Security Basics mailing list archives
Re: Egreping for Addressed
From: "Michael Patrick" <lists () techiesplace com>
Date: Mon, 4 Aug 2003 11:00:42 -0500 (CDT)
classB. Given that: Assume the ClassB is "abc.def.X.X" Assume the ClassC is "123.456.789.Y", What would be the easiest way to grep out all allowed classB and classC addresses (from our remote sites) from the logs before parsing further? Seems this can be done on one, maybe two statements
Maybe you're looking for something like:

    grep -v "^abc.def" access_log | grep -v "^123.456.789"

which would match any line NOT (-v) starting (^) with abc.def and pass the result to another grep which would return lines not starting with 123.456.789. I tossed in the ^ to make sure I was getting the hit IP and not something goofy like part of a GET statement later in the line.

Something that you might already know but that bit me... If any of the numbers are less than 3 digits you'll have to be careful. Grepping my logs with

    grep "^12"

I get 12.x.x.x AND 129.x.x.x.

    grep "^12\."

returns me the wanted 12.x.x.x but not 129.x.x.x.

So.... all told

    tail -n 1000 access_log | grep -v "^12\." | grep -v "^139\.30\.8\." | cut -d " " -f 1 | sort | uniq

gives me a list of IPs not in 12. or 139.30.8 (but could still be in .80) in the last 1000 lines of my log.

Hope this helps,
Michael
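The anchoring and trailing-dot points from the reply above, as an added example that is not part of the original post: a helper builds one anchored, dot-escaped pattern from a list of allowed prefixes, next to a loose variant that hides hosts from review. The function names and the log lines are constructed for illustration; the 12 and 139.30.8 prefixes are the ones used in the post.

```shell
#!/bin/sh
# Added example, not from the original post. All log lines are constructed.

# Build one anchored ERE from dotted prefixes: literal dots are escaped and a
# trailing "\." is required, so "12" cannot match 129.x.x.x and "139.30.8"
# cannot match 139.30.80.x.
allow_regex() {
    re=
    for p in "$@"; do
        p=$(printf '%s' "${p%.}" | sed 's/\./\\./g')   # tolerate "12." as input
        re="${re:+$re|}$p"
    done
    printf '^(%s)\\.' "$re"
}

# unlisted_ips LOGFILE PREFIX...  -> unique client IPs outside every prefix
unlisted_ips() {
    log=$1; shift
    grep -v -E "$(allow_regex "$@")" "$log" | cut -d ' ' -f 1 | sort -u
}

# Same filter with the prefixes used verbatim (no escaping, no trailing dot),
# kept only to show what the loose pattern removes from the review list.
loose_ips() {
    log=$1; shift
    re=$(printf '%s|' "$@"); re=${re%|}
    grep -v -E "^($re)" "$log" | cut -d ' ' -f 1 | sort -u
}

# Constructed access_log sample (client IP is the first field).
sample_log() {
    cat <<'EOF'
12.4.5.6 - - [04/Aug/2003:10:00:01 -0500] "GET /index.html HTTP/1.0" 200 512
129.7.8.9 - - [04/Aug/2003:10:00:02 -0500] "GET /index.html HTTP/1.0" 200 512
139.30.8.20 - - [04/Aug/2003:10:00:03 -0500] "GET /a.html HTTP/1.0" 200 100
139.30.80.5 - - [04/Aug/2003:10:00:04 -0500] "GET /b.html HTTP/1.0" 200 100
192.0.2.44 - - [04/Aug/2003:10:00:05 -0500] "GET /files/v12.3/readme.txt HTTP/1.0" 200 88
EOF
}
```

With the sample written to a file, `unlisted_ips FILE 12 139.30.8` lists 129.7.8.9, 139.30.80.5 and 192.0.2.44, while `loose_ips` with the same arguments lists only 192.0.2.44.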
Current thread:
- Egreping for Addressed Spamme Herefool (Aug 04)
- Re: Egreping for Addressed Michael Patrick (Aug 04)
- Re: Egreping for Addressed Richard Arends (Aug 04)