[plug] grep -v on subnets

Brad Campbell brad at fnarfbargle.com
Sat Mar 12 09:47:02 AWST 2022


G'day all,

I've knocked up a simple log processor in bash to dump the IP addresses that access our Zimbra server on a daily basis.

It's not pretty, but it works:

# LOGNOW holds the path of the day's gzipped log.
# Dots in the exclusion pattern are escaped: an unescaped "." matches any
# character, so '^192.168.' would also match e.g. "192x168x..." addresses.
LIST=$(zcat "$LOGNOW" |
	grep -o 'oip=[^;]*' |
	sed 's/^oip=//' |
	sort -u |
	grep -Ev '^(192\.168\.|10\.8\.)')

At the moment it gives me a list like:
1.126.106.244
1.126.109.132
1.146.128.86
1.146.135.178
1.146.167.203
1.146.169.253
1.146.174.225
1.146.175.139

That is yesterday's list, and they are all Telstra mobile CGNAT addresses. I'd like to be able to filter those based on the known Telstra subnets and just leave the outliers (like the continuous stream of Russian bots hitting the EWS port scanning for Exchange vulnerabilities).

What I'd like to be able to do is replace the final egrep with something that can handle subnets (and a list of them), for example: 1.128.0.0/11, 1.120.0.0/13, 192.168.0.0/16, 10.0.0.0/8.

Before I convert the whole thing to Python and implement subnet filtering, I thought I'd ask and see if anyone has something clever they've used/seen.

Regards,
Brad
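
[Editor's note] The CIDR-aware replacement for the final egrep, as an added example that is not part of Brad's post or the Zimbra tooling. It is plain POSIX sh so it drops into the existing pipeline unchanged; the function names (ip2int, in_cidr, filter_cidrs, extract_oips, outliers), the EXCLUDE list and the SAMPLE_LOG lines are constructed for this example and are not real Zimbra log output. Addresses are converted to 32-bit integers and masked, so a /11 or /13 works the same as a /8; malformed lines are reported on stderr rather than silently dropped, and leading-zero octets are rejected because the shell would read them as octal.

```shell
#!/bin/sh
# Added example (not from Brad's post): pure POSIX sh CIDR exclusion filter
# that replaces the final egrep in the oip= pipeline. Names below are
# constructed for this example.
set -eu

# Dotted-quad IPv4 -> 32-bit integer on stdout. Exactly four decimal octets,
# each 0..255, no leading zeros (the shell would treat 010 as octal);
# anything else returns 1 and prints nothing. Subshell body keeps IFS and the
# positional parameters local.
ip2int() (
	case $1 in
		*[!0-9.]*|.*|*.|*..*|0[0-9]*.*|*.0[0-9]*) return 1 ;;
	esac
	IFS=.
	set -- $1
	[ $# -eq 4 ] || return 1
	for o in "$@"; do
		[ "$o" -le 255 ] || return 1
	done
	printf '%s\n' $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Exit 0 when address $1 lies inside CIDR $2 ("a.b.c.d/n"; a bare address is
# treated as /32). Malformed input counts as "not inside" (exit 1).
in_cidr() (
	case $2 in
		*/*) net=${2%/*}; prefix=${2##*/} ;;
		*)   net=$2;      prefix=32 ;;
	esac
	case $prefix in
		''|*[!0-9]*|0[0-9]*) return 1 ;;
	esac
	[ "$prefix" -le 32 ] || return 1
	ip=$(ip2int "$1") || return 1
	net=$(ip2int "$net") || return 1
	# Network mask built without overflowing: ((1<<n)-1) << (32-n);
	# /0 gives mask 0 (matches everything), /32 gives all ones.
	mask=$(( ((1 << prefix) - 1) << (32 - prefix) ))
	[ $(( ip & mask )) -eq $(( net & mask )) ]
)

# Read one address per line on stdin; print those NOT inside any CIDR given
# as an argument. Lines that are not valid IPv4 go to stderr so nothing
# vanishes silently.
filter_cidrs() (
	while IFS= read -r line; do
		[ -n "$line" ] || continue
		if ! ip2int "$line" >/dev/null; then
			printf 'filter_cidrs: skipping non-IPv4 line: %s\n' "$line" >&2
			continue
		fi
		keep=1
		for cidr in "$@"; do
			if in_cidr "$line" "$cidr"; then keep=0; break; fi
		done
		if [ "$keep" -eq 1 ]; then printf '%s\n' "$line"; fi
	done
)

# The grep/sed/sort stage of the original pipeline, reading log text on
# stdin. "|| true" keeps a hit-free log from aborting the script under set -e.
extract_oips() {
	{ grep -o 'oip=[^;]*' || true; } | sed 's/^oip=//' | sort -u
}

# Constructed sample log lines in the oip= style being grepped for.
SAMPLE_LOG='2022-03-11 00:01:02 INFO ip=10.8.0.5;oip=1.126.106.244;ua=zclient;
2022-03-11 00:02:09 INFO ip=10.8.0.5;oip=1.146.128.86;ua=zclient;
2022-03-11 00:03:11 INFO ip=10.8.0.5;oip=192.168.1.20;ua=zclient;
2022-03-11 00:04:44 INFO ip=10.8.0.5;oip=203.0.113.7;ua=curl;
2022-03-11 00:05:00 INFO ip=10.8.0.5;oip=1.126.106.244;ua=zclient;
2022-03-11 00:06:31 INFO ip=10.8.0.5;oip=10.8.0.9;ua=zclient;
2022-03-11 00:07:15 INFO ip=10.8.0.5;oip=198.51.100.23;ua=python-requests;'

# Exclusion list from the post; space separated so $EXCLUDE splits into
# arguments (deliberately unquoted at the call site).
EXCLUDE='1.128.0.0/11 1.120.0.0/13 192.168.0.0/16 10.0.0.0/8'

# The original pipeline with the egrep swapped out. In production replace the
# printf with: zcat "$LOGNOW" | extract_oips | filter_cidrs $EXCLUDE
outliers() {
	printf '%s\n' "$SAMPLE_LOG" | extract_oips | filter_cidrs $EXCLUDE
}

outliers
```

The sample run leaves only 198.51.100.23 and 203.0.113.7; the two Telstra addresses, the 192.168.x host and the 10.8.x VPN client are all swallowed by the list. If installing a package is acceptable, the grepcidr utility does the same job with `grepcidr -v -f subnets.txt` and is noticeably faster on large logs than a shell loop.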

