How can I grep, count and sort an iptables log to get the number of hits per IP and DPT? I used this one-liner to get the top IPs by count:

egrep -w "Invalid Packet" ipfirewall.log | grep -o '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9]*' | sort | uniq -c | sort -r -n | head

But how do I get IP by DPT, so that the output will be:

250 192.168.1.1 DPT=3306
150 192.168.1.2 DPT=445
50 192.168.1.3 DPT=23
20 192.168.1.4 DPT=22

Log format:

Jul 19 04:50:28 server1 kernel: IN=eth0 OUT= MAC=xx:xx SRC=124.153.186.56 DST=xx.xx.xx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=19312 DF PROTO=TCP SPT=4379 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 19 04:50:28 server1 kernel: IN=eth0 OUT= MAC=xx:xx SRC=124.153.186.56 DST=xx.xx.xx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=47534 DF PROTO=TCP SPT=2339 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0

-== UPDATE ==-

I think I found something:

grep eth0 ipfirewall.log | sed -r 's/.*SRC=(\S+).*PROTO=(\S+).*DPT=(\S+).*/\1 \2 \3/' | sort | uniq -c | sort -r -n

    ....
5 98.169.236.61 UDP 47841
5 70.177.175.182 TCP 80
5 111.91.181.224 UDP 33468
4 74.82.169.171 TCP 135
4 61.191.56.198 TCP 1433
4 61.176.222.153 TCP 1433
4 61.155.203.4 TCP 1433
4 59.92.155.105 TCP 80
4 121.10.172.216 TCP 1433
4 119.148.162.42 TCP 1433
4 117.197.191.18 TCP 80
3 160.218.75.210 TCP 445
    ....
ADM
  • Since iptables has some flexibility about the log format, can you give us the rule that you are using for logging and some example entries from the log file? – Zoredache Jul 18 '12 at 23:38
  • log format updated – ADM Jul 18 '12 at 23:51
  • If I sort like this: sed -r 's/.*SRC=(\S+).*PROTO=(\S+).*DPT=(\S+).*/\1 \2 \3/' ipfirewall.log | sort | uniq -c | sort -r -n it gives me some text and other information, like log reboots etc :) – ADM Jul 19 '12 at 12:03
  • for some reason it shows SRC not DST address in output – Suncatcher Aug 11 '17 at 10:00

2 Answers

This is something Python is really good at.

from collections import Counter

with open('iptables.log', 'r') as log:
    ip_addresses = []
    for line in log:
        # Split on single spaces; field positions follow the log format in the question
        valueList = line.split(' ')
        valueDict = {
            'date': valueList[0] + valueList[1] + valueList[2],
            'src_ip': valueList[8][4:],  # strip the "SRC=" prefix
            'dst_ip': valueList[9][4:],  # strip the "DST=" prefix
        }
        ip_addresses.append(valueDict['src_ip'])
print(Counter(ip_addresses))

I'm sure you can find a one-liner, but this is easier to write and maintain.

mzhaase

You can use awk to extract the fields you are interested in, and then use sort and uniq as before.

% awk '{print $9 " " $19}' log | sort | uniq -c | sort -gr | head
      2 SRC=124.153.186.56 DPT=23

This assumes that all fields exist in all log messages and in the same order. If this isn't the case you probably need to use a proper scripting language like Python or Ruby.

mgorven