First of all, thanks for taking the time to read my post.
So, here I have a file from my honeypot which records IP addresses and web pages visited. I would like to manipulate it in order to create Snort signatures and ACLs.
But I am having trouble extracting the src IP address and the web page visited from the following log: mylog.log
So as I said, I would like to extract the src_ip address (192.168.230.1) and web pages visited (/Webcam/webcam.html and /cgi-bin/camctrl.cgi)
The file is pretty big and the best would be to put the results into variables like:
$ip_src=192.168.230.1
$content=/Webcam/webcam.html
I can't get my head around it and I have been trying with sed and grep but without success. Any help would be greatly appreciated.
Thanks a lot.
Ben
Works like a charm jayan_jay!
However there is still a slight issue, because sometimes (I am using Nessus for my test) the connection is established but no web page has been visited. Therefore the ip_src appears but with no content. In that case, if there is no web page visited, is it possible not to print the ip_src?
Moreover, I would like to use the variables created in a C/C++ script, do you have any idea how to do it?
Thanks a lot for your help.
Edit: Or, if the web page name is shorter than 5 characters, do not print it. Cheers
---------- Post updated at 03:38 PM ---------- Previous update was at 12:56 PM ----------
Also, I have been trying to understand how the nawk command you posted works but it looks like Chinese to me. Would you mind giving me a short explanation?
Thanks so much.
Ben
nawk -F"[\",]"    Use double-quote and comma as (input) field separators. (Line 1 field 1 is now '--MARK--', field 2 is blank, field 3 is 'Thu Oct 13... ' etc.)
/MARK/||/GET/     For lines containing MARK or GET...
{print $2,$9}     print field 2 and field 9. Note that for some lines these are empty strings.
With some square brackets to (hopefully) make the output a bit clearer, this is what comes out of the (n)awk command:
This is then piped into:
cut -d' '         cut with a field delimiter of space
-f2               and output field 2.
So if I understand it:
the double quote and comma field separators are only used for lines containing MARK.
lines containing GET use a space separator.
Also I didn't understand why it is field 9 that prints the IP address.
So I tried them all on Unix:
[$X,$1] --Mark --
--EndMark--
[$X,$2] Blank
[$X,$3] Thu
[$X,$4] Thu
[$X,$5] Blank
[$X,$6] webmin/http
[$X,$7] webmin/http
[$X,$8] Blank
[$2,$9] 192.168.230.1
But it makes no sense, or does it? I was thinking that we used the double-quote and comma to separate fields. Therefore the 192.168.230.1 should have been the 4th field. No?
Lines which don't match the pattern (MARK or GET) are just discarded, but all lines are using the same separators for input - double quote and comma. So the string ," is a blank field (or two, if it was at the start or end of the line), and "," is two blank fields (or three, if it was at the start or end of a line).
e.g. for the first two lines:
Fields 2 and 9 are output with a space separator, which gets us:
as the input to cut (note the leading space in the first line and the trailing space on the second).
Since cut is using space as a separator this breaks down to:
Is that any clearer? Probably not - I think I even confused myself with my edits!
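The thread never shows the contents of mylog.log, so the following is an added example, not code from the thread or from jayan_jay's post. It builds a constructed log in a hypothetical record layout (comma separated, quoted fields) chosen so that, after splitting on double quote and comma exactly as the nawk command above does, the client IP lands in field 9. It then extracts the source IP and requested page with awk, drops connections that carry no request or whose page name is shorter than 5 characters (the two follow-up requests), and loads the first record into ip_src and content. The sample lines, the field layout and the function names extract_hits and load_first_hit are all assumptions.

```shell
#!/bin/sh
# Constructed sample log (hypothetical layout; the real mylog.log is not shown
# in the thread). One connection per line; the request field is empty when the
# scanner connected without fetching a page.
SAMPLE_LOG='--MARK--,"Thu Oct 13 12:56:01 2011","webmin/http","192.168.230.1",51234,"10.0.0.5",80,"GET /Webcam/webcam.html HTTP/1.1"
--MARK--,"Thu Oct 13 12:56:02 2011","webmin/http","192.168.230.1",51235,"10.0.0.5",80,""
--MARK--,"Thu Oct 13 12:56:03 2011","webmin/http","192.168.230.77",51236,"10.0.0.5",80,"GET / HTTP/1.0"
--MARK--,"Thu Oct 13 12:56:04 2011","webmin/http","192.168.230.1",51237,"10.0.0.5",80,"GET /cgi-bin/camctrl.cgi HTTP/1.1"
--EndMark--'

LOGFILE="${TMPDIR:-/tmp}/mylog.sample.$$"
printf '%s\n' "$SAMPLE_LOG" > "$LOGFILE"
trap 'rm -f "$LOGFILE"' EXIT

# Print "ip page" for every connection that actually requested a page.
# -F'[",]' splits on double quote AND comma, as in the thread's nawk command,
# so "192.168.230.1" in the 4th comma-field becomes awk field 9 (the quotes
# and commas around the earlier fields each produce an empty field).
extract_hits() {
    awk -F'[",]' '
        /GET/ {
            ip = $9
            page = ""
            # Locate the request field by content rather than by position,
            # then take the path (second word of "GET /path HTTP/1.x").
            for (i = 1; i <= NF; i++)
                if ($i ~ /^GET /) { split($i, r, " "); page = r[2] }
            # Skip connections with no request, or a page name under 5 chars.
            if (length(page) < 5) next
            print ip, page
        }' "$1"
}

# Load the first qualifying record into the two variables the poster wanted.
# Both stay empty when the log holds no qualifying connection.
load_first_hit() {
    set -- "$(extract_hits "$1" | head -n 1)"
    ip_src=${1%% *}
    content=${1#* }
}

extract_hits "$LOGFILE"
load_first_hit "$LOGFILE"
echo "ip_src=$ip_src content=$content"
```

Run it with sh; against the constructed log it prints the two webcam requests and skips the empty connection and the bare "/" request. For the C/C++ question, the simplest route is to keep the "ip page" one-record-per-line output and let the program read it from standard input through a pipe (extract.sh | ./myprog), which avoids having to export shell variables into another process at all.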