.Y",
>
> What would be the easiest way to grep out all allowed classB and classC
> addresses (from our remote sites) from the logs before parsing further?
>
> Seems this can be done on one, maybe two statements

Maybe you're looking for something like:

  grep -v "^abc.def" access_log | grep -v "^123.456.789"

which would match any line NOT (-v) starting (^) with abc.def and pass the
result to another grep which would return lines not starting with
123.456.789. I tossed in the ^ to make sure I was getting the hit IP and
not something goofy like part of a GET statement later in the line.

Something that you might already know but that bit me... If any of the
numbers are less than 3 digits you'll have to be careful.
Grepping my logs with

  grep "^12"

I get 12.x.x.x AND 129.x.x.x.
grep "^12\." returns me the wanted 12.x.x.x but not 129.x.x.x

So.... all told

  tail -n 1000 access_log | grep -v "^12\." | grep -v "^139\.30\.8\." | cut -d " " -f 1 | sort | uniq

gives me a list of IPs not in 12. or 139.30.8 (but could still be in .80)
in the last 1000 lines of my log.

Hope this helps,
Michael
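
The anchoring and dot-escaping points from the message above, as an added example that is not part of the original post: a single `grep -E` statement built from a list of allowed prefixes, next to a loose pattern for comparison. The function names, the sample log and its addresses are constructed for illustration.

```sh
#!/bin/sh
# Constructed sample access log (not from the original post).
sample_log() {
cat <<'EOF'
12.4.5.6 - - [04/Aug/2003:10:00:01 -0500] "GET / HTTP/1.0" 200 512
129.7.8.9 - - [04/Aug/2003:10:00:02 -0500] "GET / HTTP/1.0" 200 512
139.30.8.17 - - [04/Aug/2003:10:00:03 -0500] "GET /a HTTP/1.0" 200 100
139.30.80.2 - - [04/Aug/2003:10:00:04 -0500] "GET /b HTTP/1.0" 200 100
203.0.113.5 - - [04/Aug/2003:10:00:05 -0500] "GET /?ip=12.1.1.1 HTTP/1.0" 200 90
112.9.9.9 - - [04/Aug/2003:10:00:06 -0500] "GET / HTTP/1.0" 404 0
129.7.8.9 - - [04/Aug/2003:10:00:07 -0500] "GET /c HTTP/1.0" 200 100
EOF
}

# prefix_regex: turn dotted prefixes ("12" "139.30.8") into one anchored ERE,
# e.g. ^(12|139\.30\.8)\.  Every dot is escaped and the prefix must be
# followed by a literal dot, so "12" cannot match 129.x and "139.30.8"
# cannot match 139.30.80.x.
prefix_regex() {
    alt=""
    for p in "$@"; do
        esc=$(printf '%s' "$p" | sed 's/\./\\./g')
        alt="${alt:+$alt|}$esc"
    done
    printf '^(%s)\\.' "$alt"
}

# unknown_ips: read a log on stdin, drop lines whose client IP (field 1)
# starts with an allowed prefix, and list the remaining unique IPs.
unknown_ips() {
    grep -Ev "$(prefix_regex "$@")" | cut -d ' ' -f 1 | LC_ALL=C sort -u
}

# loose_ips: the same filter without anchors or escaped dots, for comparison.
# It also drops 129.x, 112.x, 139.30.80.x and any line with "12" in it.
loose_ips() {
    grep -Ev '12|139.30.8' | cut -d ' ' -f 1 | LC_ALL=C sort -u
}

echo "strict filter:"; sample_log | unknown_ips 12 139.30.8
echo "loose filter:";  sample_log | loose_ips
```

On the sample log the loose filter prints nothing at all, so every host outside the allowed ranges is hidden from review.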